Suspended Sandwell Council staff back at work after £35k wages bill

The suspected data breach at Sandwell Council occurred last October - two managers were suspended for five months on full pay while another worker was suspended for three. It is believed the investigation centred on whether workers had accidentally leaked details on the state of a man's mental health.

All of the members of staff work in the authority's homelessness team.

The most senior manager returned to work last week, and a senior officer's suspension was ended the week before.

The third employee was only suspended until December.

At the time they were suspended, the authority had stressed that suspension was no indication any of the employees were at fault.

The council today insisted it had followed with its own disciplinary procedure, but would not be drawn to explain why the process had taken five months to reach its conclusion when no further sanctions were needed against staff.

Chief Executive Jan Britton said: "Sandwell Council takes it responsibilities under the Data Protection Act very seriously.

"We can confirm that following a data protection incident the council undertook an independent investigation.

"The ICO has concluded his investigation, acknowledging the actions already taken by the council and concluding that no further action was required.

"We cannot comment on individuals."

Councils handle tens of thousands of transactions involving resident's personal information every week.

It emerged last year that Sandwell Council staff had lost sensitive personal data in the previous financial year but bosses did not specify on how many occasions, or provide a breakdown of what was sent to whom. That was after a request under the Freedom of Information Act.

The Information Commissioner's Office, the Government's privacy watchdog, can issue fines of up to £500,000 for serious breaches of data protection laws.

No local councils have faced fines in recent years.

The council does have a dedicated information management unit which was established in 2012 to improve data protection practices.

Stuart Taylor, information governance manager, wrote in a report last year that the unit had spared the council a potential of tens of thousands of pounds in penalty fines.

He wrote: "The unit has already saved the council from direct monetary intervention from the Information Commissioner's Office on at least 15 instances that have been referred.

"The saving to the council cannot be easily quantified but an average fine levied is £100,000."

Sandwell Council spent £101,644 for encryption technology on laptops to avoid data leaks in spring 2009 and had a £26,403 annual bill for software.

The security software was purchased after one worker lost a memory stick, without password protection, containing details of vulnerable children and their families.

The worker had downloaded the data in order to carry out work at home - in a breach of council policy - but lost the memory stick on the way home.

It included sensitive personal information relating to four families, including reasons why children were taken into care or made subject of a Child Protection Plan. In that case in 2009, the worker was suspended before returning to work.