The Information Commissioner’s Office (ICO) has issued a reprimand to a housing charity after finding that the charity had left residents’ personal details accessible online for five days.
Clyde Valley Housing Association (CVHA) in Lanarkshire, Scotland, launched an online customer portal in 2022 and a resident discovered on the first day that they could view personal information about other residents, including names, addresses and dates of birth.
Documents related to anti-social behaviour cases were also available through the portal, the ICO said.
The resident called a customer service advisor at the charity to flag the breach, but their concerns were not escalated, and the personal information remained accessible for five days.
Following a mass email to residents promoting the portal, four more residents reported the same breach, and the system was suspended.
The ICO found that the charity failed to test the portal appropriately before it went live and staff were not clear on the procedure to escalate a data breach.
It recommended that CVHA ensure it complies with data protection law by carrying out rigorous, data-protection-focused testing before rolling out any future portal.
The ICO also urged the charity to review its data protection training to ensure it is relevant and adequate for its staff.
A spokesperson for CVHA said: “We take the handling of customers’ data very seriously and apologise for this error.
“We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”
ICO: ‘Breach was the result of a clear oversight’
Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information.
“This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.
“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained.
“We will take action when people’s personal information is not protected.”