Council published residents' details on website

Lewisham Council said the breach did not meet the threshold for notifying the Information Commissioner’s Office

A south-east London council published personal details of residents who commented on a planning application on its website for almost a year, it has emerged.

The names, addresses and contact details of 156 people were uploaded to Lewisham Council’s website and remained online for 11 months.

Information about the data breach was disclosed in documents published ahead of a council meeting last week.

The council said the information had been removed and the breach did not meet the threshold for notifying the Information Commissioner’s Office (ICO), the public body responsible for data privacy.

A file containing personal details of residents who had commented on the planning application was uploaded to Lewisham’s website in March 2023, according to a public question submitted ahead of the meeting.

The planning application related to Hither Green railway station.

Officials only became aware of the data breach after a member of the public notified the council about it in February, Amanda De Ryk, the council's cabinet member for finance, said.

The council subsequently removed the document containing the residents’ personal details from the website and wrote to those whose details were published.

Labour councillor Ms De Ryk said ICO guidance states that the body should only be told about a data breach if it is likely to result in a threat to individuals’ rights and freedoms.

Ms De Ryk said the council concluded the data published did not include "special category data", including details relating to a person’s race, religion, belief, sexual orientation or health.

"In many cases the data breached is already in the public domain," she said.

"The data was in the public domain for 11 months without any of the public contacting the council to make us aware of any adverse impact caused by the data breach.

“The council’s data protection officer applied these factors to its breach risk matrix to determine if the breach reached the threshold for notifying the ICO and concluded that it had not.”

An ICO spokesperson said: “We do not appear to have received an incident report on this matter at this stage.

“For awareness, not all breaches need to be reported to us. Organisations must, however, notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
