Flintshire Council apologises to those affected by serious data breach and refers itself to Information Commissioner

Flintshire Council has apologised after the personal details of ‘small number’ of respondents to a major housing blueprint were made public.

Personal details of people who responded to a consultation were uploaded to the Local Development Plan (LDP) section on the council’s website.

According to the council, “a summary of each comment made was provided along with a link to the original representation but all personal details were hidden from public view – through ‘redaction’.

The council said a “conscious effort” was made to remove that protection by someone accessing its website.

The LDP, a key housing blueprint for Flintshire sets out locations where up to 7,000 new homes could be built in the county over the next decade whilst protecting key green spaces and parks from development.

Councillors agreed to put the LDP out to consultation in July last year.

Since then the council’s Planning Policy Service has been working remotely due to the coronavirus outbreak which has delayed the progress of the LDP.

Without an LDP in place, the community loses some protection against development.

A spokesperson for the Keep Ewloe Green Group, who are fighting against proposals for development in Ewloe, told the Local Democracy Reporter Service: “We are truly disgusted at the incompetence shown yet again by Flintshire County Council.

“All of our personal details, including our addresses, mobile phone numbers and even our places of work have been made publicly available for all to see.

“This is incredibly distressing, especially when dealing with an issue that is so locally sensitive.

“I truly now fear for the safety of many residents, in regard to the content of their comments on the LDP, whether in support or objection.”

The council says it takes the “security of personal information extremely seriously” and has notified all those affected.

It has also referred itself to the Information Commissioner’s Office, Gareth Owens, Chief Officer Governance said;

Once the risk became known the documents were immediately removed from the website. This was done in less than three hours from when they were made publicly available. During that limited time, most of the individual comments posted on the website received no or a low number of ‘hits’.

Having checked our website visitor records we can see that only a few people accessed the document in this short period. Once we became aware of the problem we acted swiftly to correct the document and to prevent further access to the personal data.

As a responsible public body we take the issue of the security of personal information extremely seriously and have notified those individuals whose details were included in the document. We have also informed the Information Commissioner’s Office, with whom we maintain a positive and trusting working relationship and will cooperate fully should they investigate.

The Council is also aware that personal details of a number of individuals have been posted online by those who may have obtained it, or others. Those people targeted have already been contacted by the Council. We believe the republishing of this material is illegal and have provided evidence of the alleged offence to the Information Commissioner’s Office.

We apologise to all affected by this incident. The software used to protect these details was not adequate, and more robust software has already been sourced to ensure the redacted information is securely protected when the documents are re-published shortly.

Any new redacted documents will also be published under the new protection measures that have been put in place.