Cheshire West and Chester Council apology after 1,300 private email addresses accidentally shared

Cheshire West and Chester Council  (CWaC) has apologised after more than 1,300 private email addresses were accidentally shared, with at least some of them since having been ‘misused’.

The incident occured when CWaC sent a generic email to 1,326 people in the borough last Friday, advising them of changes to taxi legislation.

But a member of council staff inadvertently failed to use the blind copy function (BCC) to mask all recipient details.  As a result, all email addresses – personal and business – were unintentionally exposed to all recipients in the distribution group.

The council said no other personal data was involved, but in an email seen by the LDRS, the authority warned those affected that at least some of their emails had already been ‘misused’.

The email said: “We do not believe the incident posed any significant risks to individuals in that only email addresses were involved, with the email content itself being generic in nature.

“However, we are aware that a proportion of  the email addresses have been misused by one of the recipients in that they have been used to contact individuals about an unrelated matter.

“As a result of this, that individual would be considered in breach of their own data protection responsibilities not to use data they should not have had access to, and as a result we have taken additional steps to address the issue.”

The email went on to apologise to those affected for any ‘concern or inconvenience’ caused.

It said: “I would like to take this opportunity to apologise for any concern or inconvenience this incident may have caused and assure you that as a service we are taking steps to ensure we address the identified shortcomings in this area.”

A council spokesman told the LDRS that the Information Commissioner’s Office (ICO) – the public body which oversees data privacy – had been informed, but had decided not to take any further action.

The spokesman said: “We reassured them staff have previously received data protection training, and explained the steps we are taking to prevent it happening again in the future.

“The preventative measure we have taken is to recommend that bulk emails of this type are not sent using the standard email system and must now be sent via an approved method. Following assurance of these changes, the ICO has responded to state that no further action will be taken.”

He added: “While we understand incidents such as this may have caused some concern, no additional personal data was involved or put at risk and the ICO agrees with our assessment that the incident poses no risk or detriment.”

Mark Smith – Local Democracy Reporter