A county council has been fined £60,000 after sensitive files about children were left in a cabinet sent to a second-hand shop as part of an office move.
The Information Commissioner’s Office (ICO) fined Norfolk County Council after a member of the public bought the cabinet and discovered the social work case files.
The case files included information relating to seven children.
Steve Eckersley, ICO head of enforcement, said: “The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal.
“Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned, in particular about adults and children in vulnerable circumstances.
“For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information.
“It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal.”
The ICO has the power to impose a penalty on a data controller of up to £500,000.
Norfolk County Council has been approached for comment.
Simon George, Norfolk County Council's executive director for finance and commercial services, said: "We want to reassure residents that we have robust data protection procedures and have tightened practice in the light of the case published today.
"As a council, we take data protection very seriously and we are very sorry that our practice fell short on this occasion.
"We accept the ruling and the fine.
"There is no evidence that this information has been misused in any way and we are grateful to the member of public that quickly brought this to our attention.
"We voluntarily reported ourselves to the Information Commissioner and we undertook a careful review to ensure that we could learn from what happened.
"In the three years since this occurred, we have taken strong and effective action to ensure it is not repeated.
"This has included introducing robust procedures for office moves and training to ensure that our staff are aware of these procedures.
"Staff also receive mandatory rolling training to ensure they understand their overall data protection responsibilities.
"A recent voluntary ICO audit gave use the second highest rating for records management and training and awareness.
"We handle a huge amount of personal data every day and incidents such as this are rare, but we will continue to monitor and review practice to ensure that the personal data we hold is kept safe."