“Incompetent” council leaks details of students with special educational needs

"Incompetent" council leaks details of students with special educational needs

The good news: Central Bedfordshire Council in the UK responded to a Freedom of Information (FOI) request from parents campaigning for their children with special educational needs (SEND).

The bad news: Central Bedfordshire Council failed to properly redact the details of ‘dozens and dozens’ of pupils with special educational needs, publishing them on a public website.

Oh dear oh dear. Who needs hackers, eh? All you have to do is make a Freedom of Information Request…

Sign up to our free newsletter.
Security news, advice, and tips.

Campaigners for the Central Bedfordshire SEND Action Group were reportedly unimpressed:

Campaigners released a statement saying: “We were extremely concerned, yet unsurprised to learn about the data breach. It is the latest in a long history of incompetence and disregard for the law in relation to SEND families.

“This catastrophic mistake poses a particular safeguarding risk to fostered and adopted children and demonstrates the ongoing culture of negligence toward SEND children that has been ingrained at CBC for at least a decade.”

Central Bedfordshire Council apologised for the goof, and said it had reported the incident to the Information Commissioner’s Office. It also said it would be making changes to its procedures to avoid a repeat of the incident in the future.

Hopefully some appropriate staff training about the importance of protecting the private personal information of individuals will be one of the enhancements the council makes.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on ““Incompetent” council leaks details of students with special educational needs”

  1. Martin

    I can report something similar. I requested by SAR some medical data for my Mum which I did with full consents from her and as her officially registered carer. When the GP disclosed the data, they'd decided that references to me as her carer were third party data so they redacted them by putting a thin, black biro line through them.

    There were some issues with this:-
    1) I don't think there is an issue with disclosing my own personal data to me.
    2) The context in which my data was included in Mum's records made it easily identifiable to me anyway.
    3) The black line was so thin, you could still read everything anyway.
    4) Oh and did I mention, took them 5 months to disclose it which earned them a breach from the ICO?

    Some organisations just haven't got the hang of this stuff !!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.