The watchdog said local authorities cannot cite the requirements of planning law as a reason for failing to redact sensitive personal data on planning documents they make publically available on their website.
The ICO issued its warning as it confirmed that it had fined Basildon Borough Council in Essex £150,000 after it published sensitive personal information about a family which was contained on a document submitted to it as part of a planning application. The local authority was responsible for a serious breach of the Data Protection Act, the watchdog said.
According to the ICO, Basildon Borough Council had claimed that planning law prevented it from redacting personal data contained within planning documents. However, the ICO said planning regulations "could not override people’s fundamental privacy and data protection rights", and said local planning bodies are not under a legal obligation to publish planning documents online.
The ICO's enforcement manager Sally Anne Poole said: "Data protection law is clear and planning regulations don’t remove an individual’s rights. Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people’s sensitive personal information is protected."
In its monetary penalty notice (21-page / 4.53MB PDF), the ICO said that a document submitted to Basildon Borough Council in support of a planning application contained details of a traveller family's "disability requirements, including mental health issues". The proposed development works were intended for green belt land where the family had been living, it said.
The statement submitted referred to members of the family by name, their age, the location of their home, as well as their disability requirements, the ICO said.
The council posted the statement in full on its online planning portal where it remained for approximately six weeks, it said. The ICO said data protection failings meant that the personal data in the document was not redacted before the statement was published by the council.
"The statement was passed to a planning technician who was responsible for validating the planning application and checking that personal data had been appropriately redacted before it was published on Basildon's website," the ICO said. "That planning technician, however, was inexperienced in checking the contents of documents relating to planning applications which contained sensitive information. He did not notice the information about the family that was embedded in the statement and therefore did not make any redactions."
"No procedure was in place for a second person to check such documents before they were uploaded onto the portal," it said.
Poole described the breach as "a serious incident".
"Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable," she said.