Basildon Council has been fined £150,000 for publishing sensitive personal information in a planning application.
An Information Commissioner’s Office (ICO) investigation found that the council had breached the Data Protection Act (DPA) by publishing the names and ages of the family members, and the location of their home on a planning application, which was made publicly available on the council’s website. The application also detailed the family’s disability requirements, including mental health issues.
According to the ICO investigation, on 16 July 2015 Basildon Council inadvertently published in full a statement supporting a planning application for proposed works on green belt land. An inexperienced council officer reportedly didn’t notice the personal information in the statement, and there was no procedure in place for a second person to check it. The information remained publicly available until 4 September that year, when the concerns came to light.
“This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available,” said ICO enforcement manager Sally Anne Poole. “Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable.”
The council argued that it had not been allowed to redact personal information from such documents under planning law. However, the ICO rejected that claim, saying planning regulations don’t override people’s fundamental privacy and data protection rights. It also said that the publication of planning documents online was a choice, not a legal requirement.
“Data protection law is clear and planning regulations don’t remove an individual’s rights,” Poole added. “Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people’s sensitive personal information is protected.”
Train your staff
If you don’t want inexperienced staff causing your organisation to breach data protection laws, you should sign your staff up for our Certified EU General Data Protection Regulation (GDPR) Practitioner Training Course.
From 25 May 2018, the GDPR will supersede the DPA, introducing much stricter penalties for non-compliance. Any organisation found to be in breach of the GDPR faces a fine of up to €20 million (about £17.6 million) or 4% of its annual global turnover – whichever is greater.
Our four-day training course will help you gain a practical understanding of the tools and methods for implementing and managing an effective compliance framework. It takes a hands-on approach, using:
- A real-life case study to demonstrate best practices and methodologies
- A data protection impact assessment (DPIA) tool to help assess and address privacy risks
- A GDPR compliance gap assessment tool to help prepare a compliance plan