ICO reprimands housing charity for exposing personal information

22 Apr 2024 News

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) has issued a reprimand to a housing charity after it found that it made residents’ personal details accessible online for five days.

Clyde Valley Housing Association (CVHA) in Lanarkshire, Scotland, launched an online customer portal in 2022 and a resident discovered on the first day that they could view personal information about other residents, including names, addresses and dates of birth.

Documents related to anti-social behaviour cases were also available through the portal, the ICO said.

The resident called a customer service advisor at the charity to flag the breach, but their concerns were not escalated, and the personal information remained accessible for five days.

Following a mass email to residents promoting the portal, four more residents reported the same breach, and the system was suspended.

The ICO found that the charity failed to test the portal appropriately before it went live and staff were not clear on the procedure to escalate a data breach.

It recommended that CVHA should ensure it complies with data protection law by undertaking rigorous testing that focuses on data protection prior to the rollout of a portal in the future.

The ICO also urged the charity to review its data protection training to ensure it is relevant and adequate for its staff.

A spokesperson for CVHA said: “We take the handling of customers’ data very seriously and apologise for this error.

“We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”

ICO: ‘Breach was the result of a clear oversight’

Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information.

“This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.

“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained.

“We will take action when people’s personal information is not protected.”

For more news, interviews, opinion and analysis about charities and the voluntary sector, sign up to receive the free Civil Society daily news bulletin here.

ICO reprimands housing charity for exposing personal information

ICO: ‘Breach was the result of a clear oversight’

Related Articles

ICO orders Penny Appeal to stop sending unsolicited texts

ICO fines charity £25,000 over ‘negligent’ approach to data protection

ICO clarifies best practice for data sharing in charities

More on

Rob Preston

Charities minister responds as MP proposes right to paid volunteering leave

Labour MPs far less likely than Tories to see charities as ‘too political’, research finds

Young people hear about causes from influencers more than charities, report says

Royal Opera House unveils new name

Podcast interview: What could a general election mean for charities?

Guide Dogs UK plans 160 redundancies after costs ‘rise considerably’

Big charities have become ‘mirror images of the state’, says Paul Streets

Irish homelessness charity targeted in ransomware attack

Charities failing to prioritise class diversity of employees, report says

ICO fines YMCA branch £7,500 for revealing sensitive data of people living with HIV

Search

Browse

Topics

Communications

Finance

Fundraising

Governance & Leadership

Policy & politics

Technology

The Charity Awards