The Information Commissoner's Office (ICO) has issued a reprimand to a Scottish housing association after personal data was made accessible to residents on an online customer portal.

When the portal was launched by Clyde Valley Housing Association, a resident found that they could access documents relating to anti-social behaviour cases, as well as view personal information about other residents, like names, addresses, and dates of birth.

The ICO said that while the resident flagged the breach to a customer services employee at the housing association, their concerns were not escalated. This meant that the personal details remained accessible for five days.

Following a mass email to residents promoting the portal, four more residents reported the same breach, and the new system was suspended.

The ICO’s investigation found that the housing association failed to test the portal appropriately before it went live and staff were not clear on the procedure to escalate a data breach. 

"This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal," said Jenny Brotchie, regional manager for Scotland, ICO. “We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained."

Following its investigation, the ICO recommended that Clyde Valley Housing Association should take steps to ensure its compliance with data protection law, including making sure rigorous testing is undertaken prior to the rollout of a portal in the future and carrying out a review of data protection training to ensure that training provided is relevant to, and adequate for, the staff members receiving it.

---