According to the ICO, on May 25, 2012, a council employee sent a letter about an adopted child to a birth mother, mistakenly including the adoptive parents’ home address. Using that information, the birth mother’s parents then got in touch with the adoptive parents, seeking access to their grandchild.
The ICO reports that the breach was caused by the council’s “underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff.”
Following the breach, the council implemented a checklist of requirements prior to the sending of such correspondence, along with a peer-checking process for work carried out by council staff.
“It would be easy to dismiss this as a simple case of human error,” ICO head of enforcement Steve Eckersley said in a statement. “The reality is that this incident happened because the organization did not pay enough attention to how it handles vulnerable people’s sensitive information, leading to a mistake that was entirely avoidable had the right guidance and training been in place. The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.”