Council discloses personal data inappropriately

Portsmouth City Council, when responding to a subject access request, provided sensitive health information about another individual to the requestor.

Under data protection laws, individuals have a right to ask companies and organisations for access to all personal data held about them. In responding to such requests, companies and organisations must ensure that any information relating to anyone other than the requesting party is not disclosed, by redacting this information.

Portsmouth City Council did not carry out this process, which resulted in information about the health of a third party being disclosed to the requesting individual.

The Council informed the Information Commissioner’s Office (“ICO”) of this error, and the ICO carried out an investigation. It found that the individual who handled the subject access request was neither an employee of the Council nor contracted to provide such services to the Council. The training provided about how to deal with subject access requests was found to be inadequate, and the Council has entered into a formal undertaking with the ICO.

Through the undertaking, the Council agrees to ensure that all relevant staff are fully trained in how to handle subject access requests and that checks are put in place to ensure that third-party data is dealt with in accordance with the Data Protection Act. The Council has also agreed that in future, any individuals tasked with redacting material from subject access requests will either be employed by the Council directly, or otherwise enter into a formal contract to provide this service.
