Basildon Council lands £150,000 fine by ICO after revealing family’s personal details

Authority exposed personal data including mental health issues

The Information Commissioner's Office (ICO) has fined Basildon Council 150,000 for publishing online the personal data of a traveller family.

The authority breached the Data Protection Act by making publically available data on the family in a planning application.

The ICO discovered that the council received a written statement in support of a householder's planning application for proposed works in a green belt. The statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years.

It referred to the family's disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home. The council published the statement in full, without redacting the personal data, on its online planning portal later that day.

An investigation by the ICO found that the council failed to carry out data protection procedures and training. It was revealed that an inexperienced council officer didn't notice the personal information in the statement, and there was no procedure in place for a second person to check it before the personal data was inadvertently published online. The information was only removed on 4 September 2015 when the concerns came to light. 

While the council had routinely redacted personal data from planning documents a practice also adopted by other local authorities Basildon subsequently argued it was not, in fact, allowed to do so under planning law. This was rejected by the ICO, which said planning regulations could not override people's fundamental privacy and data protection rights. It added that publication of planning documents online was a choice, not a legal requirement.

"This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available," said ICO enforcement manager Sally Anne Poole. 

"Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable."

"Data protection law is clear and planning regulations don't remove an individual's rights. Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people's sensitive personal information is protected," she added.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

Recommended

Fitness Depot notifies customers of data breach
data breaches

Fitness Depot notifies customers of data breach

8 Jun 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
What is the Information Commissioner’s Office (ICO)?
Information Commissioner

What is the Information Commissioner’s Office (ICO)?

15 Apr 2020
Printing company exposes 343GB of sensitive military data
data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
Police use of facial recognition ruled unlawful in the UK
privacy

Police use of facial recognition ruled unlawful in the UK

11 Aug 2020