United Kingdom Information Commissioner’s Office fines Basildon Borough Council 150,000 pounds for publishing sensitive personal data online
June 4, 2017
The United Kingdom’s Information Commissioner’s Office (the “ICO”) has imposed a severe fine of £150,000 on Basildon Borough Council for publishing personal information in planning application documents. The Council argued that planning law prevented it from redacting that information, even though it routinely redacted personal information from other applications. In Victoria this has been an issue in the past, with some councils taking the view that they cannot redact while others argue that they can. It appears that most do redact.
The ICO media release provides:
A council has been fined £150,000 by the Information Commissioner’s Office (ICO) for publishing sensitive personal information about a family.
Basildon Borough Council breached the Data Protection Act when it published the information in planning application documents which it made publicly available online.
The ICO’s investigation found that on 16 July 2015, the council received a written statement in support of a householder’s planning application for proposed works in a green belt. The statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years. In particular, it referred to the family’s disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home.
The council published the statement in full, without redacting the personal data, on its online planning portal later that day. The ICO investigation found that this was due to failings in data protection procedures and training. An inexperienced council officer did not notice the personal information in the statement, and there was no procedure in place for a second person to check it before the personal data was inadvertently published online. The information was only removed on 4 September 2015 when the concerns came to light.
ICO Enforcement manager Sally Anne Poole said:
“This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available. Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable.”
Even though the council had been routinely redacting personal data from planning documents – a practice also widely adopted by other local authorities – Basildon subsequently argued it was not, in fact, allowed to do so under planning law.
That view was rejected by the ICO, which said planning regulations could not override people’s fundamental privacy and data protection rights. It added that publication of planning documents online was a choice, not a legal requirement.
Ms Poole added:
“Data protection law is clear and planning regulations don’t remove an individual’s rights. Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people’s sensitive personal information is protected.”
Again, the ICO’s approach is in stark contrast to that of the Privacy Commissioner in Australia. The ICO is quite active, though far from perfect, in bringing enforcement action against malefactors, while the Privacy Commissioner is on a permanent loop of churning out statements and guidelines. The legislation in the two countries is different, but both regulators have significant enforcement powers. In Australia those powers are gathering cobwebs. One day things might change, but at the moment the ethos in Australia is to talk the talk and not so much walk the walk.
The flaws in Basildon’s practice, namely poor training, inadequate protocols and lax supervision, are quite common in many organisations and agencies.
As invariably occurs with such penalty notices, there was significant negative press coverage, by the BBC, Sky News and the Daily Sun (among others).
The Monetary Penalty Notice relevantly provides:
On 16 July 2015, an administrator in Basildon’s business services department received a planning statement (“the statement”) in support of a householder’s application for proposed works in a green belt.
Such statements are only required where proposed works fall within certain designated areas such as green belt, a national park or an area of outstanding natural beauty. Basildon receives approximately 1500 planning applications each year, but only 2 to 3% of those applications relate to these designated
The statement contained sensitive personal data relating to a static traveller family (“the family”) that had been living on the relevant site for many years. In particular, the statement referred to the family’s disability requirements, including mental health issues, the names of all the family members, their age and the location of the site. It was therefore possible to identify each family member, together with the location of their home. These details comprised the personal data – including sensitive personal data – of the members of that
…..
In July 2015, Basildon’s policy and established approach was that personal data (and in particular sensitive personal data) would be redacted from documents such as the statement before they were published as part of the electronic register of planning applications which Basildon made available through a web-based
The statement was passed to a planning technician who was responsible for validating the planning application and checking that personal data had been appropriately redacted before it was published on Basildon’s website.
That planning technician, however, was inexperienced in checking the contents of documents relating to planning applications which contained sensitive information. He did not notice the information about the family that was embedded in the statement and therefore did not make any redactions.
No procedure was in place for a second person to check such documents before they were uploaded onto the
The planning technician then returned the statement to the administrator, asking him to upload the planning application to Basildon’s In the absence of any guidance on what information should not be published, the administrator quite reasonably relied on the planning technician who had specialist knowledge in planning matters.
Consequently, the administrator uploaded the planning application, and sensitive information relating to the family was inadvertently published online via Basildon’s planning portal website on 16 July 2015. This information was removed on 4 September 2015 when the data protection concerns addressed in this monetary penalty came to light.
…..
Basildon did not have in place appropriate organisational measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that statements containing sensitive personal data would not be published on Basildon’s website. In particular:
Basildon had in place no adequate procedure governing the redaction of statements by planning technicians. For example, the importance of identifying and redacting sensitive personal data does not appear to have been conveyed through Basildon’s
Basildon did not provide any (or any adequate) training to planning technicians on the redaction of
Basildon had in place no guidance or procedures for a second planning technician or senior officer to check statements for unredacted data (and specifically sensitive personal data) before they were returned to the administrator.
Basildon had in place no guidance for the administrator to check statements for unredacted data before they were uploaded to its website.
The Commissioner is satisfied that Basildon was responsible for this contravention. This was an ongoing contravention until the security breach (i.e. the publication of the personal data and sensitive personal data referred to above) was discovered on 4 September 2015.
The relevant features of the kind of contravention are:
The contravention occurred in the context of one of Basildon’s core functions as a local planning authority. Its publication of information relating to planning applications is likely to attract attention in the local community. In that context, contraventions of this kind are likely to cause substantial damage or substantial distress because they involve public disclosure in a prominent forum.
The sensitivity of the relevant personal data is a central feature of this contravention. Contraventions involving the public disclosure of such sensitive personal data are likely to cause substantial damage and/or substantial distress to at least some affected data
Contraventions involving the publication of sensitive personal data about contentious issues such as traveller communities are likely to cause substantial distress and/or damage. In such cases, affected data subjects may legitimately fear how their data may be used by hostile third
Contraventions which result in sensitive personal data being published online for a period of some six weeks are likely to cause substantial distress and/or
This case concerns a failure to have appropriate procedures in place for identifying and redacting sensitive personal data prior to publication on a public authority’s website. In cases involving such data, such a contravention is likely to result in inappropriate disclosures at some point (as happened here). Such disclosures are likely to cause substantial distress. They may also cause damage, for example to mental health.
In assessing the likely consequences of this kind of contravention, it is also important to take into account that Basildon published this sensitive personal data in contravention of its own practice of redacting such data from published documents. Individuals are likely to be distressed by a failure to process their data in accordance with their reasonable expectations.
In the circumstances, Basildon ought reasonably to have known that there was a risk that this contravention would occur unless it ensured that the process was governed by adequate written procedures, undertaken by staff with appropriate experience and supervision and the statement was physically checked prior to publication, in line with the practice employed in its finance
Second, the Commissioner has considered whether Basildon knew or ought reasonably to have known that the contravention would be of a kind likely to cause substantial damage or substantial distress. She is satisfied that this condition is met, given that Basildon was aware that such statements may contain sensitive personal data and that, without adequate procedures in place, such data could be made publicly available online. Basildon ought to have known that it would cause substantial distress if the information was used in ways the family did not envisage, including by online
Basildon should also have known that if the data has in fact been accessed by hostile third parties then it would cause further distress and also damage to the
Therefore, it should have been obvious to Basildon that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the affected individuals.
Third, the Commissioner has considered whether Basildon failed to take reasonable steps to prevent the contravention. Again, she is satisfied that this condition is met. Reasonable steps in these circumstances would have entailed putting in place adequate written procedures governing the redaction of statements, ensuring that appropriately experienced staff undertook the redaction process and that the outcome of their work was physically checked by someone else before any disclosure was undertaken. Basildon did not take those steps. The Commissioner considers there to be no good reason for that failure.
The Commissioner has taken into account the following mitigating features of this case:
- Basildon referred this incident to the Commissioner, removed the relevant data from its website and was co-operative during the Commissioner’s
- A monetary penalty may have a significant impact on Basildon’s reputation.
- Some of the personal data and sensitive personal data which Basildon should have redacted was otherwise available in a public document, namely the previously published report of a Planning Inspector.
- The affected individuals do not appear to have become aware of or complained about this contravention. The Commissioner is not aware of the affected individuals actually suffering any damage or distress in this case.
The Commissioner has taken into account the following aggravating features of this case:
- Basildon did not notify the affected
- Basildon has not taken sufficient remedial action.