South Gloucestershire Council reports itself to the Information Commissioner’s Office after 625 people who gave their views on a core strategic planning document had sensitive data placed online last month 

South Gloucestershire Council has issued an apology after it mistakenly published sensitive personal data relating to hundreds of people who responded to a strategic planning consultation.

The authority said it had reported itself to data watchdog the Information Commissioner’s Office over the breach, which involved 625 respondents to a consultation on South Gloucestershire’s Local Plan. 

The authority said the people affected were either local residents or members of representative groups who contributed to the consultation on the Local Plan, which sets out a blueprint for the area’s development over the next 15 years. 

The Local Plan was submitted to the Planning Inspectorate for examination on 24 October. South Gloucestershire said it was required to publish the consultation responses as part of that process. However, a spreadsheet in which respondents’ details were “hidden” but retrievable was also published – an error with similarities to the Ministry of Defence’s February 2022 Afghan data breach, details of which only emerged this summer. 

The consultation respondents’ details are understood to have remained online for around three days. 

In a letter to those affected, Patrick Conroy, planning policy manager at South Gloucestershire, gave his “unreserved apologies” for the breach. 

Related content

• ICO says MoD Afghan data breach ‘unacceptable – and should never happen again’
• MoD lifts lid on almost 50 data breaches affecting Afghan resettlement schemes
• Capita given penalty £14m over cyberattack despite urging ICO to apply non-fining public-sector approach

A spokesperson for the council said: “We can confirm that a data breach occurred in relation to the publication of the council’s new Local Plan last month. We have written to notify all of the potentially affected individuals and organisations to apologise, and have referred the matter to the Information Commissioner’s Office. Alongside the plan itself, we are required to publish the consultation responses received so that they can be considered by the government’s planning inspectors. These are published alongside the names of individuals and organisations who made the submission. 

The spokesperson added: “When this information was received, personal data, which varied from submission to submission, but potentially included names, contact details and addresses, were logged on a spreadsheet. For working purposes, this data was moved to a hidden worksheet that was not visible. Unfortunately, when the documents were published, these worksheets were not deleted beforehand as they should have been, meaning that data was accessible to anyone who found and opened the hidden sheets. The details covered 625 respondents to the Local Plan consultation, either members of the public or representative groups who had given personal contact details. The council’s data protection incident policy and protocols are being followed, including referring the matter to the ICO. All measures to avoid any similar breach in future will be taken, in addition to following any guidance received from the ICO in due course.”