
Friday, 9 July 2021

A breach too far: Information Commissioner's Office admonish Brent Council over how they dealt with data breach concerns

Following the recent data breach, when an email from Brent planning was sent openly to 970 email addresses (LINK) that could be accessed by any recipient, the Information Commissioner's Office has given Brent Council 28 days to respond to the complainant, former councillor Alison Hopkins. She had complained to the ICO that the response to her concerns over the breach was 'wholly inadequate' when she was told that the other 969 recipients were mainly staff or stakeholders and the risk of misuse of her data was low. The email was about the Neasden Stations Development Plan.

The ICO said:

Accountability is one of the data protection principles and makes you responsible for complying with the General Data Protection Regulation (GDPR).

 

You must be able to demonstrate your compliance to your customer and work hard to promote trust and resolve their concerns without the need for the individual to come to us. The attached document provides more detail about this.

 

As a regulator we look to organisations to effectively manage and resolve the data protection complaints they receive. When your customer comes to us to complain, they are in effect telling the regulator that they believe you are breaking the law. Reports of this kind are something that we will treat seriously and robustly.

 

We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.

 

We therefore require you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.

 

If you believe that you have complied with the data protection law, you need to explain this in detail to your customer. You also need to be confident that you have done all you can to find an appropriate resolution. If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.

 

Shortly after this breach there was another breach via a similarly addressed email about the Kilburn Square development LINK.


The ICO's letter reminded me of an incident back in 2017 reported on Wembley Matters LINK.

On this occasion the ICO wrote to the complainant:

You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.

Summary of case

In this case, your email address was cc’d into an email and disclosed to other individuals.

It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).

Role of the ICO

Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.

Next steps

Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.

However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
  • To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
  • To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
  • To check that all staff have undertaken data protection training within the last 12 months.
  • Inform any other parties whose data may have been inappropriately disclosed in this case.


 

Tuesday, 22 June 2021

Brent Council apologises for Friday's email data breach - investigation underway

Alan Lunt, Brent Council's Strategic Director for Regeneration and Environment has written to the 970 recipients of Friday's email apologising for the data breach.

He said:

Please accept my apologies for the sending of an email on Friday regarding the consultation on the Neasden Stations Growth Area SPD, which showed email addresses when they should have been hidden. This was a human error. This security incident is being investigated by the data protection team.

We are reviewing our practice and process, in addition to exploring with IT ways of ensuring that this type of error cannot happen again.

The vast majority of email recipients are for companies, stakeholders and staff and consequently we have assessed the risks to you in terms of any data mis-use as low.

Former Liberal Democrat councillor, Alison Hopkins, who was one of the recipients of Friday's email has replied to Mr Lunt:

I note that I have had no response to my formal complaint to Brent's DPO (Data Protection Officer).

I have spoken to the ICO (Information Commissioner's Office) this morning and consider your response to be wholly inadequate. They concur and I am raising a formal complaint with them.

Your statement that the risk to me is "low" is a dismissive brush off. It is presumably based on Brent's opinion, rather than any proven and sound foundation, and as such legally remains merely your opinion rather than any properly tested fact.

As someone with decades in IT and considerable experience of GDPR and safeguarding practice, the risk is considerably more than "low". Given the seriousness of the original "error", how am I to trust any assessment you have made, especially as you have given no detail of how this conclusion was reached?

I have no knowledge of the companies, stakeholders and staff you refer to, their credentials or probity. In any event, this statement is not acceptable under GDPR rules.


Tuesday, 26 September 2017

Information Commissioner's Office calls on Brent Council to take measures to avoid future data protection breaches

Following the data breach by Brent Council, when e-mail addresses of residents were sent to recipients of a message about a meeting, a complaint was made to the Information Commissioner's Office.

This is their response:

You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.

Summary of case

In this case, your email address was cc’d into an email and disclosed to other individuals.

It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).

Role of the ICO

Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.

Next steps

Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.

However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
  • To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
  • To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
  • To check that all staff have undertaken data protection training within the last 12 months.
  • Inform any other parties whose data may have been inappropriately disclosed in this case.

Although we do not intend to take any further regulatory action on this case, this will remain on our systems to help us build a picture of Brent Council’s information rights handling.

We will continue to monitor the council’s data protection practices, and should any regulatory action be taken against them in the future, your case may form a part of our intelligence against them. You can view any regulatory action we do take on our website, using the following link: https://ico.org.uk/action-weve-taken/