We all understand that Local Authorities must keep detailed records on the children under their care and supervision and their families. They also have a legal obligation to keep such sensitive and personal records confidential, except from the professional people who need to see them.
Mr and Mrs C have a daughter who is under Lancashire County Council’s care and supervision. The Council recently conducted an assessment of her educational, health and care needs. Following the assessment, the Council’s SEN and Disability Officer mistakenly attached her highly detailed Education, Health and Care Plan (20 pages) to an email sent to another family.
The Education, Health and Care Plan disclosed the following personal and sensitive information pertaining to the parents:
- Their names and addresses,
- Mr C’s occupation and work pattern,
- The traumatic circumstances of their daughter’s birth and aftermath,
- The history of the family’s interactions with various professionals including paediatric consultants, speech and language therapists, community paediatric and mental health services, and occupational therapists,
- The effect of the family’s situation on Mrs C’s working life and sleep,
- Assessments of relationships and interactions within the family,
- Notes relating to a social care needs assessment.
Upon receipt of this email, the other family contacted Mr and Mrs C to inform them of what had happened. Distressed, Mr and Mrs C contacted data breach/GDPR specialists Irvings Law to advise on the law and assist them. Without hesitation, Mr McConville, who is the Head of this expert department, agreed that Mr and Mrs C’s privacy and personal data had been unlawfully infringed and so offered ‘no win, no fee’ terms to enable them both to pursue a claim.
Mr McConville then lodged a formal complaint with the Council. In response, the Council ‘sincerely apologised’ for their ‘mishandling’ of the personal information and confirmed that they had reported the matter to the Information Commissioner’s Office (ICO). Further, the Council confirmed that their SEN and Disability Officer’s actions were ‘not excusable’ and he is ‘now required to attend a further classroom based information security awareness course’. Also, all other Council ‘employees have been reminded to check the accuracy of any correspondence before it is sent out’.
Following this admission, Mr McConville sent a Letter of Claim to the Council on behalf of Mr and Mrs C which alleged that there had been a Loss of Control / Breach and/or Invasion of Privacy / Breach of Article 8 of the Human Rights Act 1998, a Breach of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, a Breach of Confidence / Breach of Article 8 of the Human Rights Act 1998 and a Misuse of Private Information.
Following receipt of this Letter of Claim, the Council responded and confirmed that it ‘was accepted that there has been a breach of the GDPR and Data Protection Act 2018’. Given this admission, Mr and Mrs C put forward a Part 36 offer in the sum of £1,000.00 and £3,000.00 respectively. This was then accepted by the Council without delay. However, Mr McConville is now pursuing claims for Mr and Mrs C’s son and daughter who were also mentioned in great detail within the erroneously sent email.
It is difficult to imagine a more sensitive and distressing accidental disclosure for the family concerned. To their credit, Lancashire CC accepted that there was no excuse for this and were willing to offer appropriate compensation. We hope that they are able to prevent such breaches occurring again.