The huge data breach, one of several highlighted in a report, led to the council having its knuckles rapped by the Information Commissioner’s Office.
The ICO rebuked the council for a lack of control and overall governance of the automatic number plate recognition system. Officers blamed unauthorised access to an IT system.
The council says access to the system was removed, data controllership of the system was established and a full audit of the system was completed.
Each year the council is required to log and report any security incidents and personal data breaches.
In 2020/21 there were 262 incidents and 109 were classed as personal data breaches. Of these breaches, eight were reported to the ICO.
The report says most of the breaches involved customer personal data and were caused by human error with emails or post being delivered to the wrong person.
The data breaches reported to the ICO
May/June 2020: Due to a paperwork mistake, employers received notifications about benefits paid to their own employee and that of another employer, breaching that individual’s confidentiality.
There were 144 people affected, plus an earlier incident involving business rate debt recovery breached the personal data of 17 sole traders.
The council said the information was disclosed in error. It asked recipients to destroy original letters, people were informed and apologised to and processes were tightened.
The ICO took no further action following several recommendations of good practice.
May 2020: A social worker’s bag was stolen from a car whilst visiting a client, containing mobile phone, tablet, notebook, diary, and daily tasks book.
Extensive measures were taken to contain the incident. The ICO closed the case with no further action and made several recommendations.
June 2020: Information was wrongly published on the council’s website for a committee which considers appeals for school placements, where it remained for 48 hours.
The agenda included confidential documents meant only for those council members on the committee.
Officers retrieved the information and supported the families. The ICO closed the case with no further action but made several recommendations.
August 2020: A member of the public alleged confidential information from council records had been posted to Facebook. The case was not proved and was closed.
August 2020: An officer wrongly posted several diary sheet templates and a compliment slip to the wrong address following a discussion with a tenant about antisocial behaviour. The person was informed, apologised to and processes tightened. The ICO closed the case with recommendations.
August 2020: A member of staff used unauthorised access to IT systems to look at an anti-social behaviour complaint made against them. The ICO closed the case based on actions taken by the council and reiterated good practice.
September 2020: Exam grades were disclosed in a tribunal hearing which were unknown to the student, who was distressed. The ICO closed the case with recommendations.