Hackney Council in personal data breach
Exclusive: Investigation finds residents’ personal data published on council website
Papers published on Hackney Council’s website have inadvertently revealed the personal data of a number of residents, an investigation by the Hackney Citizen has found.
Among the personal details discovered were the names, addresses, email addresses and mobile phone numbers of more than thirty residents who had been in touch with the council recently about licensing decisions.
The data featured in documents which had been partially redacted, but redaction had not always been done correctly, allowing personal details to be accessed by anyone who viewed the papers.
The Hackney Citizen analysed council meeting papers published since the start of 2013 and found seven documents which contained personal data. Details in the documents included:
- the names of 35 residents who had expressed views on licence applications, in many cases with the residents’ home addresses;
- ten email addresses;
- four mobile phone numbers.
Further personal data could have been available in documents published prior to January 2013.
Among the personal details contained in the papers were the names, addresses and signatures of 20 residents who signed a petition against Future Cinema performances in the former Cardinal Pole School on Victoria Park Road.
In another case, the Hackney Citizen was able to view the name, home address, mobile phone number, email address, web address, and Twitter handle of one resident who had commented on a local licensing decision.
Niall McCormack described himself as “surprised” to find his details available in the meeting papers. “It is vital that Hackney Council take all reasonable steps and precautions to protect the data of the general public”, he said.
The personal data was all contained in supporting documents for meetings of the council’s licensing sub-committees, where decisions are made on licence applications and amendments.
The documents had been published on the council website and contained copies of letters, emails and petitions received by the council either in favour of, or objecting to, licence applications being considered.
Although black marks had been placed over the personal data in an attempt to redact it, this had not been done properly, meaning the underlying data could be accessed by anyone viewing the documents.
Amongst the council papers in which personal details were found were documents relating to an application for a premises licence by Dalston Organic, an application to review Efes Snooker Club’s licence, and an application to vary the licence of the Hoxton White Horse.
The council was alerted to the data breach prior to publication of this article in order to allow them to take down the documents concerned.
A Hackney Council spokesperson said: “The Council has removed the reports from the website and will look into the matter to determine whether any confidential information contained therein can be accessed by the public or not.”
The Hackney Citizen also passed evidence to the Information Commissioner’s Office (ICO), the body responsible for enforcing data protection law in the UK.
A spokesperson for the ICO said: “We will be making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
In a number of cases, copying the content of the documents into word processing software revealed names and contact details. In other cases, anyone with PDF-editing software would have been able to open the council documents and simply remove the redacting marks which the council had placed over personal data.
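A pre-publication check for the failure described above, added here as an illustration and not taken from the article or from the council's own tooling: it reads a PDF page content stream and reports any text that is merely painted over by a later filled rectangle and is therefore still present in the file. The function name `covered_text` and the sample stream are constructed for this example, and the code assumes an already-decompressed stream with literal strings and no coordinate transforms.

```python
import re

# Constructed sample: an uncompressed PDF page content stream in which two lines
# of text are "redacted" only by painting black rectangles over them afterwards.
SAMPLE_STREAM = b"""\
BT /F1 12 Tf 72 720 Td (Representation on a premises licence application) Tj ET
BT /F1 12 Tf 72 700 Td (Name: A. Resident) Tj ET
BT /F1 12 Tf 72 680 Td (Mobile: 07700 900000) Tj ET
0 0 0 rg
70 696 220 16 re f
70 676 220 16 re f
"""

# A literal string "(...)" or any other run of non-space, non-parenthesis bytes.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[^\s()]+")
FILL_OPS = {b"f", b"F", b"f*", b"B", b"B*", b"b", b"b*"}


def covered_text(stream):
    """Return text strings that a later filled rectangle paints over.

    Assumes (simplification): no cm/Tm transforms, text placed with Td and
    shown with Tj, literal strings only.
    """
    texts, rects, pending, operands = [], [], [], []
    pos = (0.0, 0.0)
    for seq, tok in enumerate(TOKEN.findall(stream)):
        if tok[:1] in b"(/+-.0123456789":      # operand: string, name or number
            operands.append(tok)
            continue
        if tok == b"BT":                        # text object starts at the origin
            pos = (0.0, 0.0)
        elif tok == b"Td":                      # move the text position
            pos = (pos[0] + float(operands[-2]), pos[1] + float(operands[-1]))
        elif tok == b"Tj":                      # show a string at that position
            texts.append((seq, pos, operands[-1][1:-1].decode("latin-1")))
        elif tok == b"re":                      # rectangle path: x y w h
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in FILL_OPS:                   # the path is painted as a solid box
            rects += [(seq, r) for r in pending]
            pending = []
        elif tok in (b"n", b"S", b"s"):         # path ended without a fill
            pending = []
        operands = []
    return [s for t_seq, (x, y), s in texts
            if any(r_seq > t_seq and rx <= x <= rx + w and ry <= y <= ry + h
                   for r_seq, (rx, ry, w, h) in rects)]
```

An empty result is what a correctly redacted page should give, because proper redaction removes the text operators themselves and does not just draw over them.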
Hackney Council has previously threatened the Hackney Citizen with an injunction following the publication of a voice recording which, the council alleged, was in breach of the Data Protection Act 1998.