Following the data breach by Brent Council, when e-mail addresses of residents were sent to recipients of a message about a meeting, a complaint was made to the Information Commissioner's Office.
This is their response:
You have contacted us to complain that Brent Council appears to have inappropriately disclosed your personal data.
Summary of case
In this case, your email address was cc’d into an email and disclosed to other individuals.
It would therefore appear that Brent Council has breached the Data Protection Act 1998 (DPA).
Role of the ICO
Our role is to ensure that organisations follow the Data Protection Act 1998 properly. If things go wrong we will provide advice and ask the organisation to try to put things right. Our overall aim is to improve the way organisations handle personal information.
Next steps
Although it appears that Brent Council has breached the DPA, it would seem that this is down to human error, and the ICO does not consider it necessary to take any further regulatory action at this stage.
However, we have contacted the council to advise them of our view. We have also asked that they take the following measures to ensure that similar breaches do not occur in the future:
- To remind all staff to take extra due care and attention when sending emails by double checking addresses and only sending out relevant and appropriate information in future.
- To use the bcc feature when sending emails to numerous individuals with external email domains, to ensure that email addresses are not disclosed to other parties.
- To check that all staff have undertaken data protection training within the last 12 months.
- Inform any other parties whose data may have been inappropriately disclosed in this case.
Although we do not intend to take any further regulatory action on this case, this will remain on our systems to help us build a picture of Brent Council’s information rights handling.
We will continue to monitor the council’s data protection practices, and should any regulatory action be taken against them in the future, your case may form a part of our intelligence against them. You can view any regulatory action we do take on our website, using the following link: https://ico.org.uk/action-weve-taken/