Watchdog faces probe after data leak
UK electoral commission under investigation after leaking details of pro-union campaign donors
The UK election watchdog has apologised after it inadvertently released the details of a pro-Union campaign group on its website.
The Electoral Commission failed to redact the details for 168 individuals who had donated to Scotland in Union, after a Freedom of Information request.
The full names of those who donated could be seen by simply cutting and pasting the spreadsheet after a technical issue enabled access to the personal information. The body now faces an investigation by the Information Commissioner's Office and potentially a large fine for breaching the Data Protection Act 1998.
The Scotland in Union was set up after the 2014 independence referendum and describes itself as a non-party organisation campaigning to promote Scotland in the UK.
The group's website promises to process its supporters data in compliance with the Data Protection Act 1998.
They responded to a request from the Electoral Commission to supply a list of donors who had pledged 500 or more.
The group said the information was encrypted, to protect its supporters right to privacy, but after the commission published the list on the website, it quickly became apparent that it had not been properly redacted.
The spreadsheet could be cut and pasted into another document where the names could all be seen by removing the blanked out details.
The commission is supposed to use data sanitising tools to remove data from documents, rather than just blank out the information, but due to a technical issue the information was discovered and circulated widely on social media.
Speaking to the BBC, the group claimed some of its supporters had already faced harassment as a result of the error.
"We have still to receive a full explanation from the Electoral Commission as to why they placed private information about our supporters in the public domain and we are consulting our legal team about next steps," said a spokesman.
"Unfortunately, we have already had instances of supporters being harassed as a result of the Electoral Commission's breach. This is completely unacceptable."
The release of such information may be in violation of the Data Protection Act 1998 and could result in criminal prosecution or a penalty of up to 500,000.
In a statement, the Electoral Commission said: "On 25 April the commission was notified of a technical issue with the application of redactions in a Freedom of Information response published on the commission's website.
"The redaction was ineffective and enabled access to personal information in relation to donations to Scotland in Union. The commission takes the management of data extremely seriously and regrets this issue.We are taking all reasonable action to minimise any harm caused and to rectify matters where we can."
The statement added: "We immediately removed the response from our website and are working with Scotland in Union to ensure that the individuals affected are notified.
"The Information Commissioner's Office has been formally notified of the breach. We are carrying out a full test of our redaction tool to understand how it occurred and will subsequently update internal procedures if required."
Image credit: Shutterstock
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now