Basildon Borough Council have been given a £150,000 fine by the Information Commissioner, after a statement in support of a householder’s planning application was published online in full without redacting personal data.
The statement had contained sensitive information about a family’s disability requirements including mental health issues, as well as all their names, ages and addresses. It had been posted by an inexperienced council officer who failed to notice the personal information and there was no procedure requiring a second person to check if redaction was required before publishing. The information stayed on line for almost two months before being removed.
The ICO found that, contrary to the Data Protection Act (DPA), the council had failed to take appropriate organisational measures against the unauthorised processing of personal data and made it clear there was no exemption for planning and instead felt the controversial and emotive nature of planning cases made the breach worse.
The size of fine reflected the council’s lack of robust procedures to safeguard data and is a warning to all organisations that publish information online that exemptions from the DPA are very limited. Without well thought out procedures and training for staff on data protection, organisations risk facing a similar fine.
Clarkslegal are running a “Getting to Grips with Data Protection” series of webinars, starting on Monday 19 June with a free webinar to address the basic concepts and key principles of data protection. Sign up is free and can be found here.