Case Studies

Borough fined £70k by data regulator

by Mark Rowe

Islington Council has been fined £70,000 by the data protection regulator for a security failing on its parking ticket system website.

Islington’s TicketViewer system allows people to see a CCTV image or video of their alleged parking offence. It was found to have design faults meaning the personal data of up to 89,000 people was at risk of being accessed by others. That data included a small amount of sensitive personal information such as medical details relating to appeals.

The problem came to light in October 2015 when the north London council was told by a member of the public using the system that folders containing personal data could be accessed by manipulating the URL in the user’s browser. It turned out that there had been unauthorised access to 119 documents on the system 235 times from 36 unique IP addresses, affecting 71 people, the Information Commissioner’s Office (ICO) found.

Sally Anne Poole, ICO Enforcement Manager, said: “People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that. Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”

TicketViewer dates from 2012 and is hosted separately from other systems. As for the scale of parking tickets in that borough, between 2012, when the system was developed, and October 2015, about 825,000 parking tickets were issued and some 270,000 appeals received. Islington referred the case to the ICO, and the ICO did not know of anyone actually suffering any damage from the fault.

The ICO said that the council should have tested the system, both before going live and regularly afterwards. In failing to do so, the regulator said, the London borough failed to take the appropriate technical measures to keep personal information secure. This was a breach of the Data Protection Act. For the ICO ruling in full, visit the ICO website.

The ICO warns that data protection laws are set to get tougher under the GDPR (General Data Protection Regulation), which is due to apply EU-wide from May 2018. For one thing, while the rules limit the ICO's powers to a maximum fine of £500,000, that stands to be raised much higher. As featured in the September 2017 print issue of Professional Security magazine, the Government has published a ‘statement of intent’ ahead of a Data Protection Bill, outlining how the 1998 Data Protection Act will be replaced to reflect the GDPR.

Picture by Mark Rowe; on-street Islington borough CCTV, Danbury Street, London N1.
