The quango responsible for managing Scotland’s inland waterways has admitted a data breach by inadvertently revealing personal details of more than 150 subscribers to its newsletter.
Scottish Canals sent out its latest newsletter earlier this month but accidentally revealed the email addresses of each of its recipients.
Some are believed to be considering legal action over what one has described as a “serious breach of data protection legislation”.
“Many of the emails contain the name of an individual as well as the company they work for.”
An angry email to Scottish Canals from one of those affected and shared with the rest said: “This breach of data protection regulation can have a negative impact on all the individuals involved.
“In my case 156 private individuals or companies now know that I have an interest or connection with Scottish Canals.
“All other receivers of this mail now know that I have an asset (in this case a sailing yacht) on the Caledonian Canal.
Connection
“Many of the emails contain the name of an individual as well as the company they work for. Therefore, a connection can be made between the individual and his/her employer.
“Potentially non-public email addresses are now public and can be used in the best case for spam marketing or in the worst case for fraud.”
While recognising the data breach was unintentional, others affected have highlighted that it is nevertheless illegal and “very serious”.
Confirming the breach, a spokesman for Scottish Canals said: “On August 13 2021, a member of staff sent out a regular email update to our boating customers.
“Unfortunately, the recipients of the email were visible to one another. This email was recalled immediately by the member of staff, an apology issued to the recipients and the incident reported internally.”
The spokesman added: “Safeguarding customer data is very important to Scottish Canals, and we invest in training staff via our e-learning platform and policy management system – which includes the most up-to-date guidance on GDPR (General Data Protection Regulation) and the use of email systems.
“We will take the opportunity to learn from this incident and remind our people of the steps they need to take when handling customer data.”
Compliance with UK data protection rules is overseen by the Information Commissioner’s Office (ICO).
An ICO spokeswoman said: “A key principle of the UK GDPR is that organisations process personal data securely by means of ‘appropriate technical and organisational measures’.
“Doing this requires organisations to consider things like risk analysis, organisational policies, and physical and technical measures.
“People have the right to be confident that organisations handle their personal information responsibly and in line with good practice.
“If they have a concern about the way an organisation is handling their information, the organisation responsible should deal with it and take their concern seriously and work to try to resolve it. If a person is still not satisfied, they can raise their concern with the ICO.”
GDPR governs how any business – the “data controller” – should process personal information.
Kirk Tudhope, a partner in the Inverness office of Aberdeen-based law firm Ledingham Chalmers, said: “Most businesses and organisations should identify emails as being a high risk for potential loss of personal data.
“For example, emails or attachments containing sensitive or confidential information that are sent to the wrong person should be reported to the Information Commissioner within 72 hours and could attract a fine or civil claim.”
Big penalties for non-compliance
Fines worth hundreds of millions of euros have been handed out by information commissioners around Europe since the GDPR was introduced in May 2018. There are two tiers of penalties, with a maximum of 20 million euros (about £14.7m) or 4% of global revenue.
Scottish Canals is the public agency of the Scottish Government responsible for managing the country’s inland waterways. Formerly a division of British Waterways, it became a stand-alone public body of the Scottish Government on July 2 2012.
