Bristol City Council Data Breach Revealed Names Of Disabled Children

Whistleblower leak keyboard security breach © CarpathianPrince Shutterstock

Mass email from the council contained the names and email addresses of children with special educational needs and disabilities

Bristol City Council has suffered a damaging data breach and the Information Commissioner’s Office (ICO) has been informed.

Earlier this week, the council sent out a mass email to hundreds of people, as part of a consultation asking for people to take part in a survey about a new support service.

The only problem was the names and email addresses of hundreds of children who are either disabled or have special educational needs, was visible to all recipients.

Mass email

The email has been seen by the BBC, which reported that the email had been sent by the disabled children and specialist services department of the council on Monday morning, 23 November.

A parent, who wished to remain anonymous, and who received one of the emails, told the BBC it was “a fundamental breach of trust and data.”

“It really signifies the disdain that they have for families with disabled children,” the parent reportedly said. “It’s such a lack of concern for us. I feel this really exemplifies their indifference to the plight of disabled children in Bristol.”

According to the parent, there were 487 names of children and their carers visible on the email she received, and those names were all between “H and L” alphabetically, “so there will be a lot more.”

“Ironically, it’s about a survey that they want us to fill in to tell them how they can improve their services,” she reportedly said. “It’s very difficult to put into words how ridiculous and unnecessary it is.”

And it seems that council has realised the mistake, which could potential involve a hefty fine from the ICO.

“We are aware a breach of the General Data Protection Regulation (GDPR) has occurred and we have been in contact with those affected and have apologised,” a Bristol City Council spokesman told the BCC.

“This case has been referred to the Information Commissioner’s Office (ICO) and we will comply fully with their protocol,” he added. “Following a personal data breach an investigation is carried out into the causes.”

The problem stems from the fact that the email’s recipient list was not hidden on the mass email.

The council has reportedly apologised to parents and asked everyone who received the email to delete it.

Council fines

The ICO has a record of handing out stiff penalties to councils for data breaches over the past decade.

In 2011 the ICO imposed a penalty of £120,000 on Surrey County Council for disclosing individuals’ personal data on three separate occasions.

Also in 2011 Ealing and Hounslow Councils lost laptops that contained sensitive personal data. The ICO fined Ealing Council with a £80,000 fine, whereas Hounslow Council was fined £70,000.

In 2012 Stoke-on-Trent City Council was ordered by the ICO to cough up £120,000 after a “serious breach” that saw sensitive information on a child protection legal case, being emailed to the wrong person back in December 2011.

That same year the ICO also fined Cheshire East Council £80,000 for failing to have adequate security measures in place when emailing personal information.

Also in 2012 the ICO fined Telford and Wrekin Council with a £90,000 fine, for two data breaches, involving staff working in Safeguarding Services disclosing sensitive information of vulnerable children.

Then in 2013 the ICO fined the North East Lincolnshire Council £80,000, after a teacher in 2011 lost a memory stick with information about hundreds of children with special educational needs.

In 2017 the ICO fined Basildon Council £150,000 for publishing the personal information of a family online.

Also in 2017 the ICO fined Gloucester City Council £100,000 for leaving sensitive personal information open to attack.