An Abergavenny businesswoman has accused Monmouthshire County Council of falling down on its data protection and safeguarding responsibilities after being emailed sensitive information about a child.

Lisa-Marie Harris, who is the principal of Abergavenny-based performing arts academy Mayzmusik, said the alleged breach of data protection came when she applied for performance licences for a number of children who were taking part in a recent summer showcase at the Borough Theatre.

"When the licences were eventually emailed back to me I discovered to my shock that one of them was for a child who was not part of my cast but had taken part in a show in another part of the county last year," said Mrs Harris.

"We certainly see this as a major breach regarding a minor," she said. "The licence contains the full name of the child, their date of birth, medical information and the name of a parent.

"There was also a picture of the child in a clearly identifiable school uniform."

"In a way I’m pleased that the information came to us because as soon as I realised the mistake I immediately deleted the email and all its attachments, and reported it to the authority, completing all the relevant paperwork required when containing an MCC data breach, but it worries me that such sensitive information could have got into the wrong hands.

"In this instance the show had already happened, but it could so easily have been for a show in the future which would have meant that an awful lot of information not only about the child but about where that child was going to be and how they were getting there had been disclosed," said Mrs Harris.

"I’m also concerned that one of the licences I was expecting to receive was missing and although I have been assured that it hasn’t been sent anywhere else I don’t really have a lot of faith in MCC."

"If we can’t trust the local authority to treat sensitive information with care then who can we trust?" she added.

"We are very careful that we follow the letter of the law in terms of safeguarding and it seems that MCC doesn’t have either the knowledge or the resources to support us - and they are supposed to be the experts."

After submitting a formal complaint to MCC, Mrs Harris received an apology saying that it had been investigated internally and promising that data would be handled with ‘due diligence’ in the future.

"I was told that the complaint was not going to be reported to the Information Commissioner’s Office as it would cause ‘significant harm to the individual whose data was the subject of the breach’," said Mrs Harris.

"I have to say I’m not entirely sure what harm it would do to the child to report the department for mishandling her data although some might think that it could do some harm to MCC to reveal its incompetence," she added.

Mrs Harris said she now plans to report the incident to the ICO herself.

A spokesman for MCC said, "Monmouthshire County Council identified that the information was sent to one person in error and we immediately followed all processes and procedures to address this. Appropriate action has been taken."

Other data breaches

A request submitted to MCC has revealed that in just over a year since the GDPR regulations were introduced, 24 breaches have been reported.

"Since the implementation of the new data protection guidelines (General Data Protection Regulations) in May 2018, the authority has experienced 24 data security breaches," said a spokesman for the authority.

"Two data breaches were referred to the Information Commissioner’s Office, but no action was taken. We are continually working with staff to ensure that everyone is aware of the importance of GDPR," she said.

Requirement to report

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, organisations must also inform those individuals without undue delay.

If it is unlikely, there is no requirement to report the breach to the ICO.

Under the terms of the regulations, organisations should ensure they have robust breach detection, investigation and internal reporting procedures in place.

This will facilitate decision-making about whether or not they need to notify the relevant supervisory authority and the affected individuals.

Organisations must also keep a record of any personal data breaches, regardless of whether they are required to notify.