Ratepayers’ details 'leaked' in Parish email gaffe

Monday 17 July 2017

St Helier residents' privacy may be at risk after an email blunder saw parishioners sent the email addresses of other ratepayers.

The message was sent on Friday afternoon, and the Information Commissioner's Office is now investigating.

Parish workers urgently tried to recall the email in the aftermath of the mistake, but only succeeded in sending the apparent mailing list a second time.

A third email – addressed from Daryn Cleworth, Customer Services Manager for the Parish - arrived shortly after 14:00, and apologised “unreservedly” for the apparent security breach.

“Dear Ratepayer,

“On behalf of the Parish of St Helier, I apologise unreservedly for the previous email you have received.

“The transgression was noticed immediately but unfortunately all attempts by both myself and our IT specialists to retrieve the emails proved fruitless,” it read.

Pictured: An email from parish officials following the mistake, entitled 'St Helier Rates Apology'.

The Office of the Information Commissioner - the statutory authority promoting respect and protection of individuals' private data - was immediately made aware of the error. The Parish of St Helier is now said to be “working closely” with the body.

Parishioners were also reassured that the Parish was, “continuously reviewing [its] processes to ensure that such issues do not occur again.” 

It is unknown at this stage how many people were affected by the apparent leak.

A spokesperson for the Parish commented: "The matter, both internally as well as technologically, is being reviewed, and appropriate steps will be taken where necessary."

Jersey's Information Commissioner Emma Martins has since commented: 

"The breach related to an email sent to St Helier ratepayers in which the email addresses of all recipients was included, and therefore disclosed. It appears the recipients’ emails were erroneously entered into the ‘cc’ box rather than the ‘bcc’ box.

"It is not mandatory for data controllers to report data breaches to my office under the current legal regime (Data Protection (Jersey) Law 2005). However, it will be mandatory from 2018 when new data protection legislation is due for implementation. As such, we welcome the proactive position taken in respect of this matter by the Parish of St Helier."

She added: "The Office of the Information Commissioner has received a number of complaints and enquiries relating to this incident. We will now seek further, detailed information from the Parish of St Helier to better understand how the incident happened and the steps they now propose to take. While this investigation remains ongoing, it would be inappropriate to comment further at this stage."