Sutton Council has apologised following the publication on its website of a confidential document containing names of those who received benefit payments. The data included information on payments made to hundreds of people for disabilities, adoption and special needs education. It is understood that no other personal information was released.
The document was originally posted online in June, and a more recent version was published in July, before the publication was finally discovered on 17 July.
A statement from the council said:
We immediately removed the data in question upon discovering this breach. As part of our agreed internal policies we are carrying out an investigation and are in contact with the Information Commissioner’s Office (ICO). We will of course do everything we can to help the ICO should they wish to make further enquiries.
We are sorry this has happened and want to reassure residents we take matters such as these seriously. We are reviewing our processes to take all steps necessary to avoid any instance such as this happening again.
Councillor Tim Crowley told Sutton Guardian:
It is a very concerning development. Although I am sure this is a mistake rather than deliberate, the Data Protection Act is in place to protect most of the individuals who have been identified by this leak. They are in the main the most vulnerable members of the community and publishing this data could lead to those individuals being made to feel even more vulnerable and exposed.
Even if this leak was accidental, the ICO can still impose a fine of up to £500,000. Although this breach hasn’t been confirmed as being caused by human error, it reiterates the importance of staff awareness training to make sure that staff who have access to sensitive data have a good understanding of information security.
Increase awareness to reduce data breaches
Rolling out a comprehensive staff awareness programme will give employees a clear understanding of their compliance requirements, your organisation’s security policies and procedures, and basic knowledge of information security best practices to reduce preventable mistakes.