Following the recent data breach, in which an email from Brent planning was sent openly to 970 email addresses that could be accessed by any recipient, the Information Commissioner's Office has given Brent Council 28 days to respond to the complainant, former councillor Alison Hopkins. She had complained to the ICO that the response to her concerns over the breach was 'wholly inadequate' when she was told that most of the other 969 recipients were staff or stakeholders and the risk of misuse of her data was low. The email was about the Neasden Stations Development Plan.
The ICO said:
Accountability is one of the data protection principles and makes you responsible for complying with the General Data Protection Regulation (GDPR).
You must be able to demonstrate your compliance to your customer and work hard to promote trust and resolve their concerns without the need for the individual to come to us. The attached document provides more detail about this.
As a regulator we look to organisations to effectively manage and resolve the data protection complaints they receive. When your customer comes to us to complain, they are in effect telling the regulator that they believe you are breaking the law. Reports of this kind are something that we will treat seriously and robustly.
We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.
We therefore require you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.
If you believe that you have complied with the data protection law, you need to explain this in detail to your customer. You also need to be confident that you have done all you can to find an appropriate resolution. If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.
Shortly after this breach there was another breach via a similarly addressed email about the Kilburn Square development.
The ICO's letter reminded me of an incident back in 2017 reported on Wembley Matters.
On this occasion the ICO wrote to the complainant:
You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.
Summary of case
In this case, your email address was cc’d into an email and disclosed to other individuals.
It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).
Role of the ICO
Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.
Next steps
Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.
However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
- To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
- To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
- To check that all staff have undertaken data protection training within the last 12 months.
- Inform any other parties whose data may have been inappropriately disclosed in this case.