Islington Council Was Fined £56,000 By The Information Commissioner’s Office For Publishing Personal Data

The personal data that was published by Islington Council included people’s medical and bank details, and was made available by a website design fault. It left folders accessible by simply manipulating the URL address, and the problem was only discovered when a member of the public informed the council.

Following an investigation, the Information Commissioner’s Office (ICO) discovered there had been unauthorised access to 119 documents, affecting 71 people. 

The ICO originally fined Islington Council £70,000; however this was reduced to £56,000 due to the council’s prompt payment.

Matthew Newbould, a product liability and group actions specialist at Irwin Mitchell, said:

Expert Opinion

“The information leak by Islington Council was a significant and far reaching failure. Custodians of personal data have a duty under the Data Protection Act 1998 to keep that information confidential.

“The ICO has acted correctly and responsibly in imposing a £56,000 fine for this breach.

“It is also possible that the price Islington Council pay will be greater than the fine as individuals affected by the breach may have a right to damages for their distress arising from the breach and a related right of action in ‘misuse of private information’.

“The right to recover damages for distress following data breaches is a fairly new development, which was only fully established following the 2015 cases of Vidal Hall v Google and TLT and others v Secretary of State.

“Whilst the Information Commissioner is responsible to impose fines on those responsible for breaches, it has no power to award damages to individuals for distress. Those cases must be pursued in through the Courts.” Matthew Newbould - Associate Solicitor