The Information Commissioner’s Office (ICO) has formally reprimanded Clyde Valley Housing Association for failing to protect personal data on its new online customer portal, leading to a significant privacy breach.
Breach and Initial Discovery
The issue came to light on the very first day the portal was launched in 2022, when a resident discovered they could access sensitive documents related to anti-social behaviour cases, as well as personal details such as names, addresses, and dates of birth of other residents. Despite reporting this immediately to a customer service advisor at Clyde Valley Housing Association, the issue was not escalated, and the sensitive information remained exposed for five days.
Further Reports and System Suspension
After the housing association sent out a mass email to promote the new portal, four additional residents reported the same data breach. This prompted the association to suspend the new system. The ICO’s subsequent investigation revealed significant failures in the launch of the portal, including inadequate testing and a lack of clear procedures for escalating data breaches among staff.
ICO’s Findings and Recommendations
Jenny Brotchie, the ICO’s Regional Manager for Scotland, emphasised the importance of data security, especially when introducing new digital services. “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information,” Brotchie stated. She highlighted that the breach was due to “a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.”
The ICO has recommended that Clyde Valley Housing Association undertake rigorous data protection-focused testing before any future portal rollouts, and conduct a thorough review of its data protection training to ensure it is relevant and sufficient. The ICO has also reiterated the necessity for housing organisations to comply with data protection laws and has provided guidelines to help them manage and share resident information lawfully.
The reprimand is available in full here.