The UK Electoral Commission is facing an ICO investigation after inadvertently releasing details of donors to a pro-union campaign group on its website.
When it published its response to a Freedom of Information request relating to Scotland in Union, the Electoral Commission failed to redact information on 168 individuals who had donated to the group. The group campaigns to promote Scotland in the UK following the 2014 Scottish independence referendum.
Although the information in the original spreadsheet was encrypted when sent to the Electoral Commission, a technical error meant that personal information on the donors, which had been redacted when published online, could be viewed if cut and pasted into another document. The donors’ information was then circulated widely on social media. The Electoral Commission, on discovering the error, notified the ICO.
While the ICO will now conduct its investigations and decide whether to impose any penalties (including any fine), the media attention and investigations highlight the dangers of not adequately protecting personal data, especially as data on trade unions is classified as sensitive (“special category” under the GDPR) personal data.