Sensitive personal information of people living in the Welsh county of Ceredigion was compromised after the Ceredigion Council uploaded documents on its website that contained names, addresses and medical conditions of residents.
The presence of such sensitive information on Ceredigion Council’s website was discovered by James Davies of Borth near Aberystwyth who promptly informed the Information Commissioner’s Office about the breach. He had discovered a similar breach on the Council’s website back in 2007, and told the BBC that some of the documents he discovered recently were the same ones he discovered eleven years ago.
“I am concerned that the files could have been publicly available on the council’s website for the intervening 11 years. I am shocked that vulnerable people were still at risk of their data being in the public domain so many years after I originally drew attention to the issue,” he said.
Sensitive documents were uploaded first in 2007
According to Cambrian News, documents published on the Council’s website were part of the council Cabinet agendas and reports for 2004 and 2007 and included “commercial information about leases, land sales and grant applications, as well as personal details of council house allocations and grants for home building work required because of medical reasons”.
“Within the exempt information, six of the reports included personal details of people who had made applications under council-run grant schemes, including grants to enable people with disabilities or health problems to carry out building work on their homes.
“Those six reports include personal details around the applicants’ personal circumstances, with some of the reports including medical details, names, ages and addresses, as well as details of the grants provided and the work that was carried out on properties,” the website added.
Following the disclosure of the breach, Ceredigion Council issued an apology to all affected individuals and said it was putting in place new measures to “improve the system”.
“The council wishes to apologise for this error and there is an ongoing investigation into the exempt information that was available online and measures are being put into place to improve the system. The council has also made a self-referral to the ICO. The outcome of the investigation will be presented to councillors when investigation is complete,” said a Council spokesperson.
The presence of confidential medical records on the Council’s website for all to see attracted the ire of many who criticised the Council for not ensuring the confidentiality of such data.
One for the Guinness Book of Records I think. Documents containing people's names, addresses and medical conditions have been available on Ceredigion Council’s website since 2007 when the breach was first reported. https://t.co/GCvbaQs77m
— Mrs B (@lbinsley) August 30, 2018
— Glyn ap Myfyr (@Welshbeard) August 30, 2018
The news about Ceredigion Council exposing sensitive information of citizens on its website comes just a week after the Perth and Kinross Council leaked email addresses of over 1,000 local landowners one of the Council’s employees sent an email to all of them without masking their email addresses.
There have been many other instances, in the recent past, of local councils exposing personal details of citizens either because of human error on part of employees or due to a lack of cyber security processes. Earlier this year, thousands of children with special needs or in care were rendered vulnerable after their personal details were shared by the Leicester City Council with as many as 27 travel companies.
Last year, the Basildon Council in Essex was fined £150,000 by the Information Commissioner’s Office for disclosing sensitive personal information in a planning application. In the said application, the Council had revealed sensitive personal information about a traveller family which stayed in a green belt zone for several years. Leaked personal details included mental health issues and other disabilities.