UK Information Commissioner reprimands UK Post Office over data breach relating to the Horizon IT scandal

December 5, 2025

Accidental, usually negligent, publication of documents containing the personal information of multiple people is a public service specialty and common enough to be almost passé. But it is almost always serious. And so it was when the communications team of the Post Office published an unredacted version of a legal settlement document which set out the personal information of 502 former postmasters who had sued the Post Office over its egregious use of Horizon IT data to make allegations against them.

Having proper protocols for publishing documents online is vitally important. Most additions to websites are non-controversial and pose no privacy risk because the information does not identify individuals and is generally about the organisation. But organisations create or hold documents which do contain personal information, and with most documents stored in digital form they can be passed across to a whole range of people in an organisation. Here it was the communications team, who are culturally and technically as far away from dealing with sensitive information as one can get. They specialise in spin and putting out press releases, not in analysing legal documents. The ICO sets out the matters an organisation should consider in handling such information.

The media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Post Office Limited following a data breach that resulted in the unauthorised disclosure of personal information belonging to hundreds of postmasters involved in the Horizon IT scandal.

The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of a group litigation against the organisation. It remained publicly accessible from 25 April to 19 June 2024, before being removed following notification from an external law firm.

When investigating the circumstances of this data breach, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. We found there to be a lack of documented policies or quality assurance processes for publishing documents on the corporate website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices.

Federal Trade Commission fines Avast for deceptive privacy claims and distributes $15.3 million to affected users

December 3, 2025

The Federal Trade Commission is one of the main regulators that deal with privacy breaches. The usual basis for action is deceptive conduct by companies and organisations. Most recently the FTC took action against Avast for using its browser extensions and antivirus software to collect, store and sell browsing information without notice and proper consent. The FTC took action in February 2024 seeking $16.5 million from Avast. The claim settled in June 2024.

This type of privacy breach is common enough in Australia, and elsewhere, though rarely as egregious as what Avast did. Avast engaged in active deception. Companies continue to collect more information than they require to provide the service to their customers, subscribers or visitors to their sites. Organisations continue to justify this conduct. The danger to them and their clients is that if there is a data breach, the misuse or over-collection of data, or both, will be discovered. And regulatory action will follow. Or a class action. Or both.

The most recent announcement about distribution of payments