Children's trust issued with reprimand after it inappropriately disclosed personal information on child to another family

The Information Commissioner’s Office (ICO) has issued a reprimand to Birmingham Children's Trust Community Interest Company after the personal information of a child was “inappropriately disclosed” to another family.

The company, owned by Birmingham City Council, was working with two neighbouring families when the data breach occurred.  

A child protection plan containing “inappropriate personal data” in the form of criminal allegations against a child was disclosed to a family, relating to a child from the neighbouring family.

Although the care plan itself was authorised for the family to view, the criminal allegations were not relevant to the plan, or authorised for the family’s view, the watchdog found.

The Commissioner established that the data disclosed included both sensitive criminal data (serious criminal offence allegations made against child X) and personal identifiers of an individual under the age of 18 (child X).

The investigation concluded that Birmingham Children's Trust Community Interest Company (BCTCIC) “did not have appropriate policies or sufficient practical guidance in place to ensure the security of personal information”.

The ICO recommended that BCTCIC should take further steps to ensure its compliance with data protection law, including: 

  • Implement a more granular approach to data protection and create a Standard Operating Procedure with regards to producing social care documents.  
  • Include a process for any social care product to be independently checked by someone other than the author prior to disclosure. 
  • Create and implement a corporate redaction policy, which ensures staff have the knowledge and tools, to redact the product if necessary. 

Sally-Anne Poole, Head of Investigations at the ICO, said: “Children’s personal information requires extra protection and must be handled with great care. This disclosure of personal information by social workers at Birmingham Children's Trust Community Interest Company was a violation of privacy that would have caused distress to both the child and their family.  

“We expect all organisations processing personal information to ensure they have robust policies and procedures in place to protect it. We will take action when personal information, especially belonging to children and young people, is compromised.”

BCTCIC is owned by Birmingham City Council, however it works independently of the council in delivering its services.

A Birmingham Children’s Trust spokesperson said: “We can confirm a data breach occurred affecting one person’s information which occurred in November 2022. The Trust self-reported this incident to the ICO at the time.

“The Trust takes the protection of the information we work with very seriously and we safely manage this information in the vast majority of cases. The ICO have issued a reprimand for this data breach where some sensitive information about one person was shared in error with another family.

“We have carefully considered the ICO recommendations and have taken steps to help prevent such an occurrence from happening again. We are continuing to monitor this area of activity, and we are also working on broader procedural changes to further help protect the personal data we work with.”

Lottie Winson