The U.K. Information Commissioner's Office (ICO) has fined the Aberdeen City Council £100,000 after a council employee inadvertently published 39 pages of documents online relating to the care of children, which contained names and addresses of service users, details of family members, and sensitive personal data related to alleged criminal offenses.
The employee was working from home on her home computer at the time, though the council had no teleworking policy in place regarding data security. The employee's home computer, which had been purchased second-hand, had a file transfer program installed that uploaded the entire content of her My Documents folder to the Internet, including the 39 pages of documents containing sensitive data.
The files were uploaded in November of 2011, and remained available online until February 15, 2012, when another staff member discovered the documents online.
"As more people take the opportunity to work from home, organizations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure," ICO assistant commissioner for Scotland Ken Macdonald said in a statement. "In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council's existing data protection guidance was being followed. The result was serious data breach that left the sensitive information of a vulnerable young child freely available online for three months."