Wolverhampton council in huge data leak blunder

A report from the Information Commissioner's Office said payroll information relating to 9,858 workers had been disclosed to a 'third party' by the authority because of an email 'oversight'.

Employees at 73 'educational establishments' were affected by the bungle, which the commissioner's office said occurred in November last year. Wolverhampton council has not said whether the data relates to the city's teachers and school staff. The council has also not said if those affected have been informed of the leak.

Bosses at the local authority have been told to make its staff take regular 'refresher' training in data protection as part of an 'undertaking' signed by managing director Keith Ireland, which also asks that training is monitored more closely.

The report said: "The Information Commissioner was informed by the data controller on January 5, 2016, that personal information of employees at 73 educational establishments was sent in error to an external recipient via email. The information was held on a spreadsheet and contained personal data.

"On November 26, 2015, the data controller (Wolverhampton council) asked for a report to be produced by its payroll department. Due to an oversight the personal data of 9,858 data subjects was emailed to an external recipient. During the commissioner's investigation, the data controller informed him that data protection training for staff members is mandatory on induction, and should be refreshed at regular intervals.

"However, the commissioner's probe also revealed that the council does not have a reliable method of monitoring the completion of refresher training."

It comes just two years after the council was rebuked for its 'startling' failure train its staff in data protection.

In 2014, the commissioner served an 'enforcement notice' on the council after the warnings to train all staff within 50 days.

As a result the council trained 5,785 employees and all 60 councillors following the concerns.

The new report said: "The commissioner is satisfied that the terms of the enforcement notice were met. However, the commissioner remains concerned at the data controller's failure to establish an effective mechanism to monitor and implement refresher training."

Council spokesman Paul Brown said: "The City of Wolverhampton Council takes its responsibilities to comply with the requirements of the Data Protection Act and recommendations made by the regulator extremely seriously and has put in place a number of robust actions and procedures to address this isolated incident."