ICO issues reprimand against Scottish landlord over data breach

At 7am on 19 July 2022, a mass email was sent to residents promoting the new portal to them, and then at 9.13am a resident contacted CVHA, saying they were able to view other residents’ information.

Three further reports were then received that were correctly escalated and all portal user accounts were locked at 10.30am, which prevented any further logins from residents. Then at 11.48am, the portal was fully suspended.

The ICO said its investigation found that the housing association failed to test the portal appropriately before it went live, and staff were not clear on the procedure to escalate a data breach. 

139 people were affected

As part of the configuration of the portal, there was a widget available for residents who had ongoing anti-social behaviour cases.

There was a configuration error with this widget that allowed residents with an ongoing anti-social behaviour case to access all other documents on the portal, instead of just being able to view their own.

The ICO said that 394 data entries linked to anti-social behaviour were accessible and that 286 of these contained sufficient information to identify people. 

In total, 139 people were affected by this issue with the anti-social behaviour widget. CVHA said that 62 face a high risk to their rights and freedoms, defined by the housing association as “significant invasion of privacy with regards to data of a private or confidential nature, and a risk of financial loss as a consequence of fraud or identity theft”.

However, although the data was viewable for five days, CVHA has confirmed that only 11 residents logged into the portal at the time the data was available.

Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information.

“This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.

“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained. We will take action when people’s personal information is not protected.”

A spokesperson for CVHA said: “We take the handling of customers’ data very seriously and apologise for this error.

“We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”

Remedial steps taken by CVHA

The ICO said it has considered and welcomes the remedial steps taken by CVHA in the light of this incident.

It highlighted that CVHA has been working with the company that helped to develop the portal alongside the landlord, to identify the root cause, and has been ensuring the new version will not be released until the issue has been fully resolved.

The ICO said the housing association has been updating processes to ensure all staff, including agency staff, are provided with up-to-date and relevant data protection training.

The commissioner also pointed out that CVHA has identified the 11 individual users who accessed the anti-social behaviour portal and instructed them not to share, copy or make further use of the data.

The ICO’s recommendations

The ICO has recommended that CVHA should take steps to ensure its compliance with data protection law.

This includes ensuring “rigorous testing” is undertaken that focuses on data protection prior to the roll-out of a portal in the future.

The commissioner said this includes conducting a review of data protection training to ensure that training provided is relevant to, and adequate for, the staff members receiving it.

Hear from the ICO at the Social Housing Finance Conference on 8 May in London. Emma Wright, group manager for the public advice and data protection complaints service, and Melissa Wilde, team manager, both at the ICO, will be speaking on a session entitled ‘Managing business critical relationships effectively at a time of permacrisis’. To learn more about the session and the event as a whole, click here.