Nottingham Council have been found to have published the gender, addresses and even the care requirements of 3,000 older and disabled people in an online directory called the ‘Home Care Allocation System.’

The portal contained no access restrictions and was reported by a member of the public who came across the data easily via an internet search.

The online directory was launched to allow social care providers to confirm if they were able to support a particular service user. But even though names weren’t used, it was still possible to identify the service user with the other details recorded.

The data even revealed whether the service user was still in hospital or not, providing a potential list of empty houses for anyone with ulterior motives.

Steve Eckersley, head of enforcement at the Information Commissioner’s Office (ICO), said the council’s actions represented “a serious and prolonged breach of the law”.

Eckersley added: “For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.

“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”

Nottingham council said it was “very sorry” about the data breach, and “wholeheartedly accepted” the ICO’s findings.

The story highlights the importance of protecting health and social care data, especially in light of the upcoming General Data Protection Regulation (GDPR), a new legal framework that sets out how organisations in the EU collect, access, store and delete personal data.

GDPR doesn’t come into force until May 2018; however, had this breach been discovered after that date, the fine could have run into the tens of millions.

That’s because GDPR takes data protection very seriously, and EU organisations have between now and May next year to clean up the personal data they hold and put in place more rigorous data protection processes.
