The residents of Middleton have been apoplectic this week after Milton Keynes Council accidently published the results of a residents’ survey on its website, including the addresses and phone numbers of 50 of the respondents. The data breach occurred last week and lasted for 18 hours before the error was noticed and removed.
The survey was designed to determine public opinion on a controversial park in Southside Lane, Middleton after there had been numerous complaints concerning anti-social behaviour. One resident, Dr. Bob Ranger, who has been a vociferous critic against the play park, believes that his address and contact details being made available online may even have led to recent vandalism of his car. Dr Ranger said:
“They published the contact details and other sensitive personal information of about 50 persons who have filled out a residents’ questionnaire and then submitted it to the council. It was put on the council website for 18 hours.”
“Anybody could have seen all those details in the time they were online. Nobody will accept responsibility or offer a genuine apology. We got a press statement written by the council’s PR department that is supposed to count as an apology but adds insult to injury and inflames a delicate situation even more.”
David Hill, chief executive of the council, said:
“The council has apologised for publishing personal data provided by the residents on the website, with all the background information. Although not strictly required by the Information Commissioner’s Office guidelines, we have notified a breach of the data protection legislation to the ICO and launched a data protection investigation.”
This kind of basic mistake which seems to occur so often in local councils indicates both a lack of understanding of data protection and technology as well as a lackadaisical approach to the privacy of local people. The Information Commission should investigate this case and punish those responsible.
As Big Brother Watch has mentioned before, if the ICO continues to refuse to hand out punitive financial punishments for data protection breaches then they will keep occurring. Simple asking public bodies to sign undertakings to improve staff training will not solve these problems.