Council does not know how many affected by online data breach

Meath County Council has been unable to say how many planning applications uploaded to its website contained the personal details of applicants following complaints that the council breached the Data Protection Act. Several people have complained that deeply personal details - including driver's licence, bank account number, motor insurance certificate and vehicle registration certificate details - were posted on the internet when the council's new online planning facility went live a week ago. The council said that as soon as it learned of complaints about personal information being available online, it took immediate measures to disable access to the facility. Meanwhile, a councillor has called on the Meath County Manager to have proposals in place by September for a policy which will involve a curtailment on the public availability of personal information belonging to members of the public interacting with the council. Cllr Nick Killian said he had been fighting for 12 years against the easy availability of personal information in council files and said that people were often dismayed that they had to give so much personal details to back up planning applications. One applicant for planning permission - Ian Primrose from Nobber - said that a commencement notice for a new house was available to view on the Meath County Council planning website. It contained his name, address, personal email address and mobile phone number. "I was very annoyed that this information was put into the public domain. I became concerned that I might not be the only person affected and did a search for my local area," he said. He noticed that some of the newer applications all had the supporting documentation available to view, including birth certificates, PPS number, credit union statements and account numbers, bank details, driving licence copies, passport copies, P60s and insurance details. "I was appalled to see such sensitive information freely available on the web. In the space of 10 minutes I could potentially have had enough information to commit identity theft, given the type of information that was available," Mr Primrose said. He said he had informed Meath County Council website administrators and also told the Data Commissioner about the data breach. Mr Primrose said he hoped there would be a "full internal investigation" in addition to the investigation by the Data Commissioner. He hoped also that the result of any investigations would be made public. Rebecca Meade, Castletown, was another planning applicant who had personal details published online. Her birth certificate, driver's licence, bank account number, car insurance certificate and vehicle registration certificate were available online. She said the council's rural housing policy demands that applicants provide proof that they are from the area, or have been living there for some time. "I had to prove that it was our family's land that I wanted to build on. That's why I had to submit documentation. I would have expected that it would all have been kept private. It's just plain stupid to put all that stuff online," she said. Cllr Killian said he had warned the council 12 years ago that the issue of the availability of personal information would eventually cause problems for the council. "Indeed, during one debate on the issue, I pointed out that the day would come when someone would either go to the Equality Authority or the Data Commissioner. The chickens have now come home to roost on this type of personal information being sought. "In my role as councillor over the years, I have advised constituents how to go about preparing to apply for a one-off rural planning application. Applicants are always dismayed that they have to give such personal information," he said. "It bothers me greatly that an applicant with a medical condition is asked to prove this by getting letters from doctors to place on their planning files. Worse still, in cases of marital breakdown, where a spouse is building a home for themselves, legal documentation from solicitors about the marital separation or divorcve is placed on the applicant's file," he added. He said he was well aware that not all applicants told the truth about their applicatioons but a stop had to be put to officials seeking this type of personal information and "placing it then for the public to view". A spokesperson for the council confirmed receipt of a possible breach of data protection on its online planning facility. "As soon as the council became aware of the complaint, immediate measures were taken to disable access to the facility. The matter was reported to the Data Protection Commissioner in accordance with its code of practice," the spokesperson said. She said the system would remain offline until a review of the data management had taken place and the council was satisfied that personal data was protected as provided for in the Data Protection legislation. Planning staff had been advised that, in the event of a request to inspect a planning file by anybody other than the applicant, they must remove any documentation containing personal information. "Planning permission is a public process and guidance notes are issued to applicants and they are warned that every document submitted is part of the public record," the council spokesperson said.