TROWBRIDGE Town Council has been found to have breached General Data Protection Regulations following a complaint from a taxpayer.
Paul Jubbie told the Information Commissioner’s Office the council had infringed his data protection rights by disclosing his email address to other people.
Mr Jubbie told the town council’s annual meeting on May 19 his personal details had been “compromised” by the council’s failure to take adequate GDPR security measures.
He said: “Everybody who was invited to take part in this meeting had their email addresses shared with 50-60 other people. That is in breach of GDPR article 32 and GDPR article 5.
“People’s personal email addresses should not be getting shared without their consent.
“I am really concerned again that my email address has been shared with 50 people.”
Mr Jubbie said the Information Commissioner’s Office had ruled in his favour a month ago and had asked the council to take six actions to correct the situation.
The ICO said: “Trowbridge Town Council should ensure staff are aware when sending emails to Bcc and not ‘CC’ or ‘TO’ when sending out bulk emails.
“Trowbridge Town Council should ensure that disclosure of personal data does not occur when sending out emails.”
The council has also been told to improve its procedures to protect personal data. This will include sending all staff on GDPR refresher training courses, ensuring that all data being processed is subject to appropriate organisational and technical security measures, and looking at the ICO’s website for further information and guidance.
At the town council’s full council meeting in March, town clerk Lance Allan said officers had been advised by their Data Protection Officer not to respond to Mr Jubbie’s complaint as he had indicated he might take legal action against the council.