Data breach: Sheffield Council reprimanded after 8.6 million vehicle number plates were shared on the internet

Sheffield Council has been reprimanded after data about 8.6 million number plates – plus associated dates, times and location of vehicles – was put on the internet.
Watch more of our videos on Shots! 
and live on Freeview channel 276
Visit Shots! now

The huge data breach, one of several highlighted in a report, led to the council having its knuckles rapped by the Information Commissioner’s Office.

The ICO rebuked the council for a lack of control and overall governance of the automatic number plate recognition system. Officers blamed unauthorised access to an IT system.

Read More
Politics is a Funny Business – a brand new podcast for Sheffield
Sheffield Council has revealed data breaches which led to investigations by the Information Commissioner's Office including sharing 8.6m number plates on the internetSheffield Council has revealed data breaches which led to investigations by the Information Commissioner's Office including sharing 8.6m number plates on the internet
Sheffield Council has revealed data breaches which led to investigations by the Information Commissioner's Office including sharing 8.6m number plates on the internet
Hide Ad
Hide Ad

The council says access to the system was removed, data controllership of the system was established and a full audit of the system was completed.

Each year the council is required to log and report any security incidents and personal data breaches.

In 2020/21 there were 262 incidents and 109 were classed as personal data breaches. Of these breaches, eight were reported to the ICO.

The report says most of the breaches involved customer personal data and were caused by human error with emails or post being delivered to the wrong person.

The data breaches reported to the ICO

Hide Ad
Hide Ad

May/June 2020: Due to a paperwork mistake, employers received notifications about benefits paid to their own employee and that of another employer, breaching that individual’s confidentiality.

There were 144 people affected, plus an earlier incident involving business rate debt recovery breached the personal data of 17 sole traders.

The council said the information was disclosed in error. It asked recipients to destroy original letters, people were informed and apologised to and processes were tightened.

The ICO took no further action following several recommendations of good practice.

Hide Ad
Hide Ad

May 2020: A social worker’s bag was stolen from a car whilst visiting a client, containing mobile phone, tablet, notebook, diary, and daily tasks book.

Extensive measures were taken to contain the incident. The ICO closed the case with no further action and made several recommendations.

June 2020: Information was wrongly published on the council’s website for a committee which considers appeals for school placements, where it remained for 48 hours.

The agenda included confidential documents meant only for those council members on the committee.

Hide Ad
Hide Ad

Officers retrieved the information and supported the families. The ICO closed the case with no further action but made several recommendations.

August 2020: A member of the public alleged confidential information from council records had been posted to Facebook. The case was not proved and was closed.

August 2020: An officer wrongly posted several diary sheet templates and a compliment slip to the wrong address following a discussion with a tenant about antisocial behaviour. The person was informed, apologised to and processes tightened. The ICO closed the case with recommendations.

August 2020: A member of staff used unauthorised access to IT systems to look at an anti-social behaviour complaint made against them. The ICO closed the case based on actions taken by the council and reiterated good practice.

September 2020: Exam grades were disclosed in a tribunal hearing which were unknown to the student, who was distressed. The ICO closed the case with recommendations.