30 June, 2017
A local authority has been fined £150,000 by the Information Commissioner's Office (ICO) for publishing sensitive personal information about a family in online planning documents.
Basildon Borough Council breached the Data Protection Act when it published a statement supporting a householder's planning application for proposed works in a green belt area. The statement contained sensitive personal data relating to a traveller family who had been living on the site for many years, including the names of family members, ages and private medical information.
An inexperienced council officer did not notice the personal information, and published the full statement online without redacting any of the relevant personal data.
Even though the council had a practice of redacting personal data from planning documents, it argued that it was required to include the full contents of any application as part of its local authority planning register, and that it would have been obliged to show the full contents of the planning application and accompanying statement to any member of the public who asked to see it.
The ICO firmly disagreed and reiterated that planning regulations did not override people's fundamental privacy and data protection rights.
In any event, the ICO confirmed that if this was the council's policy, it should have been made clear to applicants, so that they could make informed decisions about what personal and sensitive personal data they wished to adduce in support of their planning application.
All organisations, including local authorities, must ensure that they have appropriate procedures in place to guarantee that personal information is handled and processed in an appropriate manner and in accordance with the Data Protection Act. Organisations should ensure that staff are fully trained and, crucially, that safeguarding procedures are implemented to ensure information is checked before being published online.