This month the Information Commissioner’s Office (ICO) reprimanded Clyde Valley Housing Association, a registered provider of social housing, for exposing the personal data of 139 people after the launch of a new online customer portal. To realise the benefits of new systems there needs to be confidence that the systems are being deployed appropriately and lawfully and Tozers can assist you with this process.
Why were Clyde Valley Housing Association reprimanded?
Because they infringed Article 5(1)(f) UK GDPR which requires a data controller to ensure that personal data “is processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
When Clyde Valley Housing Association’s new online customer portal went live in July 2022, a resident logged in and could view personal data about other residents. They reported this, but the report was not escalated, so the data remained viewable on the portal. When the Association sent a mass email encouraging residents to log in, three further reports were escalated and all portal user accounts were locked.
When questioned about the testing plan the Association stated that:
· “The testing plan did not identify any issues with data security and simply tested functionality”; and
· The testing “did not focus on data protection or the possibility of a breach”.
When the portal went live, the Association did not conduct any further testing of the portal to ensure it complied with data protection laws.
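The reprimand contrasts functional testing with testing that focuses on data protection. The added example below (not from the ICO, the Association or Tozers) shows what that difference looks like in code: a portal lookup that "works" for every valid record id passes a functional test, while a cross-account check that tries to read every other resident's record through a given login is what catches the exposure. The resident data, the handler names and the assumption that the exposure arose from a lookup with no ownership check are constructed for illustration; the page does not state the technical cause.

```python
# Constructed sample data: the records a tenant portal might serve.
RESIDENTS = {
    "r-101": {"name": "Resident A", "address": "1 Sample Street"},
    "r-102": {"name": "Resident B", "address": "2 Sample Street"},
    "r-103": {"name": "Resident C", "address": "3 Sample Street"},
}


class Forbidden(Exception):
    """Raised when a logged-in user requests a record that is not theirs."""


def view_resident_functional_only(session_user: str, resident_id: str) -> dict:
    # Hypothetical unhardened handler: the lookup succeeds for any valid id,
    # so a functional test passes, but it never asks whether session_user
    # is allowed to see this record.
    return RESIDENTS[resident_id]


def view_resident_hardened(session_user: str, resident_id: str) -> dict:
    # Ownership check: a resident may only view their own record.
    if session_user != resident_id:
        raise Forbidden(f"{session_user} may not view {resident_id}")
    return RESIDENTS[resident_id]


def find_cross_account_exposures(view) -> list[tuple[str, str]]:
    """Data-protection check: for every login, attempt to read every other
    resident's record and collect the (viewer, target) pairs that succeed.
    An empty list means no resident can see another resident's data."""
    leaks = []
    for viewer in RESIDENTS:
        for target in RESIDENTS:
            if viewer == target:
                continue  # reading your own record is expected to work
            try:
                view(viewer, target)
            except Forbidden:
                continue  # refused, as it should be
            leaks.append((viewer, target))
    return leaks


if __name__ == "__main__":
    for label, handler in [("functional-only", view_resident_functional_only),
                           ("hardened", view_resident_hardened)]:
        leaks = find_cross_account_exposures(handler)
        verdict = f"{len(leaks)} cross-account reads succeeded" if leaks else "no exposure"
        print(f"{label}: {verdict}")
```

Running the check against every pair of accounts, rather than one happy-path login, is what turns "the portal works" into "the portal only shows each resident their own data".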
The full reprimand can be viewed here.
What is the ICO and what does it do?
The ICO is the UK’s largest independent body set up to uphold information rights. It has various enforcement powers, for example:
· Issuing notices that require you to provide certain information.
· Issuing enforcement notices that require you to take, or refrain from taking, particular steps or action.
· Issuing monetary penalties, up to a maximum of £17 million, if you contravene the network and information systems requirements.
Can you challenge a monetary penalty by the ICO?
Yes. If the ICO intend to issue a monetary penalty they will send a notice of intent which you can challenge by sending written representations within a strict timeframe. Time is of the essence when you receive a notice of intent so it is crucial that you seek legal advice without delay.
In December 2023 we acted on behalf of a client who was issued with a notice of intent for over £180,000 as a result of a data breach. We sent written representations which were successful – resulting in the investigation being dropped and the fine waived in its entirety.
What are the key takeaways and how can Tozers help?
The online portal had technical glitches that resulted in a significant invasion of privacy. The ICO recommended that Clyde Valley Housing Association should ensure that rigorous testing focusing on data protection is undertaken before the portal is rolled out in the future, and should review the content of its data protection training to ensure that it is relevant and adequate.
Reprimands and penalty notices are posted publicly by the ICO and can have significant consequences for your business’s reputation. Tozers’ expert data protection team can help you comply with the regulatory framework by:
· Providing advice and guidance.
· Discussing data protection impact assessments and technical and organisational measures to mitigate or manage the risks you identify with new systems.
· Drafting bespoke data protection policies.
· Providing training to staff.
· If the worst happens, providing written representations to the ICO to dispute any penalty notice.
Get in touch today
Lawyers play a crucial role in navigating the complex legal landscape surrounding data protection and the deployment of new systems that process personal data. If you require advice, speak to one of our legal experts today in a no-obligation phone call.