Scottish council accidentally published personal data
Contravening the Data Protection Act, in a mistaken response to a Freedom of Information (FoI) request, Dumfries and Galloway Council released personal information about 887 of its current and former staff, including names, salaries and dates of birth. The information was available online in a spreadsheet for more than two months from 21 March to 1 June, when a complaint was received by the council from a trade union; complaints were also made to the Information Commissioner's Office (ICO) by some affected individuals.
In its news release, the ICO stated that the council had "commissioned an external audit of its procedures for responding to information requests and has said it will address any procedural weaknesses uncovered during the audit by January 2012". The council will also ensure that it complies with the Data Protection Act concerning personal data by introducing appropriate checks. The details of these commitments by the council are included in an undertaking published by the ICO.
The ICO release quoted Ken Macdonald, the assistant information commissioner for Scotland: "Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals' privacy rights. Procedures clearly went wrong in this case and I'm pleased that the council is reviewing its practices in light of the lessons that have been learned."
The nature of the original FoI request has not been made clear. The council publishes a monthly list of requests received and the response to them. For March of this year alone, it lists a total 58 such FoI requests.