Plymouth City Council has acknowledged a significant data breach after an email intended for nearly 300 home-schooling families was sent with all recipients' email addresses visible. The error, which occurred during a routine communication, exposed the personal contact details of 297 families, raising concerns about privacy and data protection.
The council issued an immediate apology for the oversight, stating that it deeply regretted the error and understood the distress it may have caused. The email, which was sent without using the 'BCC' (blind carbon copy) function, meant that every recipient could see the email addresses of all other families on the distribution list.
Following the incident, Plymouth City Council has confirmed that it has reported itself to the Information Commissioner's Office (ICO), the UK's independent authority set up to uphold information rights. The ICO will now assess the breach to determine if any data protection laws, such as the General Data Protection Regulation (GDPR), have been violated and what, if any, enforcement action is required.
This incident is not isolated, with several other local authorities across the UK having faced similar issues in recent years. Such breaches typically occur due to human error and highlight the ongoing challenge for public sector organisations in managing large-scale communications while adhering to stringent data protection standards.
The council has stated it is undertaking a comprehensive review of its email communication protocols and staff training to prevent any recurrence. The aim is to reinforce best practices in data handling and ensure that sensitive information is protected when communicating with residents.