County council apologise for data ‘breach’ over invitation to cyber security event

Chichester's County Hall SUS-160818-125926001
Chichester's County Hall SUS-160818-125926001

West Sussex County Council inadvertently revealed the email addresses of scores of business owners – when inviting them to an event on cyber security.

The council has apologised after its invitation to the ‘Keep Your Business Safe Online’ event was emailed to more than 200 individuals without using the ‘blind carbon copy’ option, used to protect the privacy of recipients.

A spokesman said the error was not significant enough to report as a ‘serious data breach’.

But it came just days after the BBC revealed how the county council was subject to an Information Commissioner’s Office (ICO) investigation after details of at least 1,400 carers, foster carers and disabled people were published online in error.

Referring to the cyber event breach, the spokesman said: “An email invite was sent to email addresses supplied by organisations applying for county council grants. As a result of a complaint, we have taken steps to recall the message. We apologise for any inconvenience this may have caused.

“Where there is a potential breach of data we are required to look at the data itself and the impact a breach of this data could have.

“In this case the data involved was not sensitive as it related to email addresses only. Many were already in the public domain and most were organisational rather than personal.”

The BBC reported that the county council posted details of payments of more than £100 as a matter of course.

Details concerning vulnerable residents and their carers should have been removed, however.

The BBC said some of the information had been online for seven years.

In response, the council’s spokesman said: “As soon as the problem was reported to us, we removed the spreadsheet from the website in under 29 hours.

“Although the spreadsheet contained transaction numbers and payment amounts, the only personal details recorded were names. We would like to reassure residents that the spreadsheet did not contain any sensitive personal data which would put individuals at risk in the event that identification through data matching with alternative sources was carried out.

“We accept that persons seeking to identify individuals could do so in some cases by making additional checks through other data sources. It is for that reason we removed the data.”

Data protection incidents were raised by Rustington Liberal Democrat Dan Purchese during question time at last Friday’s full council meeting.

Bob Lanzer, cabinet member for infrastructure and highways, said he shared his concerns, but explained how the council had taken down the information on the first breach as soon as it was made aware of it.

The council is reviewing its approval processes and how its automatic filters are applied.

He also suggested they could look at a warning message if a large number of addresses are carbon copied on a draft email before sending.

He added: “I do share your concerns and we are acting upon them.”