The Information Commissioner’s Office issued a reprimand to the charity
A Scottish housing association has been rapped after it allowed residents’ personal information to be accessible online for five days.
The Information Commissioner’s Office issued a reprimand to Clyde Valley Housing Association (CVHA) – which has now apologised for the breach.
CVHA is a registered charity that manages around 4,700 properties in Lanarkshire and East Dunbartonshire.
The info breach happened after an new online portal allowed users to see personal information, including names, addresses and dates of birth of other residents.
On the first day the portal was live, in July 2022, a resident called the charity to tell them that they could see the information.
The ICO said the customer service adviser who took the call failed to escalate the concern and the information remained accessible online.
Five days later, the charity sent a mass email to residents to promote the portal to them and soon after received four further reports that personal information was visible to other users, which resulted in the charity suspending the portal.
The ICO concluded that the housing association failed to test the portal appropriately before it went live and staff were not clear on the procedure to escalate a data breach.
Jenny Brotchie, regional manager for Scotland at the ICO, said: “This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its customer portal.
“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained.”
A spokesperson for Clyde Valley Housing Association said: “We take the handling of customers’ data very seriously and apologise for this error.
“We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”
