Showing posts with label Data Breach. Show all posts

Friday, 25 March 2022

EXCLUSIVE: Brent Council suspends Veolia's management of confidential waste after data breach


Wembley Matters contacted Brent Council after a Coulsdon resident emailed:

 I'm a big fan of your blog Wembley Matters. I thought you might be interested in the below......


A Veolia lorry has driven through Brighton Road in Coulsdon (CR5 2BE), leaving confidential letters sown all over the street that look to be from Brent Council........

All sorts involved, letters containing full names addresses etc and some very confidential matters.

Many of these letters have ended up in people's gardens. Veolia and the council have been round picking them up since Monday.

Surely this is a serious breach of the DPO laws?? 

I didn't manage to get a picture unfortunately, but if you speak to some residents you might hear some interesting tales... you may also wish to ask the council about it?

Of course I did. 

I have established that Veolia transports Brent Council confidential waste to Croydon for shredding in purpose-designed confidential information bags. This is also done by other nearby councils contracted to Veolia.

I understand that about 700 items were involved and Brent Council has been collecting them and informing those affected. Some of the items in the gutter were in a poor state and unreadable.

Brent Council told Wembley Matters that this collection and contacting of residents took time but only a small proportion of the 700 items were confidential.

 

A Brent Council spokesperson said:  

 

We sincerely apologise to the Brent residents affected by the data breach by our waste contractor Veolia. 

 

As soon as we were made aware of the error we took immediate steps, together with our contractor, to recover the information. Following several sweeps of the area where the loss took place, we have done everything possible to safely recover the information. We are notifying relevant parties, where appropriate, and the incident has been reported to the Information Commissioner.

 

We are working closely with Veolia and have suspended their management of the council’s confidential waste for the time being. A full investigation is now taking place into how this incident happened so lessons can be learned and more robust measures put in place to ensure this can never happen again.

 

A Veolia spokesperson said:

We would like to apologise to all residents who have been affected by this unacceptable incident and have taken immediate action to recover and secure any confidential waste.
 
We take this matter extremely seriously and are conducting an urgent investigation into the circumstances of this incident and will continue to work closely with Brent Council in order to limit any impact.

 

William Relton, Coordinator of Brent Green Party commented:


I understand that Veolia's contract with Brent is coming to an end soon. I urge Brent Council not to renew the contract and take all waste disposal and recycling, particularly items of a confidential matter, back in-house. Why any organisation would pay another commercial organisation to shred its confidential materials is quite beyond me.


Wembley Matters will report the result of any investigation by the Information Commissioner and any measures or fines imposed as a result of this breach.

Friday, 9 July 2021

A breach too far: Information Commissioner's Office admonish Brent Council over how they dealt with data breach concerns

Following the recent data breach, when an email from Brent planning was sent openly to 970 email addresses that could be accessed by any recipient LINK, the Information Commissioner's Office has given Brent Council 28 days to respond to the complainant, former councillor Alison Hopkins. She had complained to the ICO that the response to her concerns over the breach was 'wholly inadequate' when she was told that the other 969 recipients were mainly staff or stakeholders and the risk of misuse of her data was low. The email was about the Neasden Stations Development Plan.

The ICO said:

Accountability is one of the data protection principles and makes you responsible for complying with the General Data Protection Regulation (GDPR).

 

You must be able to demonstrate your compliance to your customer and work hard to promote trust and resolve their concerns without the need for the individual to come to us. The attached document provides more detail about this.

 

As a regulator we look to organisations to effectively manage and resolve the data protection complaints they receive. When your customer comes to us to complain, they are in effect telling the regulator that they believe you are breaking the law. Reports of this kind are something that we will treat seriously and robustly.

 

We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.

 

We therefore require you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.

 

If you believe that you have complied with the data protection law, you need to explain this in detail to your customer. You also need to be confident that you have done all you can to find an appropriate resolution. If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.

 

Shortly after this breach there was another breach via a similarly addressed email about the Kilburn Square development LINK.


The ICO's letter reminded me of an incident back in 2017 reported on Wembley Matters LINK.

On this occasion the ICO wrote to the complainant:

You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.

Summary of case

In this case, your email address was cc’d into an email and disclosed to other individuals.

It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).

Role of the ICO

Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.

Next steps

Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.

However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
  • To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
  • To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
  • To check that all staff have undertaken data protection training within the last 12 months.
  • Inform any other parties whose data may have been inappropriately disclosed in this case.


 

Friday, 2 July 2021

Another data breach by Brent Council - this time Kilburn Square consultation

According to Life in Kilburn, Brent Council has again breached data regulations by openly copying residents' email addresses into an email about the Kilburn Square development consultation. This means that each recipient has access to all the private email addresses.

To make matters worse, the sender claimed in response to a complaint that it was impossible to send Zoom details via blind copy (bcc), which Zoom users know is not the case.

Life in Kilburn told Wembley Matters:

There were 21 residents on one invite but the same issue on the invites to 2 similar meetings on different dates. It has also probably been happening to all previous residents' invites to Zoom meetings for all infill developments, where the "consultation" is managed by this individual.

 This is the second case in just a few weeks and appears to be the same department.

 June 19th 2021:



Tuesday, 22 June 2021

LATEST: Brent Council statement on Neasden Stations Consultation email data breach

A Brent Council spokesperson said: 

"As soon as we became aware of this mistake, it was immediately flagged with the council's Information Governance team who are working with the team concerned.

"We have already apologised to the recipients and made them aware it was not intentional and due to human error. We're also exploring ways of ensuring that this type of error cannot happen again in consultation exercises.

"We would encourage people to participate in the Neasden consultation and offer us their ideas on making the area around Neasden Station a nicer and better place for people in Brent. "

Brent Council apologises for Friday's email data breach - investigation underway

Alan Lunt, Brent Council's Strategic Director for Regeneration and Environment has written to the 970 recipients of Friday's email apologising for the data breach.

He said:

Please accept my apologies for the sending of an email on Friday regarding the consultation on the Neasden Stations Growth Area SPD, which showed email addresses when they should have been hidden. This was a human error. This security incident is being investigated by the data protection team.

We are reviewing our practice and process, in addition to exploring with IT ways of ensuring that this type of error cannot happen again.

The vast majority of email recipients are for companies, stakeholders and staff and consequently we have assessed the risks to you in terms of any data mis-use as low.

Former Liberal Democrat councillor, Alison Hopkins, who was one of the recipients of Friday's email has replied to Mr Lunt:

I note that I have had no response to my formal complaint to Brent's DPO (Data Protection Officer).

I have spoken to the ICO (Information Commissioner's Office) this morning and consider your response to be wholly inadequate. They concur and I am raising a formal complaint with them.

Your statement that the risk to me is "low" is a dismissive brush off. It is presumably based on Brent's opinion, rather than any proven and sound foundation, and as such legally remains merely your opinion rather than any properly tested fact.

As someone with decades in IT and considerable experience of GDPR and safeguarding practice, the risk is considerably more than "low". Given the seriousness of the original "error", how am I to trust any assessment you have made, especially as you have given no detail of how this conclusion was reached?

I have no knowledge of the companies, stakeholders and staff you refer to, their credentials or probity. In any event, this statement is not acceptable under GDPR rules.


Saturday, 19 June 2021

Brent Council's consultation on Neasden Masterplan marred by major data breach

Brent Council yesterday emailed local residents informing them of the consultation on the Neasden Stations Development Masterplan. The consultation was agreed at the last Cabinet LINK.

Unfortunately, residents' email addresses were placed in the 'To' slot rather than bcc, so private email addresses were revealed to all and sundry. That was not the end of the matter, as the 'Recall' message issued when the error was revealed was also sent via the 'To' slot! Some 970 residents received up to 10 such open 'Recalls'.

This appears to be a clear breach of GDPR although likely to have been an accident.

Here are details of the consultation which officially begins on Monday:

Brent Council is asking for residents’ views on how the future development of the area around Neasden Underground Station might look.

 


 

Part of this exciting vision will include 2,000 new and affordable homes, new job opportunities for local people, improved and integrated cycling routes and new and better open spaces.

We want residents to have their say on the draft Masterplan Supplementary Planning Document (SPD), which will help guide and influence the development of Neasden Station Growth Area (NSGA). This includes land around Neasden Underground Station that the Council has designated for development in its draft Local Plan.

The document will be used by the Council to help decide which proposals should be given planning permission in the area.

Don’t miss the opportunity to have your say on Neasden’s future!

Why we are consulting

How to get involved?

  1. Visiting Wembley and Willesden Libraries: A copy of the SPD and feedback forms will be available for you to review and provide us with your comments. Your feedback can be shared with us via:
     • Email: Scanning or sending a photo of the form to NSGA@brent.gov.uk
     • Post: sending your feedback to NSGA MASTERPLAN SPD consultation, Regeneration Team, Engineers Way, Wembley Park, Wembley HA9 0FJ
  2. Visiting our webpage: A digital version of the document will be available as well as the feedback form: www.brent.gov.uk/your-community/regeneration/growth-areas/neasden-stations-growth-area/. You can email your response via NSGA@brent.gov.uk.
  3. Visiting one of our drop-in events: Council officers will be happy to talk you through the project and answer any of your questions on:
     • Monday 5th July 2021, 3-6pm, Neasden Town Centre, near Neasden Parade, 263-265 Neasden Lane
     • Friday 9th July 2021, 4-6pm, St Catherine’s Church, Church forecourt, Neasden Lane, NW10 1QB
     • Thursday 15th July 2021, 4-6pm, The Grange, Neasden Lane, London NW10 1QB

The link to the Survey should be live from Monday HERE