18.08.17
Authority slapped with £70,000 fine for data protection mishap
A London council has been slapped with a £70,000 fine after it failed to keep up to 89,000 people’s information secure on its parking ticket system website.
Islington Council’s Ticketviewer System allows people to see a CCTV image or video of parking offences they have been accused of. However, due to a design fault, the system mistakenly led to personal data of almost 90,000 people being accessible by other people using the technology. Some of this data included sensitive information such as medical details relating to appeal.
The Information Commissioner’s Office (ICO) has today released its report which said that there had been unauthorised access to 119 documents on the system 235 times from 36 unique IP addresses, affecting a total of 71 people.
“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that,” said Sally Anne Poole, ICO enforcement manager.
“Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”
The organisation stated that the council should have made sure to test the system properly prior to it going live and then regularly after that point.
It added that its failure to do so meant that the Borough had not taken appropriate measures to keep personal information secure, leaving it in breach of the Data Protection Act.
A spokesperson for the council repeated its previous apology for the mistake, and added that the council had taken the fine down to £56,000 for prompt payment.
“We remain very sorry about the previous Ticketviewer problem and agree with the ICO that we failed to meet the required data protection standards back in 2015,” they said.
“As soon as we were aware of the problem we took every possible action to prevent a recurrence and instructed auditors to carry out a thorough review so we could learn from our mistake.”
Today’s news also follows the ICO warning councils that they had a long way to go to ensure data protection practices complied with the incoming General Data Protection Regulation.
It also fined Basildon Borough £150,000 back in June, and Gloucester City £100,000 after a cyber-attack exposed its employees’ information to hackers.
Have you got a story to tell? Would you like to become a PSE columnist? If so, click here.