Birmingham Children's Trust Community Interest Company – Violation Found (United Kingdom, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Birmingham Children's Trust Community Interest Company (BCTCIC) is an organisation owned by Birmingham City Council that works independently to deliver services to the council. This case is related to the Child Protection and Review (CP&R) department which provides services to support families in the Birmingham area focused on making a positive difference to their lives. The employees of BCTCIC (CP&R) are primarily trained social workers and the department regularly processes both personal data relating to children and criminal offence data. On 10 November 2022, a personal data breach occurred involving inappropriate information related to a data subject being included in a Child Protection Plan (CP Plan). The information was contained in a summary statement of a meeting between BCTCIC and West Midlands Police, the full statement was copied verbatim into the CP Plan which was then approved and sent to a family by the CP&R department. The CP Plan was received and read by the recipient subsequently resulting in inappropriate access to both sensitive criminal data, specifically criminal allegations and the personal identifiers of an individual under the age of 18. The ICO determined that BCTCIC were responsible for certain infringements of the UK GDPR resulting in a personal data breach in relation to Article 5(l)(f) UK GDPR and Articles 32(1)(b,) and 32(2) UK GDPR. The Commissioner acknowledged that when the incident occurred BCTCIC was aiming to deliver its services between two neighbouring families and in the absence of certain data necessary to complete the CP Plan, BCTCIC attempted to act upon initiative using data copied from a related meeting statement with West Midlands Police. The Commissioner also acknowledged representations from BCTCIC and that whilst the disclosure caused no actual harms; there was an expectation of harm in the form of distress to both the data subject and family. The Commissioner concluded that BCTCIC fell short of achieving appro
GDPR Articles Cited
The Birmingham Children's Trust Community Interest Company (BCTCIC) is an organisation owned by Birmingham City Council that works independently to deliver services to the council. This case is related to the Child Protection and Review (CP&R) department which provides services to support families in the Birmingham area focused on making a positive difference to their lives. The employees of BCTCIC (CP&R) are primarily trained social workers and the department regularly processes both personal data relating to children and criminal offence data. On 10 November 2022, a personal data breach occurred involving inappropriate information related to a data subject being included in a Child Protection Plan (CP Plan). The information was contained in a summary statement of a meeting between BCTCIC and West Midlands Police, the full statement was copied verbatim into the CP Plan which was then approved and sent to a family by the CP&R department. The CP Plan was received and read by the recipient subsequently resulting in inappropriate access to both sensitive criminal data, specifically criminal allegations and the personal identifiers of an individual under the age of 18. The ICO determined that BCTCIC were responsible for certain infringements of the UK GDPR resulting in a personal data breach in relation to Article 5(l)(f) UK GDPR and Articles 32(1)(b,) and 32(2) UK GDPR. The Commissioner acknowledged that when the incident occurred BCTCIC was aiming to deliver its services between two neighbouring families and in the absence of certain data necessary to complete the CP Plan, BCTCIC attempted to act upon initiative using data copied from a related meeting statement with West Midlands Police. The Commissioner also acknowledged representations from BCTCIC and that whilst the disclosure caused no actual harms; there was an expectation of harm in the form of distress to both the data subject and family. The Commissioner concluded that BCTCIC fell short of achieving appro
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Birmingham Children's Trust Community Interest Company in UK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Birmingham Children's Trust Community Interest Company - United Kingdom (2024). Retrieved from cookiefines.eu
Last updated: