Cornwall Council data breach involving children's details 'quite unacceptable', parent says
The local authority has issued a statement and apologised to families
Last updated 12th May 2022
A parent whose child’s personal information was published online by Cornwall Council in a data breach has strongly criticised the authority.
The council has apologised for the breach which saw five children’s names, addresses and dates of birth as well as their parents’ personal contact details published online.
The council has also referred itself to the Information Commissioner’s Office (ICO) and said that it will cooperate with any investigation.
The error happened on Monday when documents for school transport appeals were published online erroneously.
Among the documents were an Education Health and Care Plan (EHCP) for one child and also a teenager’s personal mobile telephone number and email address.
The slip-up was spotted by the Local Democracy Reporting Service (LDRS) which alerted the council on Monday afternoon.
Parents of one child call breach "quite unacceptable"
However, one of the parents whose child’s details were leaked said that the first she heard of it was when the LDRS got in contact with her about it the following day.
The parent, who has asked not to be identified, said: "The first I heard of the GDPR breach was from your email which I forwarded onto my husband. Cornwall Council did send each of us an email regarding the breach which, in my case, had a receipt time stamp of 15.20 hrs and in the case of my husband 14.20 hrs.
"I am sure that you can imagine our shock at the details of a minor, our personal contact information and the full details of the appeal being published.
"It is quite unacceptable that such a situation could have occurred and would appear to demonstrate a certain level of negligence at Cornwall Council.
"As you are aware, in this digital age, such occurrences can have serious unexpected consequences".
The couple said that they would be speaking with Cornwall Council directly to discuss the issue.
Cornwall Council offers "full apology" to families affected
In a statement about the breach Cornwall Council said: "As soon as the council became aware, the information was removed from the website and the families concerned were informed and offered a full apology.
"The council has notified the Information Commissioner’s Office and will fully cooperate with any formal investigation.
"Cornwall Council takes its compliance with data protection requirements extremely seriously. No loss of control of data is acceptable and the council is clear that when this happens staff must immediately report it.
"Every incident of data loss is treated extremely seriously and thoroughly investigated to minimise any possible harm and to find ways of preventing it happening again. Procedures are regularly reviewed and changed in order to reduce the risk of data loss.
"We always work to minimise the likelihood of such losses occurring. For example, we regularly raise awareness amongst staff and councillors through formal training and publicity campaigns.
"In addition, all staff are required to read and agree to key information security policies, so they are aware of their duty to protect the information in their care.
"All council laptop computers and memory sticks are encrypted so that if they are lost their contents cannot be accessed".