Staff sacked after security breaches at police and councils in Norfolk
06:30 22 November 2011
Police officers and council staff in Norfolk and Suffolk have been sacked or resigned after being caught accessing the public’s personal data, it has emerged.
A Freedom of Information request has revealed more than 150 breaches of the Data Protection Act since 2008 at the region’s hospitals, police forces and councils.
Examples of breaches included confidential council documents found in a skip, papers on 25 children in care disappearing and never being recovered, and a report containing information about a child considered at risk of harm being hand-delivered to the wrong address.
Restricted police documents were stolen from a Norfolk police officer’s home, while there was a string of breaches at hospitals including cases where sensitive information about patients was lost in the post or left in public places. But bosses insist they take the handling of personal data extremely seriously and in each case where the Data Protection Act (DPA) has been breached, they have taken action to tighten up the system.
At Norfolk police there were 22 breaches between 2008 and this year. A police constable resigned after being convicted of a breach of the DPA for disclosing information from the force’s crime intelligence system, and a police community support officer (PCSO) was sacked after being convicted of obtaining details of a call to police and passing them on to a family member.
Both convictions were in 2008. The same year saw a PCSO dismissed for disclosing information after browsing police systems while another member of police staff was sacked for accessing details of a crime and disclosing information.
In 2009 a PCSO was sacked for accessing the Police National Computer for personal reasons, while another PCSO quit last year after being caught checking details of family members.
Written warnings, a caution and advice were also handed to constables, a sergeant and a PCSO for accessing information for personal or non-policing reasons, while, in another breach, in 2010, restricted documents were stolen from the house of a police officer.
A Norfolk Constabulary spokesman said: “Breaches of the Act are taken extremely seriously by the Constabulary and all staff are aware of the role they have to play in ensuring data is recorded, managed and shared appropriately, and the importance of maintaining confidentiality and respecting the rights of the public over personal information.
“Any breaches of the Act or force policy by staff will not be tolerated and if individuals are found misusing the privileged access they have to information they will be subject to disciplinary action and possibly criminal proceedings.”
At Norfolk County Council there have been 46 breaches since December 2008. A member of staff was dismissed in June 2009 for unauthorised access and alteration of social services records, while members of staff resigned before they could be dismissed in December 2009 and February last year for unauthorised access to social work records.
Last February also saw confidential service users’ files found in a skip outside a council building. An investigation was launched, but no conclusion was reached as to how they ended up there.
In May 2011, a child protection conference report - drawn up at a meeting to discuss a child considered to be at risk of harm - was hand-delivered to the wrong address.
That breach was referred by the county council to the Information Commissioner’s Office, the data protection watchdog, and the council is awaiting the judgement.
A large number of the breaches occurred because emails containing people’s details, such as names and addresses, were sent to the wrong people.
John Brock, corporate data protection officer at Norfolk County Council, said: “The council constantly strives to handle personal data securely and has a system in place to record any incidents that occur so that we can improve the way we handle data.
“None of the incidents of data loss have involved large volumes and in some cases the data have been recovered.
“Whereas any incidents are clearly a cause for concern, they should be seen in the context of the many thousands of items of personal data that are handled by thousands of council staff each year.”
The Norfolk and Norwich University Hospital said it had no reported breaches. The James Paget University Hospital at Gorleston had 35 breaches, 28 of which were this year, which bosses put down to an increase in reporting them.
A spokesman said many related to emails being sent in error or paperwork containing names being left where it should not be.
The Queen Elizabeth Hospital, King’s Lynn, had 65 breaches since 2008, of which five were considered ‘major’, with many of the others involving paperwork being found in “inappropriate places” within the hospital.
A spokesman said: “We regard any breach as unacceptable but the word ‘major’ refers to the potential impact such a breach might cause, rather than the actual impact.
“So, for example, in the most recent case a surgeon photocopied pages from a patient’s medical notes and took the photocopies out of the hospital with the intention of referring them to someone else, but it was discovered he had not obtained the patient’s permission.”
Other breaches included two at Norwich City Council involving stolen or lost laptops, one at the East Anglian Ambulance Service, 52 at Suffolk police and 18 at Suffolk County Council.