ICO reprimands Clyde Valley Housing Association for exposing personal information on an online portal

Bethany Paliga

Published: May 23rd, 2024

The Information Commissioner’s Office (ICO) has recently announced its decision to reprimand Clyde Valley Housing Association (CVHA) for what it concluded was an infringement of the data security principle, following the release of CVHA’s new customer online portal in July 2022.

Background

CVHA’s new online customer portal went live on 14 July 2022. That same day, a resident of CVHA logged on to the portal and realised they were able to read information relating to other residents. The resident then rang CVHA’s customer service line to report the incident, informing the customer service advisor that they could see information they didn’t believe they should have access to. It is understood that the customer service advisor who received that call failed to then escalate the resident’s concern. This meant the information remained available to view on the portal.

A few days later, CVHA proceeded to send a mass email to all residents, promoting the new, live online portal. Following this email, CVHA received four reports from residents that they were able to view information relating to others. The ICO confirms that on this occasion, the reports received were correctly escalated and all user accounts were locked, which prevented further logins.

Just over an hour later, access to the online portal was fully suspended.

Findings

Following its investigation, the ICO concluded that CVHA failed to conduct adequate testing prior to the online portal going live, leading to accidental access to personal data, as a result of failing to implement appropriate technical security measures. As a result, CVHA was found to have breached the following provision of the UK GDPR:

  • Article 5(1)(f) – breach of the data security principle, requiring data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)”.

When employees at CVHA were questioned about the testing the online portal had undergone, it was identified that testing focused solely on functionality and did not consider data security or the likelihood of a personal data breach. In addition, no further testing took place once the portal went live to resolve the functionality errors that caused the breach.

Following the breach, technical investigations confirmed that there was a configuration error on a widget which had been made available for residents who had ongoing anti-social behaviour (ASB) cases. This meant that all residents with ongoing ASB cases were able to access all other documents on the portal, linked to ASB. It was identified that 394 data entries linked to ASB were accessible, of which 286 entries contained information capable of identifying individuals, affecting 139 individuals in total. Of those individuals, CVHA indicated that 62 faced a high risk to their rights and freedoms, as a result of the breach.

Overall, the data was accessible for five days, during which time 11 residents logged into the portal and had access to the information.
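To make the failure concrete, the following is an added illustration written for this page; it is not CVHA's portal code and does not come from the ICO's outcome letter. It shows the pattern the findings describe, a lookup scoped to "resident has an ASB case" rather than "resident owns this document", beside a corrected version, together with the functionality-only test that passes for both and the authorisation test that would have flagged the misconfiguration before go-live. The record layout, resident ids and function names are constructed assumptions.

```python
"""Illustration of an access-control misconfiguration of the kind described
above, and of the authorisation check that functionality-only testing misses.

Everything here is constructed for the example: the record layout, the
resident ids and both lookup functions are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str        # resident the document belongs to
    category: str        # e.g. "ASB" or "repairs"
    content: str


# Constructed sample data: three residents, each with at least one ASB record.
DOCUMENTS = [
    Document(1, "resident-A", "ASB", "Complaint lodged by resident A"),
    Document(2, "resident-B", "ASB", "Complaint lodged by resident B"),
    Document(3, "resident-B", "repairs", "Boiler repair for resident B"),
    Document(4, "resident-C", "ASB", "Warning letter to resident C"),
]


def asb_documents_misconfigured(requester_id: str, docs=DOCUMENTS):
    """Widget query that filters on category only. The requester id is
    accepted but never used, so every ASB document is returned to any
    resident the widget is shown to: the widget is scoped to 'has an ASB
    case', not to 'owns this document'."""
    return [d for d in docs if d.category == "ASB"]


def asb_documents_scoped(requester_id: str, docs=DOCUMENTS):
    """Corrected query: ownership is part of the data-access condition
    itself, so the result can never contain another resident's record."""
    return [d for d in docs if d.category == "ASB" and d.owner_id == requester_id]


def functional_test(lookup) -> bool:
    """The only kind of test the portal reportedly had: does a resident
    with an ASB case see their own ASB documents? Both versions pass."""
    seen = {d.doc_id for d in lookup("resident-B")}
    return 2 in seen


def authorisation_test(lookup, docs=DOCUMENTS) -> list:
    """Security test: for every resident, nothing returned may be owned by
    someone else. Returns (requester, leaked doc id) pairs; an empty list
    means the check passed."""
    leaks = []
    for resident in sorted({d.owner_id for d in docs}):
        for d in lookup(resident, docs):
            if d.owner_id != resident:
                leaks.append((resident, d.doc_id))
    return leaks


if __name__ == "__main__":
    for name, fn in (("misconfigured", asb_documents_misconfigured),
                     ("scoped", asb_documents_scoped)):
        print(f"{name}: functional={functional_test(fn)} "
              f"leaks={authorisation_test(fn)}")
```

The point of the pairing is that the functional test is green for both versions, so a test plan built only from functional requirements gives no signal; the authorisation test iterates over every requester and asserts on ownership of what comes back, which is the kind of data-protection-focused testing the ICO says should have been done before the portal went live.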

The ICO confirmed in its outcome letter that it welcomed the remedial actions implemented by CVHA following the breach, which included:

  • working with the company who developed the online portal to identify the root cause of the error;

  • ensuring that a new version of the portal will not be released until the issues are resolved;

  • providing all staff with up to date and relevant data protection training;

  • instructing the 11 individuals identified not to share, copy or make any further use of the data they have had access to.

The reprimand

Notwithstanding the actions identified above, the ICO decided to issue a formal reprimand to CVHA in respect of infringements to Article 5(1)(f) of the UK GDPR.

In justifying its decision, the ICO commented on further actions it believes CVHA can implement to improve its compliance with data protection legislation. These include:

  • ensuring that root cause analysis and rigorous testing are undertaken, with a clear focus on data protection and security, before the online portal is taken live again;

  • conducting a review of the content of data protection training being delivered to staff, to ensure it is relevant and adequate for those receiving it.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation in which the ICO considers that an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR that is not serious enough to attract a fine. They are also commonly issued to public sector organisations as an alternative to a fine, which would have to be paid out of public funds.

From December 2022, the ICO announced it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

In addition, CVHA’s reprimand makes clear that if the ICO has future grounds to suspect that CVHA is not complying with its obligations under data protection legislation, any failure by CVHA to rectify the infringements set out in the reprimand may be taken into account as an aggravating factor in deciding whether to take future enforcement action.

Conclusion

This reprimand serves as a reminder to all registered providers (RPs) that, when introducing new methods of handling information and/or new technologies, data protection and security must remain a primary concern, particularly given the volume of sensitive data RPs routinely access in performing their functions. RPs should continually assess their obligation to conduct a Data Protection Impact Assessment (DPIA) before introducing new technologies and new ways of handling personal data. Even where a DPIA is not considered necessary, RPs should give full consideration to data security risks before introduction, including thorough stress testing and breach simulation, to ensure compliance with the data security principle and the ‘data protection by design and default’ approach.

Alongside this, RPs need to ensure that they deliver appropriate, routine data protection training, taking into account the level of data protection responsibility and awareness required in roles across the organisation. By adopting a transparent, clear approach to data protection, security and the associated policies and procedures, RPs reduce the prospect of criticism from the ICO for a lack of data protection awareness following a breach. Similarly, appropriate, role-specific training ensures that data security concerns are identified and managed quickly and effectively, generally limiting the harm to individuals following a breach.

We are happy to support RPs who are looking to discuss or assess their approach to data protection by design and default and/or routine training, with a view to identifying practical and simple solutions for ensuring compliance going forward.

For further information please contact Bethany Paliga
