Councils apologise for data breach

By Christian Barnett - Local Democracy Reporter

Two councils have apologised for sharing the email addresses of thousands of people on a housing waiting list.

Wychavon District Council and Malvern Hills District Council has “sincerely apologised” for accidentally sharing more than 2,600 email addresses of people on the two council’s housing waiting list when contacting them about how to register for the new system.

One person who received the email but wished to remain anonymous said they were concerned the information could give people the wrong impression about their finances.

“I couldn’t believe that so many personal email addresses had been shared especially with the type of content such as social housing,” they said.

“There could be a potential stigma attached – although there shouldn’t be – but this list gives the wrong type of personal information that they wouldn’t otherwise have. Potentially one could make an assumption about someone’s financial situation, and my email address in particular has my full name, as do quite a few others.”

The council said no other information has been shared and the risk remains ‘low’.

Vic Allison, chief executive at Wychavon and Malvern Hills District Councils, said: “We are aware of an error that took place on August 24 where the e-mail addresses of approximately 2,600 customers were accidentally shared.

“An e-mail was sent to individuals on a housing waiting list informing them of instructions to register on a new software system. This e-mail was sent to contacts across both Wychavon and Malvern Hills and customers would have seen the email addresses from their district.

“Since this was identified, we have risk assessed the situation with the support of our legal team and whilst it is unfortunate that e-mail addresses were shared, there were no other identifiable or personal pieces of information shared and therefore, the risk is low. These e-mail addresses have not been shared anywhere else.

“The error was identified straight away and was reported to our data protection lead who, after seeking guidance from the Information Commissioner’s Office, is providing advice and recommendations on next steps.

“We sincerely apologise for any distress that may have been caused by this mistake and we will do all we can to ensure that mistakes such as this don’t happen again going forward.”