LewishamNews

Lewisham admits data breach – but downplays impact of exposing contact details of residents

By Robert Firth, Local Democracy Reporter

Personal details of residents who commented on a planning application were published on Lewisham council’s website for almost a year.

The names, addresses and contact details of 156 individuals were uploaded to the local authority’s website for 11 months.

Information about the data breach was disclosed in documents published ahead of a council meeting last Wednesday.

A file containing personal details of residents who had commented on the planning application was uploaded to Lewisham’s website in March 2023, according to a public question about the incident submitted by an individual called Joanne King.

Officials only became aware of the data breach after a member of the public notified the council about it in February this year, according to an answer provided by Councillor Amanda De Ryk, cabinet member for finance.

The council subsequently removed the document containing the residents’ personal details from the website and wrote to those whose details were published.

But Lewisham didn’t inform the Information Commissioner’s Office (ICO), the public body responsible for data privacy, about the incident.

According to Cllr De Ryk’s response, ICO guidance states that the body should only be told about a data breach if it is likely to result in a threat to individuals’ rights and freedoms.

She said that the council had concluded the data published didn’t include ‘special category data’, e.g. details relating to a person’s race, religion, belief, sexual orientation or health.

Cllr De Ryk’s response continued: “In many cases the data breached is already in the public domain (e.g. published on the electoral roll). The data was in the public domain for 11 months without any of the public contacting the council to make us aware of any adverse impact caused by the data breach.

“The council’s data protection officer applied these factors to its breach risk matrix to determine if the breach reached the threshold for notifying the ICO and concluded that it had not.”

The residents whose personal details were published on the council’s website had commented on a planning application relating to Hither Green railway station.

Pictured top: Lewisham council’s headquarters in Catford (Picture: Google Street View)

One thought on “Lewisham admits data breach – but downplays impact of exposing contact details of residents

  • Cllr De Ryk’s response continued: “In many cases the data breached is already in the public domain (e.g. published on the electoral roll).

    This is nonsense. The information in the public domain is now linked to the fact that they commented on the planning application.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.