Perth and Kinross council staff broke strict new rules to safeguard personal information 78 times last year.
The council recorded a wide range of data breaches, including six staff inappropriately accessing personal information, school reports sent to the wrong parents and personal data left in a public place.
At least 12 of the incidents were serious enough to warrant informing the Information Commissioner’s Office. This happens when someone is at “serious risk of social or economic disadvantage” due to the way their personal information has been handled.
Politicians attacked the council for its “appalling record”, but legal experts stressed organisations, such as local authorities and businesses, are still taking time to understand how to react to new data protection laws.
Six staff faced HR procedures after inappropriately accessing personal information – this can range from re-training to disciplinary action including dismissal.
Strict new European rules on handling public data became law in April last year. These require organisations to keep a record of each incident where the regulations have been broken.
The council has released its register of breaches after a Freedom of Information request from The Courier.
Perth MP Pete Wishart, SNP, said the register revealed an “appalling record.”
“To find out there have been 78 breaches in one year is totally unacceptable – especially when schools are involved. These instances must be upsetting and unsettling for parents,” he said.
Data law expert Nimarta Cheema, from leading legal firm Lindsays, said the new regulations introduced last year known as General Data Protection Regulation (GDPR) meant a “massive change” for organisations.
She said: “There can be a lack of understand as to what constitutes a data breach. Staff can think it has to be something as serious as a cyberattack, when it can be as simple as sending an email to the wrong address.”
A Perth and Kinross Council spokesperson said the data breaches recorded represent issues that occurred in a very small percentage of the council’s transactions.
“We take any incident which involves inappropriate management of people’s personal information very seriously,” she added.
She said people share their personal information with the council for a variety of purposes.
“By doing so they place their trust in us that we will only use this information for the purposes intended, to allow them to access the services and forms of support they need from our organisations,” she continued.
“We do not comment on individual staff circumstances, and the action taken in each incident will depend on the specific findings of the investigation into each data breach.
“This can range from re-training to disciplinary action up to and including dismissal,” she added.
