
Council fined £150k for publishing sensitive data in online planning documents

Basildon Borough Council has been fined £150,000 by the Information Commissioner’s Office (ICO) for publishing sensitive personal information about a family in planning application documents that were made publicly available online.

An investigation by the watchdog found that on 16 July 2015 Basildon received a written statement in support of a householder’s planning application for proposed works in a green belt.

Such statements are only required where proposed works fall within certain designated areas such as green belt, a national park or an area of outstanding natural beauty. Of the approximately 1,500 planning applications received by Basildon each year, only 2-3% relate to these designated areas.

The statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years. In particular, it referred to the family’s disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home.


In July 2015, Basildon’s policy and established approach was that personal data (and in particular sensitive personal data) would be redacted from documents such as the statement before they were published as part of the electronic register of planning applications which the council made available through a web-based portal.

Basildon, however, published the statement in full, without redacting the personal data, on its online planning portal later on 16 July.

The ICO investigation concluded that this was due to failings in data protection procedures and training. An inexperienced planning technician did not notice the personal information in the statement, and there was no procedure in place for a second person to check it before the personal data was inadvertently published online, the watchdog said.

The information was only removed on 4 September 2015 when the data protection concerns came to light. 

Basildon submitted to the ICO that, notwithstanding its established procedure (and the procedure adopted by other local authorities), it was not legally permissible to redact any information from the statement which the council decided to publish online.

The local authority argued that:

  • It was obliged under the Town and Country Planning (Development Management Procedure) (England) (Order) 2015 to include the full contents of any application – including unredacted planning statements of the kind at issue – as part of its local authority planning register. The council would therefore have been obliged to show the full contents of the planning application and accompanying statement to any member of the public who asked to see it.
  • It had a power, though not a duty, to make its planning register available to the public by means of a website. If it chose to do so, then it had no power to redact any details from that register.

The ICO said it did not accept those submissions, for these reasons:

  • The 2015 Order could not be construed so as to oust individuals’ rights under the DPA, Directive 95/46/EC or Article 8 of the European Convention on Human Rights.
  • The Commissioner acknowledged that Basildon was under a duty to make the ‘planning application’ available to members of the public. She was not persuaded that this duty encompassed ‘every single item of information’ which an individual includes in any document he or she submits in support of a planning application. The Commissioner was not persuaded that Parliament would have intended such a publication duty to be so far-reaching as to admit of no exceptions. She was therefore not persuaded that Basildon was precluded by law from redacting any information from the statement in the planning register which was available for public inspection.
  • In any event, disclosure on a website was materially different to the right to inspection. “Even on Basildon’s legal analysis, it chose to make its planning register available online. That choice cannot override individuals’ rights under the DPA, Directive 95/46/EC or Article 8 ECHR.” (ICO's emphasis)
  • In any event, if – as Basildon contended – every single item of information submitted with a planning application should have been made publicly available on its website, this should have been made clear to applicants, so that they could make informed decisions about what personal and sensitive personal data they wished to adduce in support of their applications. “A failure to provide such information may render the resultant publication unfair, contrary to the first data protection principle. The Commissioner had not, however, considered whether that principle was breached here. This is because the publication of the sensitive personal data in the statement occurred due to a shortcoming in Basildon’s organisational measures….”

The ICO also rejected a submission by the council that because of an earlier published decision of a planning inspector relating to the same site and family, the affected individuals could have had no reasonable expectation of privacy in respect of the contents of the statement.

The monetary penalty notice can be viewed here.

ICO Enforcement Manager Sally Anne Poole said: "This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available. Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable."

She added: "Data protection law is clear and planning regulations don’t remove an individual’s rights. Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people’s sensitive personal information is protected."

A Basildon Council spokesman said: “The council has been given 28 days in which to lodge an appeal against this decision. We are taking advice and considering our position.”
