News release: 19 July 2011
Lancashire Police Authority breached the Data Protection Act by accidentally publishing details of an individual’s complaint on their website, the Information Commissioner’s Office (ICO) said today.
The details were disclosed after the authority failed to redact the information, which was marked as restricted, from two documents before they were published online. The authority also failed to remove the information after the complainant made them aware of the breach on 24 January. This meant that the information was available online for a further four days before it was removed.
The ICO has now ordered the authority to make sure that any information due for release on the authority’s website is checked and correctly redacted before it is made available. The authority has also agreed to introduce a new policy for staff which explains the actions they must take when informed of a possible data breach.
Director of Operations, Simon Entwisle, said:
“While it is important that public authorities are transparent about the work they do by publishing information online, this should never be at the expense of an individual’s rights to privacy. There can be no excuse for publishing someone’s personal information online, and the fact that the Authority failed to remove it when told makes this case all the more concerning.
“We are pleased that Lancashire Police Authority will now make sure any documents due for release are properly checked by suitably trained staff. This case should act as a warning to all public authorities that information security must be seen as a priority across the organisation.”
Miranda Carruthers-Watt, Chief Executive of Lancashire Police Authority, has signed an undertaking to ensure that procedures are introduced to make sure that all minutes and agendas are quality assured by an appropriate member of staff prior to being published on the authority’s website. The authority will also develop a policy for staff explaining the actions they should take when receiving notice of a data breach as well as providing appropriate training and support on how to follow it.
Notes to Editors
The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
Contact our press office on 0303 123 9070 and at ico.gov.uk/press