Basildon Council lands £150,000 fine by ICO after revealing family’s personal details
Authority exposed personal data including mental health issues
The Information Commissioner's Office (ICO) has fined Basildon Council 150,000 for publishing online the personal data of a traveller family.
The authority breached the Data Protection Act by making publically available data on the family in a planning application.
The ICO discovered that the council received a written statement in support of a householder's planning application for proposed works in a green belt. The statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years.
It referred to the family's disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home. The council published the statement in full, without redacting the personal data, on its online planning portal later that day.
An investigation by the ICO found that the council failed to carry out data protection procedures and training. It was revealed that an inexperienced council officer didn't notice the personal information in the statement, and there was no procedure in place for a second person to check it before the personal data was inadvertently published online. The information was only removed on 4 September 2015 when the concerns came to light.
While the council had routinely redacted personal data from planning documents a practice also adopted by other local authorities Basildon subsequently argued it was not, in fact, allowed to do so under planning law. This was rejected by the ICO, which said planning regulations could not override people's fundamental privacy and data protection rights. It added that publication of planning documents online was a choice, not a legal requirement.
"This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available," said ICO enforcement manager Sally Anne Poole.
"Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable."
"Data protection law is clear and planning regulations don't remove an individual's rights. Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people's sensitive personal information is protected," she added.
Key considerations for implementing secure telework at scale
Identifying the security risks and advanced requirements of a remote workforceDownload now
The State of Salesforce 2020
Your guide to getting the most from SalesforceDownload now
Fast, flexible and compliant e-signatures for global businesses
Be at the forefront of digital transformation with electronic signaturesDownload now
Rethink your cybersecurity strategy for the new world
5 steps to secure the enterprise and be fit for a flexible futureDownload now