You are viewing 1 of your 1 free articles
A housing association has been reprimanded by the Information Commissioner’s Office (ICO) after it exposed hundreds of residents’ personal information on its online customer portal.
The data protection regulator said that Clyde Valley Housing Association in Lanarkshire made a “clear oversight” by failing to test the portal appropriately before it went live.
On the day the portal launched in July 2022, a resident of the 3,000-home housing association discovered that they could access documents related to anti-social behaviour (ASB) cases and view personal information about other residents, including names, addresses and dates of birth.
The resident called a customer service advisor at Clyde Valley to flag the breach, but their concerns were not escalated, and the personal information remained accessible for five days.
Following a mass email to residents promoting the portal, four more residents reported the same breach, and the new system was suspended.
It emerged that there was an error with a widget available for residents with ongoing ASB cases to access all other documents on the portal. A total of 394 data entries linked to ASB were accessible, and of those 286 contained sufficient information to identify data subjects.
Although the data was viewable for five days, Clyde Valley confirmed that only 11 residents logged into the portal at the time the data was available.
The ICO’s investigation also found that staff were not clear on the procedure to escalate a data breach.
It recommended that Clyde Valley should ensure “rigorous testing” is undertaken that focuses on data protection prior to the roll-out of a portal in the future. In addition, the landlord should review its data protection training.
Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information.
“This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.
“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained. We will take action when people’s personal information is not protected.”
A spokesperson for Clyde Valley Housing Association said: “We take the handling of customers’ data very seriously and apologise for this error.
“We have worked very closely with the ICO to review our processes to ensure that this issue cannot be repeated.”
The ICO published advice at the end of last year to help housing associations comply with data protection law.
Already have an account? Click here to manage your newsletters