Authority fined for data protection breaches

Posted: 13th October 2017

Data securityUploading information to the Internet takes seconds and mistakes are easily made but the consequences of publishing private data online can be severe.

In one case, a local planning authority was fined £150,000. It posted information about a family of travellers on its website.

A statement had been submitted to the authority that contained sensitive personal data about the family in the context of a planning application in the Green Belt. The statement referred to the family’s disability requirements, including mental health issues.

The authority was required to place planning applications on its website for public consultation purposes and, after the matter was put in the hands of an inexperienced employee, the statement was uploaded in unredacted form.

The Information Commissioner's Office found that what happened amounted to a serious breach of the Data Protection Act 1998. Although it was not deliberate, it had resulted from serious oversight and the inadequacy of the systems that the authority had in place to guard against such breaches.

The information could have been accessed by hostile third parties and the authority ought reasonably to have known there was a risk of a contravention that would be likely to cause harm or distress. In those circumstances, a substantial monetary penalty was justified.