The ICO has reprimanded a Housing Association after personal information was made accessible to other residents on an online customer portal. A resident discovered they could access documents related to anti-social behaviour cases and view personal information about other residents, including names, addresses and dates of birth, on the first day that the portal was launched.

394 data entries linked to anti-social behaviour were accessible, and of those 286 contained sufficient information to identify data subjects. 62 residents compromised by the data breach faced a high risk to their rights and freedoms.

The ICO’s investigation found that the housing association failed to test the portal appropriately before it went live, and staff were unclear on the procedure to escalate a data breach. The testing plan for the portal did not focus on data protection or the possibility of a breach. Once the portal went live, the Housing Association did not conduct any further testing of the portal to ensure its correct functionality.

The breach demonstrated a failure to keep residents' data secure against unauthorised processing, an infringement of Article 5(1)(f) of the UK GDPR.

TIAA Advised Action
  • You must have a DPO if you are a Housing Association or if your core activities include large scale monitoring of individuals or processing special category data.
  • Ensure your organisation has an up-to-date DPA policy and staff receive DPA training.
  • Consider DPA implications when putting new systems in place and check their functionality.

Source: Housing association reprimanded for exposing personal information on online portal | ICO