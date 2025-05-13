Bedford Borough Council, Image: LDRS

Bedford Borough Council has altered a set of publicly published spending data after mistakenly including personal names.

Sign up to our daily newsletter Sign up Thank you for signing up! Did you know with an ad-lite subscription to Bedford Today, you get 70% fewer ads while viewing the news that matters to you. Learn More Sorry, there seem to be some issues. Please try again later. Submitting...

But the council said it has decided not to report the incident to the Information Commissioner’s Office (ICO).

The four payments for storage facilities were recorded in the April 2021 procurement purchase cards file, published under the Local Government Transparency Code.

Advertisement Hide Ad

Advertisement Hide Ad

Councils can offer storage for residents requiring temporary accommodation, and these payments initially named three individuals.

The council has not commented on whether these individuals were council employees or residents receiving support.

After being contacted by the Local Democracy Reporting Service (LDRS), the council removed the four payments, but without any accompanying note to indicate that the published file was incomplete.

The council later republished the dataset with the payments for storage restored, but with the names removed.

Advertisement Hide Ad

Advertisement Hide Ad

The LDRS asked the council why it didn’t add a note explaining the removed payments while they were missing.

Its webpage claims “This page displays links to files detailing all payments to suppliers made by procurement purchase card”.

A council spokesperson said: “We are reviewing these records to ensure that the correct and appropriate data has been published.

“Any records which need to be modified will be re-uploaded at the earliest opportunity.

Advertisement Hide Ad

Advertisement Hide Ad

“The information is published as part of the council’s commitment to transparency.

“An organisation must report a data breach to the Information Commissioner’s Office (ICO) without undue delay, and where feasible, within 72 hours of becoming aware of the breach.

“This reporting requirement applies if the breach is likely to pose a high risk to the rights and freedoms of individuals, or if it involves sensitive personal data.”

“As the data that was published only contained the first names and surnames and, in some circumstances, only the first initial and surname, the breach does not meet the threshold for reporting to the ICO.”

Advertisement Hide Ad

Advertisement Hide Ad

The three names the LDRS found all included the first name and surname.

Richard Hancock, data protection officer, GMO GlobalSign, said: “Everybody understands that mistakes do happen, it’s how you deal with those mistakes that is a key differentiator.

“Articles 33 and 34 [of the General Data Protection (GDPR) Regulation] makes it very clear that where there is a risk to the rights and freedoms of data subjects then notification of such breach must be made to a supervisory body (the ICO in this case) and the data subject respectively.

“Had the data been encrypted, pseudonymised or masked in some other way then there would be less risk.

Advertisement Hide Ad

Advertisement Hide Ad

“However, it wasn’t and therefore there is indeed a high risk to the individuals concerned.

“The right thing to do here is to inform all affected data subjects assuring them that remedial actions have been implemented and to self-report the event to the ICO with all relevant information.

“They can then make an informed decision as to the next steps, whether that be enforcement action or more of an advisory response.

“These actions also fulfil the council, as data controller, obligations for transparency in their processing,” he said.

The ICO doesn’t comment on individual cases, however, it said that not all breaches have to be reported, but organisations are expected to assess the risk.