Residents' personal information 'exposed' by housing association 

The Information Commissioner's Office reprimanded the Lanarkshire association following the breach.


A Lanarkshire housing association has been reprimanded after residents’ personal information was “exposed” on an online customer portal.

Clyde Valley Housing Association (CVHA), based in Motherwell, has been issued a reprimand by the Information Commissioner’s Office (ICO) after a data breach involving personal information.

A resident of the association discovered that they could access documents related to anti-social behaviour cases and view personal information about other residents, including names, addresses and dates of birth.

The resident contacted CVHA’s customer service team about the breach on the portal, which was launched in 2022, but the ICO claims it was not “escalated”.

The report found the information was available for five days after it was flagged and that four more residents reported the same breach following a mass email promoting the portal, which was then suspended.

The ICO said the housing association had “failed” to appropriately test the portal before it went live and that members of staff were “not clear on the procedure to escalate a data breach.”

The ICO recommended that CVHA “ensures rigorous testing is undertaken that focuses on data protection prior to the rollout of a portal in the future.”

The report also concluded that the association should “conduct a review of data protection training to ensure that training provided is relevant to, and adequate for, the staff members receiving it.”

Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information.

“This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.

“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained.

“We will take action when people’s personal information is not protected.”

The association is a registered charity that owns and manages around 4,700 properties and provides services to 3,000 homeowners.

A spokesperson for Clyde Valley Housing Association said: “We take the handling of customers’ data very seriously and apologise for this error.

“We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”
