A data protection breach by Central Bedfordshire Council in which the names of special educational needs and disabilities (SEND) children were published on a public website was “a complete failure of process”, a meeting heard.
The local authority could face a significant fine after the names of dozens of SEND children were included in a response to a parent’s question in an email.
The inquiry asking the council to provide the number of SEND children without school places for this September led to council officers posting a list of the names on the public website whatdotheyknow.com.
Independent Ampthill councillor Mark Smith raised the issue at CBC’s annual meeting.
“The council suffered a major data breach on Monday (May 9) by publishing these children’s names online potentially putting them at risk,” he explained.
“What measures have been taken to address this breach and to ensure this doesn’t happen again?”
Council leader and Conservative Arlesey councillor Richard Wenham replied: “We all agree it’s an urgent question because this is a very regrettable general data protection regulation (GDPR) issue.
“The data containing the names of a number of children were released under a freedom of information request (FOI).
“I would like to thank those who noticed this straight away and brought it to the council’s attention enabling this information to be removed as quickly as possible.
“The council is extremely sorry and has issued a full apology, as well as taking steps to individually contact any parent or carer of a child whose name was published.
“CBC has immediately put extra checks in place. An internal review is in progress to look at all our procedures in this area, including the content and frequency of training for officers.
“The incident was reported speedily to the information commissioner’s office (ICO). As you’d all expect the council will be fully supporting any investigation. CBC will quickly implement any and all recommendations coming from the ICO.”
Councillor Smith added: “I wonder if you’re aware that the email which went out to a certain number of parents compounded this error because it contained the Christian names of different children to the person it was being sent to. I wonder if you could look into that.
“I also want to raise the point I found staggering in the message we were sent out after this breach that this went through two sets of officers.
“The FOI request clearly stated the (parent) wanted statistics, not the names of these children. I find it amazing that our system failed so badly, to go through two sets of officers, a complete failure of process.
“I would like to see measures put in place and that we’re kept informed about this. We’re always reminded we shouldn’t reveal the details of individuals. This is an appalling breach of GDPR.”
Councillor Wenham said: “We were all shocked to see this information released. It would be premature to prejudge the outcome of either the internal review into process or the ICO, if it decides to proceed with an inquiry.
“Additional checks are in place and any recommendations which come out will be speedily implemented, and I imagine will go through due process, including scrutiny.”