Sunday 22 October 2017

Ratepayers’ details 'leaked' in Parish email gaffe

Monday 17 July 2017

St Helier residents' privacy may be at risk after an email blunder saw parishioners sent the email addresses of other ratepayers.

The message was sent on Friday afternoon, and the Information Commissioner's Office is now investigating.

Parish workers urgently tried to recall the email in the aftermath of the mistake, but only succeeded in sending the apparent mailing list a second time.

A third email – addressed from Daryn Cleworth, Customer Services Manager for the Parish – arrived shortly after 14:00 and apologised “unreservedly” for the apparent security breach.

“Dear Ratepayer,

“On behalf of the Parish of St Helier, I apologise unreservedly for the previous email you have received.

“The transgression was noticed immediately but unfortunately all attempts by both myself and our IT specialists to retrieve the emails proved fruitless,” it read.

Pictured: An email from parish officials following the mistake, entitled 'St Helier Rates Apology'.

The Office of the Information Commissioner - the statutory authority promoting respect and protection of individuals' private data - was immediately made aware of the error. The Parish of St Helier is now said to be “working closely” with the body.

Parishioners were also reassured that the Parish was “continuously reviewing [its] processes to ensure that such issues do not occur again.”

It is unknown at this stage how many people were affected by the apparent leak.

A spokesperson for the Parish commented: "The matter, both internally as well as technologically, is being reviewed, and appropriate steps will be taken where necessary."

Jersey's Information Commissioner Emma Martins has since commented: 

"The breach related to an email sent to St Helier ratepayers in which the email addresses of all recipients were included, and therefore disclosed. It appears the recipients’ emails were erroneously entered into the ‘cc’ box rather than the ‘bcc’ box.

"It is not mandatory for data controllers to report data breaches to my office under the current legal regime (Data Protection (Jersey) Law 2005). However, it will be mandatory from 2018 when new data protection legislation is due for implementation. As such, we welcome the proactive position taken in respect of this matter by the Parish of St Helier."

She added: "The Office of the Information Commissioner has received a number of complaints and enquiries relating to this incident. We will now seek further, detailed information from the Parish of St Helier to better understand how the incident happened and the steps they now propose to take. While this investigation remains ongoing, it would be inappropriate to comment further at this stage."

 

Comments

Posted by John Henwood on
I got the-email-that-should-not-have-been-sent, but hey, stuff happens and we all make mistakes. I hope the individual responsible isn't given an unduly hard time over the error.

Posted by Simon Langlois on
I'm all for open government and transparency, but in this case, for the sake of the disclosed recipients, it would have been better to have kept quiet about it as I'm sure that 99.9% of people would not have noticed.

Drawing attention to their mistake has now drawn unwanted attention and this will probably lead to us noticing an increase in unsolicited emails and spam; I get enough of that already!

The sequence of emails on 14th July seemed to be:
08.18 - received an exact copy of the Notice of Assessment email sent out on 25th April;
12.30 - email requesting us to ignore previous email (but openly showing all recipients!)
13.33 - email just saying they would like to recall previous email (but again, showing all recipients in open CC!)
14.15 - email apologising.

Staggering, that having made the CC mistake at 12.30, they proceeded to do the exact same thing again an hour later! Nothing like learning from your mistakes, and that was nothing like learning from your mistakes.