Council published sensitive data of family on its online portal
Revealed names of disabled residents leads to £150,000 fine Credit: Fotolia
Basildon Borough Council has been fined £150,000 by the Information Commissioner’s Office (ICO) for revealing sensitive details of a family on a public portal.
The council had received a planning statement in support of a householder’s application for proposed building works back in July 2015. The statement had contained sensitive personal data relating to a family that had been living at this address for many years.
In particular, the statement referred to the family’s disability requirements, including mental health issues, the names of all the family members, their age and the location of the site.
- Councils told to get social care workers on board to promote online services
- How mobile technology can help join up health and social care systems
This data was not only personal – but it would also enable anyone with access to the data to identify each family member, and the location of their home.
Basildon’s policy at that time in regards to personal and sensitive data was to redact specific information from statements before they were published as part of the electronic register of planning applications, which the council made available through an online portal.
However, the statement was passed on to a planning technician, who was responsible for validating the application and for checking that personal data had been redacted before it was published. However, the ICO said the technician was inexperienced in checking the contents of planning applications with sensitive data, so he did not notice the information about the family that was embedded in the statement – and therefore didn’t make any redactions.
There was no procedure in place for a second person to check the documents before they were uploaded to the portal, the ICO stated. Instead the statement was returned to the administrator, who relied on the planning technician’s knowledge of these applications, and decided to upload the application to Basildon’s website.
Despite Basildon Council’s protestations, the commissioner found that it had contravened the Data Protection Act by failing to take appropriate organisational measures against the unauthorised processing of personal data.
The ICO said it would reduce the monetary penalty by 20% to £120,000 if it receives the fine by 21 June 2017. However, the ‘early payment discount’ isn’t available if the council decides to exercise its right of appeal.