Portsmouth City Council mistakenly provided sensitive information about an individual when a request was made about another person.
The Information Commissioner's Office (ICO) said that, in responding to a subject access request, the council failed to redact documents correctly and so accidentally disclosed information about another individual. The ICO said it was informed of the breach by the council, and its investigation revealed that the individual responsible for redacting the documents was neither employed by the council nor acting under the terms of a formal contract for services.
The supervision and training provided to staff involved in the subject access request process were also found to be inadequate.
Mick Gorrill, head of enforcement at the ICO, said: “This breach of the Data Protection Act was entirely avoidable and would not have happened if the individuals dealing with the request had been given proper training and the necessary levels of support.
“The fact that the information released included sensitive information relating to an individual, who wasn't directly involved in the original request, could have caused a great deal of embarrassment and distress.
“We are pleased that Portsmouth City Council recognise the seriousness of the case, and have taken the necessary steps to ensure this won't happen again. We would urge local authorities across the country to remain vigilant when handling such requests in order to ensure they continue to comply with the act.”
David Williams, chief executive of Portsmouth City Council, has now signed a formal undertaking to ensure that all relevant staff are fully trained in how to handle subject access requests and that checks are put in place to ensure that third-party data is dealt with in accordance with the Data Protection Act's requirements. The council has also agreed that in future any individuals tasked with redacting material from subject access requests will either be employed by the council directly, or otherwise enter into a formal contract to provide this service.
Commenting, Dave Jevans, CEO of IronKey, told SC Magazine that the lack of training for such a sensitive issue was 'ridiculous'. He said: “You don't go to the local football field and get them to do the work. It seems like a ridiculous incident and the real issue is that the guy doing it was not trained and they have not got their house in order.
“Where are they getting people to do this work? I guess my concern is that they got some guy off the street, but how do they send other people's information and how do they manage it and why can they not redact it? It seems that they have got a real data management issue there.”
He further claimed that it is time for public sector companies to consider the fact that they may be fined, as he suspected that the attitude is that they will not be fined because they are government agencies.
“They feel that a £500,000 fine does not apply to them so it is only a reputational issue for the security officer and not something for the broader organisation to consider. Government needs to consider and have some form of audit and a set of rules that they need to have to achieve, how can they enforce it if they do not have rules to meet? There needs to be penalties or enforcement to change behaviour,” Jevans said.