The Information Commissioner's Office (ICO) has reprimanded Scottish social Landlord Clyde Valley Housing Association (CVHA) for the inadvertent publication of residents' personal data on an online portal.
The Housing Association, responsible for the management of circa 4,700 homes across the Lanarkshire and East Dunbartonshire areas of Scotland, launched a new online customer portal on 14 July 2022.
On this launch date, a resident became aware that they could access documents relating to anti-social behaviour cases and personal information about other residents including names, addresses, and dates of birth on the portal. The resident contacted the Housing Association's customer services to alert them of this breach, but the issue was not escalated.
On 19 July 2022, the Housing Association promoted the new customer portal and received four more reports of residents being able to view other residents' personal information. Soon after receiving these further reports, all portal user accounts were locked and the customer portal was suspended. At this point, the personal information of residents and documents relating to any anti-social behaviour cases had been accessible on the portal for five days.
In total, 139 residents were personally affected by this breach. The Housing Association has stated that 62 of these residents face a high risk to their rights and freedoms, which they define as a 'significant invasion of privacy with regards to data of a private or confidential nature, and a risk of financial loss as a consequence of fraud or identity theft”.
What went wrong?
The customer portal offered an application by which residents could view documents relating to anti-social behaviour cases they were involved in. It was intended that this application would only provide information pertaining to the specific resident using it. However, due to a configuration error, residents were able to view all other documents on the portal. It is reported that 394 data entries linked to anti-social behaviour were accessible on the portal as a result.
Lessons learnt
The ICO's investigation found that the Housing Association failed to effectively test the customer portal before it went live, and the Housing Association's staff were not sufficiently trained on the procedure for escalating data breaches.
The ICO recommended that the Housing Association take steps to ensure its compliance with data protection law, including:
- Ensuring vigorous testing is undertaken that focuses on data protection prior to the rollout of a portal in the future.
- Conducting a review of data protection training to ensure that the training provided is relevant to, and adequate for, the staff members receiving it.
As explained by Jennifer Brotchie, Regional Manager for Scotland at the ICO: “We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained. We will take action when people’s personal information is not protected”.
For more information on complying with data protection law, please contact Hetal Ruparelia or Georgia Maskell.
We will be hosting Data Protection and Information Law Conference 2024 on Thursday 9 May, please click here to book your place.
/Passle/6491ca5e863f054b458578e8/MediaLibrary/Images/2024-04-15-08-45-34-968-661ce92ec2294b5a473dd3e9.jpg)
/Passle/6491ca5e863f054b458578e8/SearchServiceImages/2024-05-03-08-29-45-558-6634a079c042ba8a7ecb2fff.jpg)
/Passle/6491ca5e863f054b458578e8/SearchServiceImages/2024-04-30-16-24-17-194-66311b31a63747976b0d3592.jpg)
/Passle/6491ca5e863f054b458578e8/MediaLibrary/Images/2024-04-29-13-16-59-437-662f9dcbf823e3bbaec883fd.jpg)