Clyde Valley Housing Association, which owns and manages thousands of Lanarkshire properties, has been censured by the Information Commissioner’s Office after revealing residents’ personal data in antisocial behaviour complaint records
A housing association that owns almost 5,000 properties in Scotland has been formally reprimanded for a data breach in which residents’ personal information was left publicly available online for five days after the issue had been raised.
In 2022 Clyde Valley Housing Association (CVHA), which operates primarily in the council areas of North and South Lanarkshire, launched a new online customer portal. On the day the digital platform went live, a user found they were able to access documents related to cases of anti-social behaviour. These records contained personal information on other residents, including details of names, addresses, and dates of birth.
The user that discovered the breach rang the association to report the issue immediately but, according to a public statement from regulator the Information Commissioner’s Office, “their concerns were not escalated, and the personal information remained accessible for five days”.
The online system was only suspended after CVHA had sent out a mass email trailing the launch of the new portal – which led to four additional residents discovering and reporting the data breach.
Related content
- ICO issues data protection warning over domestic abuse victims after DWP and local councils reprimanded
- Information commissioner: ‘I want us to be for all of society – not just those with the resources to access data protection’
- ICO examines use of personal data in government anti-disinformation work
The ICO said that its subsequent investigation into the matter concluded that “the housing association failed to test the portal appropriately before it went live and staff were not clear on the procedure to escalate a data breach”.
Alongside a formal censure, CVHA has also been asked to fulfil recommendations from the watchdog, including that: it undertakes a review of the relevance and adequacy of its current data-protection training regime; and rigorously tests any other digital services it intends to launch in the future.
Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information. This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal. We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained. We will take action when people’s personal information is not protected.”
Late last year, the ICO’s head of data protection complaints Helen Raftery published a blog remining housing associations of their responsibility to safeguard their residents’ information.
“We have received a number of complaints from residents who have been failed by poor data-protection practices from their housing association, company or landlord – whether that’s inaccurate record-keeping, leading to anxiety, or necessary repairs being refused due to a misunderstanding about data sharing,” she wrote. “Poor data-protection practices are also more likely to harm residents who require extra support from their housing associations, due to factors such as language barriers, health or history as a victim of domestic abuse. Our complaints data suggests that there is a lack of understanding about data protection law by some organisations in the UK housing sector.”
The blog highlighted several common issues, including housing associations inappropriately sharing residents’ personal data with third parties – such as independent legal advisers – or failing to keep accurate records of complaints.
