The Birmingham Children’s Trust has been formally instructed to improve its policies to protect information after sharing with the wrong family ‘personal information and criminal allegations relating to a child’

Birmingham City Council’s arm’s-length unit for children’s services has been reprimanded by regulators over a data-protection breach.

The incident, which is understood to have taken place in November 2022, saw “personal information of a child… inappropriately disclosed to another family” by council-owned Birmingham Children’s Trust Community Interest Company.

According to watchdog the Information Commissioner’s Office, the information in question – which was wrongly shared when the trust “was working with two neighbouring families” – included details of “personal information and criminal allegations relating to a child from the neighbouring family”. This was wrongly included in communication sent to one family “after being copied across from meeting minutes”.

Following an investigation into the breach, the ICO concluded that the trust lacked the necessary policies to ensure that such sensitive information was adequately protected.

Related content

• ICO issues data protection warning over domestic abuse victims after DWP and local councils reprimanded
• Information commissioner: ‘I want us to be for all of society – not just those with the resources to access data protection’
• ICO: Instead of massive fines, regulation works best when we work alongside organisations

The reprimand issued by the regulator requires the children’s services body to “implement a more granular approach to data protection and create a Standard Operating Procedure with regards to producing social care documents”. This procedure should ensure that all social-care documents – or ‘products’ – are “independently checked by someone other than the author prior to disclosure” externally. The trust has also been instructed to “create and implement a corporate redaction policy, which ensures staff have the knowledge and tools, to redact the product if necessary”.

Sally-Anne Poole, head of investigations at the ICO, said: “Children’s personal information requires extra protection and must be handled with great care. This disclosure of personal information by social workers at Birmingham Children’s Trust Community Interest Company was a violation of privacy that would have caused distress to both the child and their family. We expect all organisations processing personal information to ensure they have robust policies and procedures in place to protect it. We will take action when personal information, especially belonging to children and young people, is compromised.”

The trust was created after, effectively, being spun out of the council in 2018. Although it remains owned by local government, the trust operates independently and at arm’s-length from the authority.

A Birmingham Children’s Trust spokesperson said: “We have carefully considered the ICO recommendations and have taken steps to help prevent such an occurrence from happening again. We are continuing to monitor this area of activity, and we are also working on broader procedural changes to further help protect the personal data we work with.”