The Information Commissioner’s Office (ICO) announced, on 13 February 2012, that it has imposed monetary penalties on two UK councils - Croydon County Council and Norfolk County Council, for failing to secure highly sensitive information about the welfare of children.

Croydon County Council was fined £100,000 following the theft of a council worker's bag containing papers relating to the care of a child abuse victim at a London pub. Norfolk County Council was fined £80,000 following a council worker hand delivering a report containing information about a child's emotional and physical wellbeing to the wrong address - the intended recipient's neighbour.

The ICO found that both Councils had failed to ensure that the social workers had completed their mandatory data protection training, and Norfolk Council did not a have a peer checking process to ensure that sensitive information was being sent to the correct recipient.

''While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation'', said Stephen Eckersley, Head of Enforcement at the ICO.

''These are particularly interesting in that the organisations had systems in place on paper, but they were not implemented in practice'', said Rosemary Jay, Senior Attorney at Hunton & Williams LLP. ''The message to organisations is that it is not enough to have a policy or a training module - these must be followed through into day to day practice and the organisation must be able to show that the safeguards are applied in practice.''