Hackney Citizen

Hackney Council in personal data breach

Exclusive: Investigation finds residents’ personal data published on council website

Data protection issues: Hackney Council. Photograph: Hackney Citizen

Papers published on Hackney Council’s website have inadvertently revealed the personal data of a number of residents, an investigation by the Hackney Citizen has found.

Among the personal details discovered were the names, addresses, email addresses and mobile phone numbers of more than thirty residents who had been in touch with the council recently about licensing decisions.

The data featured in documents which had been partially redacted, but redaction had not always been done correctly, allowing personal details to be accessed by anyone who viewed the papers.

The Hackney Citizen analysed council meeting papers published since the start of 2013 and found seven documents which contained personal data. Details in the documents included:

  • the names of 35 residents who had expressed views on licence applications, in many cases with the residents’ home addresses;
  • ten email addresses;
  • four mobile phone numbers.

Further personal data could have been available in documents published prior to January 2013.

Among the personal details contained in the papers were the names, addresses and signatures of 20 residents who signed a petition against Future Cinema performances in the former Cardinal Pole School on Victoria Park Road.

In another case, the Hackney Citizen was able to view the name, home address, mobile phone number, email address, web address, and Twitter handle of one resident who had commented on a local licensing decision.

Niall McCormack described himself as “surprised” to find his details available in the meeting papers. “It is vital that Hackney Council take all reasonable steps and precautions to protect the data of the general public”, he said.

The personal data was all contained in supporting documents for meetings of the council’s licensing sub-committees, where decisions are made on licence applications and amendments.

The documents had been published on the council website and contained copies of letters, emails and petitions received by the council either in favour of, or objecting to, licence applications being considered.

While attempts had been made to redact the personal data by placing black marks over it, this had not been done properly, meaning the underlying data could still be accessed by anyone viewing the documents.

Amongst the council papers in which personal details were found were documents relating to an application for a premises licence by Dalston Organic, an application to review Efes Snooker Club’s licence, and an application to vary the licence of the Hoxton White Horse.

The council was alerted to the data breach prior to publication of this article in order to allow them to take down the documents concerned.

A Hackney Council spokesperson said: “The Council has removed the reports from the website and will look into the matter to determine whether any confidential information contained therein can be accessed by the public or not.”

The Hackney Citizen also passed evidence to the Information Commissioner’s Office (ICO), the body responsible for enforcing data protection law in the UK.

A spokesperson for the ICO said: “We will be making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

In a number of cases, copying the content of the documents into word processing software revealed names and contact details. In other cases, anyone with PDF-editing software would have been able to open the council documents and simply remove the redacting marks which the council had placed over personal data.
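A pre-publication check for the failure described above, as an added example that is not part of the original article: it reads a page content stream and reports text that is still present underneath a filled rectangle, plus anything PII-like that copy-and-paste would still extract. It assumes an already decompressed stream using only simple `Td`/`Tj` text operators; the sample stream, the function names and the PII patterns are constructed for illustration, and real documents need a full PDF library.

```python
import re

# Constructed content stream (not from any real document): two text lines,
# then a black rectangle painted over the second one as a "redaction".
SAMPLE_STREAM = b"""
BT /F1 12 Tf 72 700 Td (Objection to licence application) Tj ET
BT /F1 12 Tf 72 680 Td (From: resident@example.org 07700 900123) Tj ET
0 0 0 rg
70 676 300 16 re f
"""

TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")
# Rough patterns for e-mail addresses and UK mobile numbers (illustrative only).
PII = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\b07\d{3} ?\d{6}\b")


def scan_stream(stream: bytes):
    """Return (texts, boxes): positioned strings and filled rectangles."""
    stack, texts, boxes, pending, pos = [], [], [], [], (0.0, 0.0)
    for tok in TOKEN.findall(stream.decode("latin-1")):
        if tok == "BT":
            pos = (0.0, 0.0)  # text position resets in each text object
        elif tok == "Td":
            pos = (pos[0] + float(stack[-2]), pos[1] + float(stack[-1]))
        elif tok == "Tj":
            texts.append((pos, stack[-1][1:-1]))
        elif tok == "re":
            pending.append(tuple(float(v) for v in stack[-4:]))
        elif tok in ("f", "F", "f*", "B", "b"):
            boxes.extend(pending)  # the path was painted with a fill
            pending = []
        elif tok in ("S", "s", "n"):
            pending = []  # stroked or discarded, so nothing opaque was drawn
        else:
            stack.append(tok)  # operand, or an operator this sketch ignores
            continue
        stack = []
    return texts, boxes


def text_under_boxes(stream: bytes):
    """Strings still in the stream whose origin lies inside a filled box."""
    texts, boxes = scan_stream(stream)
    return [t for (x, y), t in texts
            if any(bx <= x <= bx + w and by <= y <= by + h
                   for bx, by, w, h in boxes)]


def pii_in_extractable_text(stream: bytes):
    """PII-looking values that a plain copy-and-paste would still pick up."""
    texts, _ = scan_stream(stream)
    return PII.findall(" ".join(t for _, t in texts))
```

A document passes only when both functions return an empty list, which happens when the sensitive text has been deleted from the stream rather than covered.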

Hackney Council has previously threatened the Hackney Citizen with an injunction following the publication of a voice recording which, the council alleged, was in breach of the Data Protection Act 1998.

6 Responses »

  1. “PRIVACY?!! We don’ need no STEEEEENKIN’ privacy!!!” ;-)

  2. I objected to the premises license for Dalston Organic which was granted by the Licensing sub-committee earlier this week. It requires knowledge but little skill to extract metadata from Word documents. Your reporter obliquely refers to metadata when he writes “copying the content of the documents into word processing software revealed names and contact details”. Word docs or docs saved as PDFs automatically include metadata including the authors’ name. The only way to guarantee metadata is not visible or recoverable, is manual removal or third party software. DIY is not difficult or time consuming, and council staff should be required to prove they know how to check for and remove personal metadata.

  3. Thanks for the comment, Denna. To clarify, the personal data I came across was actually in the main body of the documents rather than in metadata – disguised by black rectangles, but the way this had been done meant that in several cases copying the text over to Word brought over stuff that should have been redacted.

    If you think your personal details might have been among that published on the council’s website I’d be interested to hear from you: contact [at] philipnye [dot] co [dot] uk

  4. idiots !

  5. Sloppy work Hackney Council. We redact with Adobe Acrobat when we send out FOI requests. And even then we ‘test’ the swipe and copy to Word just in case….

  6. I would offer my services Hackney Council, but I’m still smarting from being turned down for a Junior Electrician apprenticeship back in 1988….bastards!
