Planning application

Council fined for data breach in planning documents

Basildon Borough Council has been fined £150,000 for publishing sensitive personal information in planning application documents.

An Information Commissioner’s Office (ICO) investigation found that on 16th July 2015, the council received a written statement in support of a householder’s planning application for proposed works in a green belt.

This statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years, including their disability requirements, ages and names.

The council then published the statement in full on its planning portal that same day, without first redacting the personal data.

“This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available,” said Sally Anne Poole, enforcement officer at the ICO.

“Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable.”

The investigation revealed that the error was due to failings in data protection procedures and training.

An inexperienced council officer had not noticed the personal information in the statement and there was no procedure in place for a second person to check the document prior to publication.

The information was only removed on 4th September 2015, when the concerns came to light.

Basildon Borough Council argued that planning law had prevented it from redacting personal data, despite ICO claims that it had done so routinely.

The ICO claimed the practice has also been widely adopted by other local authorities.

ICO rejected the council’s view on the basis that planning regulations could not override people’s fundamental privacy and data protection rights.

It said that publication of planning documents online was a choice rather than a legal requirement.

“Data protection law is clear and planning regulations don’t remove an individual’s rights,” added Sally.

“Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people’s sensitive personal information is protected.”

Leave a comment