Cheshire West and Chester Council has agreed to tighten its procedures after a number of shocking data protection failings were revealed.

The local authority made mistakes which had the potential to cause “serious distress” for those affected, including sending allegations of historic sexual abuse to an incorrect address due to the address and postcode being obtained from a Google Maps search.

An investigation by the Information Commissioner's Office (ICO) – the UK's independent regulator for data privacy – found data protection training across CWaC was “unsatisfactory”. 

CWaC chief executive Gerald Meehan yesterday issued an apology, blaming the problems on “human error”.

Mr Meehan said: “The council is responsible for managing and maintaining huge amounts of personal information and we take data protection extremely seriously.

“I must therefore apologise that on a small number of occasions due to human error, we have fallen short of the high expectations rightly placed upon us. 

“I would like to reassure everyone that we are proactively working with the Information Commissioner’s Office to put in place the actions put forward to keep personal data safe and to minimise the risk of similar incidents happening again.”

Mr Meehan said data protection training is now a “mandatory requirement” for all staff including temporary and agency workers, and new compliance monitoring systems will be implemented to measure its effectiveness and ensure everyone has completed it.

Mandatory refresher training will also be provided, he said.

The chief executive added: “We already have the relevant policies and procedures in place to ensure compliance with the Data Protection Act (1998) and we are preparing for the new General Data Protection Regulations (GDPR) coming into effect in
May 2018.”

Problems were first identified during an ICO audit carried out in October 2014 which resulted in a "limited assurance" rating.

As a result of the audit and a subsequent follow-up in June 2015, a number of concerns relating to staff training were identified.

These concerns were compounded by a series of self-reported incidents which the ICO was advised of. 

Despite agreed recommendations on training, subsequent investigations identified they had not been fully implemented. 

The ICO investigation found the general uptake of data protection training across CWaC was “unsatisfactory” with “considerable discrepancies” between different service areas.

Further data breaches reported to the ICO since the audit
follow-up included the incident with the allegations of historic sex abuse going to the wrong address, plus the disclosure of an incorrect mobile phone number to a former partner of a data subject.

Also, it was found a data handling procedure, introduced following previous breaches, was not being adhered to in some “high risk” areas as staff had not been made aware of it.

The latest data protection training compliance figure for the year ended 2016-17 was 61 per cent overall, with “much lower than expected” attainment figures in some high risk areas such as children and family services and adult social care and health.

The Data Protection Act undertaking for CWaC was published on the ICO’s website. 

In response, CWaC has agreed to conduct a risk-based training needs analysis for all roles within the organisation, and train all employees whose role involves the handling of personal data.

All new members of staff responsible for the handling of personal data are to receive the relevant training, while CWaC will ensure refresher training is monitored and enforced.