Friday 9 July 2021

A breach too far: Information Commissioner's Office admonish Brent Council over how they dealt with data breach concerns

Following the recent  data breach when an email from Brent planning was sent openly to 970 email addresses LINK  that could be accessed by any recipient, the Information Commissioner's Office has given Brent Council 28 days to respond to the complainant, former councillor Alison Hopkins.  She had complained to the ICO that the response to her concerns over the breach were 'wholly  inadequate' when she was told that most of the other 969 recipients were mainly staff or stakeholders and the risk of misuse of her data was low.  The email was about the Neasden Stations Development Plan.

The ICO said:

Accountability is one of the data protection principles and makes you responsible for complying with the General Data Protection Regulation (GDPR).


You must be able to demonstrate your compliance to your customer and work hard to promote trust and resolve their concerns without the need for the individual to come to us. The attached document provides more detail about this.


As a regulator we look to organisations to effectively manage and resolve the data protection complaints they receive. When your customer comes to us to complain, they are in effect telling the regulator that they believe you are breaking the law. Reports of this kind are something that we will treat seriously and robustly.


We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.


We therefore require you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.


If you believe that you have complied with the data protection law, you need to explain this in detail to your customer. You also need to be confident that you have done all you can to find an appropriate resolution. If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.


Shortly after this breach there was another breach via a  similarly addressed email about the Kilburn Square development LINK.

The ICO's letter reminded me of an incident back in 2017 reported on Wembley Matters LINK.

On this occasion the ICO wrote to the complainant:

You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.

Summary of case

In this case, your email address was cc’d into an email and disclosed to other individuals.

It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).

Role of the ICO

Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.

Next steps

Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.

However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
  • To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
  • To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
  • To check that all staff have undertaken data protection training within the last 12 months.
  • Inform any other parties whose data may have been inappropriately disclosed in this case.


1 comment:

Philip Grant said...

Although I didn't comment when the Neasden data breach first came up, I discovered that I was one of the 970 recipients whose "email address" had been disclosed.

I only discovered this because I was checking an old email address, that I haven't used for a couple of years, but which I do check occasionally in case a past contact has sent something to me at that address by mistake.

The other 969 recipients needn't worry about me having their email details, because I deleted the Brent emails without looking at those addresses.

But I do wonder why Brent notified me about the Neasden consultation (and at that email address), as the only "Neasden" connection I can think of that I have had was an article I wrote some years ago for Brent Archives about "Neasden's Railway Village"!