The Courier & Advertiser (Fife Edition)
Bungling council reports itself over huge data breach
A bungling local authority has been forced to report itself to the Information Commissioner’s Office after admitting a massive data breach.
Perth and Kinross Council could face a huge fine after accidentally revealing the personal email addresses of more than 1,000 property owners.
A hapless staff member sent an email about an upcoming course on property management to every one of the landlords on its database.
Instead of masking the addresses, they sent the email with all of them included, so every one of them could be read by each recipient.
Another email was sent a short time later asking every landlord to ignore and delete the offending message and confirming the council had confessed to the ICO about the breach.
Perth and Kinross Council will now face an anxious wait to discover what action the ICO will take, as the 2018 Data Protection Act gives the power to impose a fine of up to 20 million euro (£17 million).
The list of landlords whose details were exposed includes millionaires, lawyers, police officers, a Justice of the Peace, NHS staff, sportsmen, a well-known TV and radio personality and a number of convicted criminals.
Gloucestershire Police was fined £80,000 by the ICO earlier this year after sending a bulk email that identified victims of child abuse.
In that case, just 56 names and email addresses were visible to up to 52 recipients.
ICO head of enforcement Steve Eckersley said: “The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”
A spokesperson for Perth and Kinross Council said: “We can confirm that we have reported a data breach to the Information Commissioner’s Office, as we are required to do by data protection legislation.
“While the names of the individuals concerned are already published via the publicly accessible list of registered landlords, our sincere apologies go to them for the accidental sharing of their email addresses.
“We take our responsibilities as a controller of personal data extremely seriously, and have reminded all staff of the importance of protecting that by steps such as the use of the blind copy function when sending emails.”