The good news: Central Bedfordshire Council in the UK responded to a Freedom of Information (FOI) request from parents campaigning for their children with special educational needs (SEND).
The bad news: Central Bedfordshire Council failed to properly redact the details of ‘dozens and dozens’ of pupils with special educational needs, publishing them on a public website.
Oh dear, oh dear. Who needs hackers, eh? All you have to do is make a Freedom of Information request…
Campaigners for the Central Bedfordshire SEND Action Group were reportedly unimpressed:
Campaigners released a statement saying: “We were extremely concerned, yet unsurprised to learn about the data breach. It is the latest in a long history of incompetence and disregard for the law in relation to SEND families.
“This catastrophic mistake poses a particular safeguarding risk to fostered and adopted children and demonstrates the ongoing culture of negligence toward SEND children that has been ingrained at CBC for at least a decade.”
Central Bedfordshire Council apologised for the goof, and said it had reported the incident to the Information Commissioner’s Office. It also said it would be making changes to its procedures to avoid a repeat of the incident in the future.
Hopefully some appropriate staff training about the importance of protecting the private personal information of individuals will be one of the enhancements the council makes.
I can report something similar. I requested by SAR some medical data for my Mum which I did with full consents from her and as her officially registered carer. When the GP disclosed the data, they'd decided that references to me as her carer were third party data so they redacted them by putting a thin, black biro line through them.
There were some issues with this:
1) I don't think there is an issue with disclosing my own personal data to me.
2) The context in which my data was included in Mum's records made it easily identifiable to me anyway.
3) The black line was so thin, you could still read everything anyway.
4) Oh, and did I mention it took them 5 months to disclose it, which earned them a breach from the ICO?
Some organisations just haven't got the hang of this stuff!!