Clyde Valley Housing Association reprimanded for customer portal data breach
The Information Commissioner’s Office (ICO) has issued a reprimand to Clyde Valley Housing Association (CVHA) after personal information was accessible to other residents on an online customer portal.
On the first day the portal launched in 2022, a resident discovered they could access documents related to anti-social behaviour cases and view personal information about other residents, including names, addresses and dates of birth.
The resident called a customer service advisor at CVHA to flag the breach, but the ICO said their concerns were not escalated, and the personal information remained accessible for five days.
Following a mass email to residents promoting the portal, four more residents reported the same breach, and the new system was suspended.
The ICO’s investigation found that the housing association failed to test the portal appropriately before it went live and staff were not clear on the procedure to escalate a data breach.
Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information. This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.
“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained. We will take action when people’s personal information is not protected.”
The ICO recommended that Clyde Valley Housing Association should take steps to ensure its compliance with data protection law, including:
- Ensuring rigorous testing is undertaken that focuses on data protection prior to the rollout of a portal in the future.
- Conducting a review of data protection training to ensure that training provided is relevant to, and adequate for, the staff members receiving it.
The regulator has previously issued a blog reminding housing organisations of their obligations under data protection law and providing practical steps to support them to process and share residents’ personal information lawfully.
A spokesperson for Clyde Valley Housing Association told Scottish Housing News: “We take the handling of customers’ data very seriously and apologise for this error. We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”