The Information Commissioner's Office (ICO) has found the Lancashire Police Authority in breach of the Data Protection Act after it accidentally published restricted personal data online.
The personal data was related to an individual’s complaint, and was marked restricted in two agenda documents. However, the police authority failed to redact the restricted information before publishing the documents online.
Despite being alerted to the breach by the complainant on 24 January 2011, the authority also failed to remove the information for a further four days.
On investigation into the incident, it was discovered that the breach occurred because of the incorrect use of a relatively new system for publishing the agenda packs online.
The ICO said that this suggested that not enough training was provided for users prior to the system going live, and that Lancashire Police did not have the appropriate checks and controls in place around the publication of agendas and minutes.
Lancashire Police has now been ordered to ensure that information due for publication on its website is checked and correctly redacted before it is made available. It will also introduce a new policy for staff to explain what they have to do when informed of a possible data breach.
Simon Entwisle, director of operations at the ICO, said: “While it is important that public authorities are transparent about the work they do by publishing information online, this should never be at the expense of an individual’s rights to privacy.
“This case should act as a warning to all public authorities that information security must be seen as a priority across the organisation.”