ICO (UK) - Clyde Valley Housing Association
ICO - Clyde Valley Housing Association | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 5(1)(f) GDPR Article 58(2)(b) GDPR UK Data Protection Law |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 25.07.2022 |
Decided: | 18.04.2024 |
Published: | 18.04.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Clyde Valley Housing Association |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | Ian Taylor |
Clyde Valley Housing Association have received a reprimand from the commissioner because of an infringement that occurred in July 2022 when they released a new customer portal with data subjects personal information visible to all other residents.
English Summary
Facts
Clyde Valley Housing Association was established in 1996 and provides social housing to the Lanarkshire and East Dunbartonshire areas of Scotland. It is a registered charity that owns and manages around 4,700 properties and provides services to 3,000 homeowners.
Clyde Valley Housing Association released a new customer portal. The portal went live on 14 July 2022. On the same date, a resident logged into the portal and found that they were able to view personal information about other residents. The resident called Clyde Valley Housing Association and spoke to a customer service advisor, and told them that they could see information that they felt they shouldn’t have been able to see. The customer service advisor who received the call then failed to escalate this concern, which led to this data remaining viewable on the portal for a further 5 days until further residents reported the issue and Clyde Valley Housing Association suspended the portal.
Holding
Following an investigation, the Commissioner issued a reprimand to Clyde Valley Housing Association in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR), having determined that Clyde Valley Housing Association failed to carry out adequate testing prior to the online customer portal going live, leading to accidental access of personal information due to a lack of appropriate technical measures. This demonstrated a failure to keep residents data secure against unauthorised processing, and as a result was an infringement of Article 5(1)(f) of the UK GDPR.
The decision to issue an reprimand was taken after considering the remedial steps taken by Clyde Valley Housing Association and the portal development company. The Commissioner also recommended that Clyde Valley Housing Association should consider taking certain steps to improve its compliance and ensure staff are appropriately trained to deal with data protection matters.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Clyde Valley Housing Association have received the following reprimand because of an infringement that occurred in July 2022 when they released a new customer portal. This portal included personal data of data subjects and residents found they were able to view personal information such as names and addresses about other residents. A resident reported this to Clyde Valley Housing Association, however this concern was not escalated appropriately which led to data remaining viewable on the portal for a further 5 days until further residents reported the issue and Clyde Valley Housing Association suspended the portal.