Search The Bureau Website
28.11.11 State Scrutiny Scrutinising Government

Councils publishing signatures and National Insurance numbers online

Published November 28 2011

By David Pegg

Sensitive personal details, including national insurance numbers and signatures, are being unwittingly published on the Internet by local councils, the Bureau has learned.

Banking and credit organisations have expressed alarm that such confidential information was mistakenly published, warning that it was considerably more detail than would be needed for a fraudster to try and impersonate someone.

The information is contained in Temporary Event Notices, application forms that members of the public must submit in order to be granted licenses for alcohol or music at single events.

Despite being intended only for small functions, the forms demand a slew of personal details, including current and past addresses, complete contact details, dates and places of birth and even previous names. Many councils publish redacted versions of the forms as part of the minutes of their licensing committees, having removed the most sensitive information.

However, several borough and district councils, including Crawley, East Hertfordshire, Kettering, Bridgend and Fenland councils, have all published the complete and unredacted forms on their websites in their entirety, potentially exposing the applicants to identity fraud.

‘Astonishing’
The government anti-fraud organisation CIFAS, which works with major financial institutions including Barclays and Experian to combat identity theft, described the publication of the information as ‘astonishing’.

Spokesperson Richard Hurley told the Bureau: ‘That’s pretty much everything you would need [to commit identity fraud]. ‘The fact that all [the details] are being placed together amplifies the potential risk. Things like place and date of birth tend to be used as security questions, so if they’re published and available – not good.

‘If you consider that an ID fraud can start to be attempted with just your name, date of birth and postcode, that’s alarming enough. If my details were available in that way, I’d be pretty livid.’

An ICO official told The Bureau that it had previously dealt with similar problems regarding the publication of planning applications.

In a statement, an ICO spokesperson said: ‘We have received a complaint about this issue and will now make enquiries’.

The Information Commissioner’s Office can punish public and private bodies that breach the Data Protection Act 1998 with a fine of up to £500,000.

Data-harvesting
The leaks represent further cases of public bodies requesting large quantities of personal information, often under trivial pretexts, then failing to store it securely.

Earlier this year, the Bureau revealed that local councils had lost the personal data of more than 160,000 people over the past five years, with more than 26,000 victims in the first half of 2011 alone. 5,000 children had their data lost or misplaced.

Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, said: ‘The more personal information is collected by authorities, the greater the risk to personal privacy. The fact that councils felt National Insurance numbers were a necessary piece of information is worrying in itself, when it is absolutely not needed, but the fact they were so careless as to publish this information online is incredible.’

‘Time and again we see cases of irrelevant and personal information being collected with absolutely no justification – these cases are a clear reminder of the risk of handing over our own details to authorities who we should be able to trust.’

The Department of Culture, Media and Sport said that the questions were originally included on the forms under the Labour government in order to prevent people from exceeding a limit to the number of licensing applications that can be filed.

‘We take data protection issues very seriously’
The Bureau has approached councils that it has identified as having published the confidential details in order to allow them time to remove the forms in question. A number of councils issued statements in response to our findings.

Fenland District Council: ‘Thank you for bringing this matter to our attention. We take data protection issues very seriously and we have taken urgent action to ensure that the two examples you have given are removed from the website. We have also taken immediate steps to review any similar cases, as well as our processes, to avoid any repetition in the future.’

East Herts Council: ‘East Herts Council has taken immediate action to remove any personal information contained within Temporary Event Notices on our website. We believe there are 17 such notices and we will be writing to those people affected. We apologise that we appear on this list along with a number of other councils and from now on TENs will appear with such information redacted.’

Crawley Borough Council: ‘The council follows strict guidelines to adhere to the Data Protection Act. In this circumstance an oversight led to some personal details being published in a document on the council’s website. This information has now been taken out of the public domain and we’d like to apologise to the person who was affected. The council is investigating this matter and will be taking practical steps to ensure that this does not happen again in the future.’

About The Author

David Pegg
More by David Pegg

More From Scrutinising Government

Crisis at the commission: inside Europe’s response to the coronavirus outbreak

15 July 2020

Thousands of British citizens swept up in immigration spot checks

9 October 2017

Get the data: The crisis in the UK’s affordable housing supply system

18 September 2013

Government property website launched days after failures exposed

25 January 2013

Corporations

Food and Drugs

Justice

Human Rights

PR and Spin

State Scrutiny

Bureau Local