Flintshire Council could face legal action over development plan data breach, solicitor warns

A local authority could face legal action after a data breach saw the personal details of dozens of residents published online, a solicitor has warned.

Robert Godfrey said he had been contacted by a number of people impacted after the private information of respondents to Flintshire Council’s Local Development Plan was revealed online in July.

The blueprint sets out locations where up to 7,000 new homes could be built in the county over the next decade and attracted feedback from hundreds of individuals concerned about the potential strain on local services.

When the comments were made public on the authority’s website, it was soon discovered the personal details of some, including their names and contact information, could also be accessed.
Since then they claim to have been contacted and harassed on social media.

The council has apologised to the 66 people affected and referred the incident to the Information Commissioner’s Office.

While the authority said the information watchdog had chosen not to pursue the matter further, Mr Godfrey said he believed anyone impacted by the “serious breach” could have a valid claim for damages.

The head of professional negligence at national law firm Simpson Millar said: “We have had residents contact us who are quite rightly very concerned.

“We are actively working on  potential claims on behalf of people directly affected by this serious breach.

“This is a clear breach of GDPR and data protection rules. The council, by their own admission, were using poor security features to protect confidential information.

“I am confident any person whose details have been accessed could have a valid claim.”

He added: “Some of those affected have had their information published online and been unfairly harassed as a consequence.

“Many will be anxious and fear they will be targeted at home or work in the future.”

He encouraged residents impacted to seek urgent legal advice.

The council has admitted the private details of some people who responded to the consultation were available on a document on its website for three hours.

Despite the data being hidden from view when it was created, officials acknowledged they could have been uncovered “with a conscious effort”.

Members of pressure group Keep Ewloe Green were among those who said their data was accessed and described the breach as “incredibly distressing”.

A senior council official has now stressed the authority dealt with the issue “in a proactive and transparent manner” and urged anyone with outstanding concerns to contact the authority directly.

Gareth Owens, chief governance officer, said: “There was a short window of three hours at the end of July when the names and addresses of 66 respondents to the LDP consultation could be un-redacted by someone minded to do so.

“The council quickly removed the consultation responses, and ensured the redaction could no longer be undone.

“It also contacted all respondents to inform them whether they were within the 66 and issued an apology to those who were.

“The council reported the incident to the Information Commissioner’s Office.

“The ICO has already decided in light of the swift corrective action, the small number of people affected and the low sensitivity of the data that could be uncovered, not to take any further action against the council.”

He added: “The number of enquiries received by the council was limited given the proactive and transparent manner in the matter was addressed.

“Should anyone remain concerned then they are encouraged to contact the council to discuss the incident.”

Flintshire’s LDP is due to be submitted to the Planning Inspectorate by the end of this month, with a public examination set to take place early next year.

Liam Randall – Local Democracy Reporter (more here).