Tuesday, 22 June 2021

Brent Council apologises for Friday's email data breach - investigation underway

Alan Lunt, Brent Council's Strategic Director for Regeneration and Environment, has written to the 970 recipients of Friday's email apologising for the data breach.

He said:

Please accept my apologies for the sending of an email on Friday regarding the consultation on the Neasden Stations Growth Area SPD, which showed email addresses when they should have been hidden. This was a human error. This security incident is being investigated by the data protection team.

We are reviewing our practice and process, in addition to exploring with IT ways of ensuring that this type of error cannot happen again.

The vast majority of email recipients are for companies, stakeholders and staff and consequently we have assessed the risks to you in terms of any data misuse as low.

Former Liberal Democrat councillor, Alison Hopkins, who was one of the recipients of Friday's email, has replied to Mr Lunt:

I note that I have had no response to my formal complaint to Brent's DPO (Data Protection Officer).

I have spoken to the ICO (Information Commissioner's Office) this morning and consider your response to be wholly inadequate. They concur and I am raising a formal complaint with them.

Your statement that the risk to me is "low" is a dismissive brush off. It is presumably based on Brent's opinion, rather than any proven and sound foundation, and as such legally remains merely your opinion rather than any properly tested fact.

As someone with decades in IT and considerable experience of GDPR and safeguarding practice, the risk is considerably more than "low". Given the seriousness of the original "error", how am I to trust any assessment you have made, especially as you have given no detail of how this conclusion was reached?

I have no knowledge of the companies, stakeholders and staff you refer to, their credentials or probity. In any event, this statement is not acceptable under GDPR rules.


4 comments:

Alison Hopkins said...

I've just replied with this. I honestly think Brent is literally crumbling at the seams: emails unanswered, even replies by councillors ignored.

Dear Mr Lunt

I note that I have had no response to my formal complaint to Brent's DPO.

I have spoken to the ICO this morning and consider your response to be wholly inadequate. They concur and I am raising a formal complaint with them.

Your statement that the risk to me is "low" is a dismissive brush off. It is presumably based on Brent's opinion, rather than any proven and sound foundation, and as such legally remains merely your opinion rather than any properly tested fact.

As someone with decades in IT and considerable experience of GDPR and safeguarding practice, the risk is considerably more than "low". Given the seriousness of the original "error", how am I to trust any assessment you have made, especially as you have given no detail of how this conclusion was reached?

I have no knowledge of the companies, stakeholders and staff you refer to, their credentials or probity. In any event, this statement is not acceptable under GDPR rules.

Alison Hopkins

Anonymous said...

This is a common problem in Brent. FirstPort (managing much of the Wembley Park estate) has also breached the GDPR on several occasions.

Anonymous said...

It's the same if you make a complaint to Brent Council as I did re Veolia - they just passed my complaint with my address and email address showing onto Veolia for them to respond to - when I complained that Brent Council had done this without my permission, breaching my data and potentially putting me at risk of repercussions from Veolia staff they just said ah don't worry Veolia are basically a part of Brent Council - how can a multibillion pound, multinational company like Veolia be part of Brent Council?

Martin Francis said...

In that case, Quintain IS Brent Council.