Those who give personal information to public authorities are entitled to expect that it will be carefully handled in accordance with the Data Protection Act 1998. In one case where that sadly did not happen, a council was fined £75,000 for systemic failings that led to sensitive details concerning a vulnerable family appearing online.
The council received an application to vary conditions attached to a grant of planning permission. It was accompanied by a planning statement in which the applicant gave details about his family, including disability requirements and mental health issues. The statement was uploaded onto the council’s planning portal in un-redacted form and remained visible to all Internet users for almost two months.
After the error emerged, the council reported itself to the Information Commissioner, who imposed a £150,000 fine. Although the breach was not deliberate, she found, amongst other things, that the council had no effective system in place to ensure the redaction of such statements by its planning technicians.
The planning technicians had received no, or no adequate, training in respect of data protection issues and there was no procedure in place to ensure that statements were cross-checked before being posted online. The facts of the case emerged as the First-tier Tribunal upheld the council’s appeal against the amount of the fine. Although the breach was serious, substantial mitigation was available to the council and the penalty was halved to £75,000.