Significant data breach during Council procurement exercise

Details of “hundreds, potentially thousands” of vulnerable people, including children, have been emailed to taxi firms who responded to a Council tender notice for vulnerable adults and children in care.

The 23MB spreadsheet was e-mailed by officers of Leicester City Council’s Passenger and Transport Services Team (PATS) earlier this month to 27 taxi companies who had expressed an interest in the Council’s procurement exercise.

Despite the magnitude of the data breach, it took over 24 hours before a recall email was issued by the Council alerting recipients to the error and warning that any unauthorised disclosure or copying of the information would constitute a breach of the Data Protection Act.

The Council has now referred itself to the Information Commissioner’s Office for investigation and, if the experience of others is anything to go by, may face significant enforcement action by the ICO, including a civil financial penalty.

The events in Leicester are a timely, if unfortunate, reminder that, whilst attention may be focussed on preparing for the entry into force of the General Data Protection Regulation (GDPR), data protection basics must continue to be observed, and that a public procurement exercise, with all its attendant emphasis on openness and transparency, does not obviate the need to continue to apply legislative requirements about the protection of sensitive personal information.

Original sources –

BBC Leicester

Leicester Mercury