An investigation has been launched at Lichfield District Council after redacted personal data of some local residents was made available online.
It comes after Lichfield Live was able to access email and home addresses of people whose objections were being discussed by the local authority’s licensing and consents committee.
The views of concerned residents over plans to permit Lichfield Sports Club to sell alcohol and play music outdoors until 11pm were contained in documents published on the council’s website ahead of a meeting next week.
But despite the personal details of those submitting objections being blacked out, highlighting the section and then cutting and pasting it meant the information was still accessible.
After Lichfield Live highlighted the issue to Lichfield District Council, a spokesperson confirmed steps were being taken to identify why it had happened.
“We take the safe handling of our residents’ personal data very seriously.
“We are investigating this report as a priority at the highest level and our officers are contacting the individuals affected.”
Lichfield District Council spokesperson
As well as objectors, the personal email of Cllr Jamie Checkland was also available after he liaised with officers in his role as chair of the sports club applying for the licence variation.
But the issue is not an isolated one. Further checks by Lichfield Live identified that a similar situation had occurred at a previous meeting of the same committee in September, where information and addresses of objectors had been made available through the same method.
Documents from the committee have now been removed from the Lichfield District Council’s website after being contacted by Lichfield Live.
“You should ensure you have robust breach detection”
Such data breaches are covered by GDPR regulation in the UK.
The Information Commissioner’s Office website highlights the responsibilities organisations have in handling personal data related to individuals.
“GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
“If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
“You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals, or both.
“When a personal data breach has occurred, you need to establish the likelihood of the risk to people’s rights and freedoms. If a risk is likely, you must notify the ICO.
“If a risk is unlikely, you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.”
Information Commissioner’s Office website
So Tippex doesn’t work on electronic communications, you have to laugh at this Council otherwise you would cry.
Ooooffff. I feel for the member of staff responsible for this and I hope they’re not made a scapegoat. It sounds like they need technical training on the proper ways to redact information on digital documents. Unless such training has been given and ignored the fault lies with LDC as an organisation, not the individual.
What an absolute farce. Can’t trust this council as far as you could throw them.
Though if it’s a conservative we’re talking about, I could probably muster enough energy to throw them further and harder.
Why doesn’t councillor Checkland go by his name Ian, does it make him seem too old or something?
If anyone is looking for an easy job I’d recommend any position at LDC. You can work care-free, make mistakes all day long, and be completely incompetent without every facing any consequences.
The Chief Exec is made of Teflon
This is disgraceful from the council, didn’t they have GDPR issues a couple of years ago as well?
Rather than spending our taxes on Alexa bin announcements they could invest in some decent information security, staff training and an operational risk environment which could mitigate this sort of thing from happening.
Customer data should be the council’s no 1 priority and it’s outrageous that this has happened.