Parking ticket review service permitted unauthorised access to citizen data, investigation finds

The Ticket Viewer site allows people who have received a parking ticket to examine footage of their alleged offence  Credit: PA

Islington Council has been fined £70,000 after the Information Commissioner’s Office found that the north London borough’s parking-ticket website failed to adequately secure the personal information of 89,000 citizens.

The council’s Ticket Viewer service allows people who have received parking tickets in the borough to look at images or video pertaining to their alleged offence. In October 2015, a site user discovered that “manipulating the URL” gave them unauthorised access to folders containing personal information, the ICO said.

Related content

ICO flags areas for improvement at Islington

‘It’s not a choice between privacy or innovation’, ICO tells NHS trusts

ICO: Councils need to sharpen up on data protection ahead of GDPR

The oversights that allowed such material – including, in some cases, medical details – to be compromised put the data of 89,000 people at risk. Before the fault was corrected, the council discovered that 119 documents related to 71 people had been accessed without authorisation a cumulative total of 235 times from 36 unique IP addresses. 

An ICO investigation concluded that the Ticket Viewer system ought to have been tested before it went live, and frequently thereafter. The borough’s failure to do so, and the resultant threat to the security of personal information, represented a breach of the Data Protection Act, the ICO said.

“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that,” said Sally Poole, ICO enforcement manager. “Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure, it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data-protection seriously.”