Privacy watchdog the Information Commissioner’s Office (ICO) has been busy again, this time fining Islington Council for exposing citizens’ personal data via a parking system website.
The London borough was fined £70,000 following issues with its Ticket Viewer system, which allows people accused of parking offences to view the offence via CCTV footage.
A fault in the system’s design meant 89,000 people were at risk of having their personal information accessed by others. In some cases, this included highly sensitive medical details related to appeals, the ICO claimed.
A member of the public first brought the issue to light, informing the council that by changing the URL, anyone could access system folders containing personal data.
After investigating, it found there had been unauthorized access to 119 documents 235 times from 36 unique IP addresses, affecting 71 people, the ICO revealed.
The watchdog claimed Islington Council should have tested the system thoroughly before it went live and then regularly after that, as per best practice.
“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that,” said ICO enforcement manager, Sally Anne Poole.
“Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”
The ICO used the announcement to remind local authorities that much work still lies ahead in preparing for the forthcoming EU General Data Protection Regulation when it comes into force in May 2018.
The new law would have required Islington Council conduct a comprehensive privacy impact assessment before launching the Ticket Viewer system.
Fines under the new regime could go far higher than the current maximum of £500,000 which the ICO is able to levy; up to 4% of global annual turnover or €20m (£17m), whichever is higher.