Clyde Valley Housing Association made residents’ personal information available on online customer portal

The Information Commissioner’s Office (ICO) has reprimanded a Scottish housing association after personal information was made accessible to other residents. 

On the first day of the launch of an online customer portal in 2022, a resident of Clyde Valley Housing Association in Lanarkshire discovered they could access documents relating to other residents’ anti-social behaviour cases. 


Image caption: Clyde Valley Group owns and manages around 4,600 properties, mostly in Lanarkshire (Source: Shutterstock)

These contained information including names, addresses and dates of birth.   

The resident called a customer service advisor at the housing association to flag the breach, but their concerns were not escalated and the personal information remained accessible for five days.

Four more residents reported the same breach after a mass email to residents promoting the portal, and the new system was suspended.

The ICO found that Clyde Valley had failed to test the portal properly before it went live and that staff were not clear on the procedure for escalating a data breach.

Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information.  

“This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.   

“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained.  

“We will take action when people’s personal information is not protected.”      

The ICO recommended that the housing association carry out rigorous testing focused on data protection before rolling out a portal in the future, and that it review its data protection training to ensure the training provided is relevant to, and adequate for, the staff members receiving it.

CVHA owns and manages around 4,700 properties across Lanarkshire and East Dunbartonshire, and provides services to 3,000 homeowners. 

A spokesperson for Clyde Valley Housing Association said: “We take the handling of customers’ data very seriously and apologise for this error. We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”