A London council has been fined £70,000 after it accidentally published a cache of personal data including medical details, cheques, and even one person’s prison record, the Evening Standard (https://www.infowatch.ru/analytics/leaks_monitoring/18313) reports.
The data, which gave the medical conditions of some people appealing parking fines, was kept as part of Islington Council’s Ticket Viewer system, which allows people to see a CCTV image or video of their alleged parking offence.
An investigation by the Information Commissioner’s Office found that design faults meant a huge tranche of personal data had been compromised.
A member of the public alerted Islington Council in October 2015 after stumbling on the records while trying to pay a parking fine.
Former council leader Terry Stacy told the Standard at the time that “hundreds, if not thousands” of scanned letters, documents and cheques were part of the breach.
“The information included copies of cheques people had written, which had their bank details on, copies of supporting medical advice that people had used to appeal against PCNs and, in one case, someone’s prison record – plus people’s home addresses and telephone numbers,” he said.
The ICO found that 119 documents belonging to 71 people had been accessed during the breach, seen 236 times by users from 36 unique IP addresses.
Sally Anne Poole, enforcement manager for ICO, said of the sanction: “People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that.
“Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved.”
The council should have tested the system both before going live and regularly after that, the ICO found.
Data protection laws are set to get tougher, with changes coming in May next year that will force councils to perform privacy impact assessments when new technology is to be used.
Earlier this year the ICO published its local government survey, which showed many authorities were not yet ready for the new General Data Protection Regulation.
Islington Council said it accepted the fine, which will be reduced to £56,000 on prompt payment.
A spokesman said: “We remain very sorry about the previous Ticketviewer problem and agree with the ICO that we failed to meet the required data protection standards back in 2015.
“As soon as we were aware of the problem we took every possible action to prevent a recurrence and instructed auditors to carry out a thorough review so we could learn from our mistake.”