Parents of disabled children in Bristol were left reeling yesterday, after a huge data breach from Bristol City Council saw personal information emailed out to the city’s residents.
At 09.25am on Monday, an email from the Disabled Children and Specialist Services department about an online consultation was sent without using blind carbon copy (BCC). As a result, an estimated 1,000 or more disabled children's full names and parents' email addresses, many of which contain the parents' full names, were visible to every recipient.
The email went out in batches covering surnames A-H, H-R and R-Z, and each parent could see the names in their batch. At 10.18am the original sender attempted to recall the email.
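The failure above is a client-side one: every address placed in To or Cc is disclosed to every other recipient, while only addresses in Bcc (or, better, only in the SMTP envelope) stay private. The following is an added example of the pre-send guard a mail gateway or sending script could apply; it is not the council's code or part of the original article. The threshold, the sample message and all addresses in it are constructed for illustration.

```python
"""Pre-send guard for bulk email: refuse to expose many recipients to each
other, and rewrite the message so they travel only in the SMTP envelope.

Added example, not Bristol City Council's code. The policy threshold and the
sample message below are assumptions made for the illustration."""
from email import message_from_string
from email.utils import getaddresses

# Assumed policy: more visible recipients than this means the message must
# go out with recipients hidden (or as one message per recipient).
MAX_VISIBLE_RECIPIENTS = 5

# Constructed sample (not the real council email): a bulk notification with
# every parent's address in To/Cc, which is exactly what leaks the list.
SAMPLE_RAW = """\
From: Disabled Children and Specialist Services <dcss@example.org>
To: "Parent One" <parent1@example.com>, parent2@example.com,
 "Parent Three" <parent3@example.com>, parent4@example.com
Cc: parent5@example.com, parent6@example.com, parent7@example.com
Subject: Consultation on a new early identification service
Content-Type: text/plain; charset="utf-8"

Please follow the link below to take part in the consultation.
"""


def visible_recipients(msg):
    """(name, address) pairs every recipient can see: To and Cc, never Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [(name, addr) for name, addr in getaddresses(headers) if addr]


def violates_bcc_policy(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """True when sending as-is would disclose more than `limit` addresses."""
    return len(visible_recipients(msg)) > limit


def enforce_bcc(msg):
    """Return (sanitised message, envelope recipients).

    To/Cc are replaced by an empty group address so the header block names
    nobody. The real recipients are returned separately for the SMTP
    envelope (e.g. smtplib's to_addrs); no Bcc header is written at all, so
    there is nothing for a downstream hop to forget to strip.
    """
    rcpts = [addr for _, addr in visible_recipients(msg)]
    del msg["To"]
    del msg["Cc"]
    msg["To"] = "undisclosed-recipients:;"
    return msg, rcpts


def guard_outgoing(raw):
    """Pre-send hook: parse, check against policy, rewrite if needed.

    Returns (message, envelope recipients, rewritten?).
    """
    msg = message_from_string(raw)
    if not violates_bcc_policy(msg):
        return msg, [addr for _, addr in visible_recipients(msg)], False
    msg, rcpts = enforce_bcc(msg)
    return msg, rcpts, True


if __name__ == "__main__":
    msg, rcpts, rewritten = guard_outgoing(SAMPLE_RAW)
    print("rewritten:", rewritten)
    print("header To:", msg["To"])
    print("envelope recipients:", len(rcpts))
```

The guard only catches the mass-mailing case; a message to a handful of people still reveals who else got it, which is why services handling sensitive categories of data usually send one message per recipient from a mail-merge or case-management system rather than from a desktop client at all.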
The email was informing parents of a consultation regarding a new service aiming to support parents and their children with the early identification of additional needs.
The A-H batch, which the council sent to us as part of the breach, went to 455 recipients.
The consultation page linked from the email originally showed an opening date of 9 November 2020; shortly after the breach this was changed to 23 November 2020.
A parent, who asked not to be named, said: “I can’t believe what they’ve done. They already sent my child’s finalised EHCP to the wrong address a couple of years ago. Now this. My child would be really embarrassed if he found out.”
Bristol Send Justice released a statement saying: ‘The council’s IT system should simply not allow for this kind of incident to happen. This is highly sensitive information being handled and more robust processes and systems should be put in place to mitigate human error which can and does happen without malice. We would like to see the outcome of the investigation, which should include measures to make sure so many hundreds of children’s personal information cannot be processed in this way again.’
Director of Children and Families, Ann James, finally sent an apology to the affected parents at 17.17, apologising 'unreservedly'.
The email said: ‘As you may be aware there was a breach of the General Data Protection Regulation (GDPR) this morning which affects you.
‘This means that personal information was shared this morning, which should not have been. We did not use ‘blind carbon copy’ when sending an email to you this morning, and as a result your child’s name and your email address could be viewed by everyone who received the email. This breach was caused by human error and I apologise unreservedly for any distress that this may have caused you or your family.
‘To mitigate this situation we have attempted to recall the email and would ask that anyone still in possession of the email delete it. We have informed our Data Protection team who will report this incident to the Information Commissioner’s Office (ICO). This is in line with the accepted process for reporting data breaches, and we will comply fully with their protocol.
‘I sincerely apologise for this error and want to reassure you that we have taken steps to find out what happened and why to help prevent this happening again. Following a personal data breach an investigation is carried out into the causes. Where staff are found to be at fault the matter is addressed as a training issue, and where there have been failures in policy or process any necessary changes are made to reduce the risk of a similar incident occurring in the future. All staff are aware of their GDPR obligations and must take mandatory data protection and information security training annually.
‘In addition to an internal investigation, the ICO will also provide recommendations which Bristol City Council will act upon. If you have concerns about how Bristol City Council has handled your data, you can contact firstname.lastname@example.org. As stated above, we have reported this incident to the ICO, however, should you wish, you may independently refer this matter to them via their website, ico.org.uk.’