COUNCIL bosses have reported themselves to the data regulator after they erroneously sent out names and full addresses of Barrow taxi drivers to other cabbies.

In October Barrow Borough Council wrote to 24 taxi drivers licensed to work in the town to remind them that their vehicle's mid-term test was due.

However a printing error meant that the other side of the letter contained the names and addresses of other taxi drivers.

Such a mistake is referred to as a personal data breach and comes under legislation covered by the recent changes to privacy law commonly known as GDPR.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, both accidental and deliberate.

Organisations which hold personal data, such as a local authority, must notify the Information Commissioner's Office within 72 hours of becoming aware of a data breach.

If the breach is likely to adversely affect the personal data or privacy of the individuals concerned then the organisation is required to notify those affected.

Once Barrow Borough Council staff discovered the error the 24 people whose details had been sent to other taxi drivers were contacted by letter.

In the letter the council's public protection manager Graham Barker apologised for the data breach.

He wrote: "Changes have already been made to our IT system to prevent this from occurring again and I sincerely apologise for this error."

Mr Barker told The Mail the council didn't consider the breach likely to adversely affect the privacy of the individuals concerned.

He added: "We contacted the small number of individuals involved because we wanted to be open and transparent about this error, to offer our apologies and to let them know that we have put controls in place to prevent it occurring again."

One affected taxi driver commented to The Mail on condition of anonymity: "The council has access to huge amounts of personal data, thousands of people, and you'd expect there would be serious consequences for whoever made a mistake like this."

Mr Barker's response in full:

There were 24 individual licence holders name and address details. As my letter explains, the ‘reminder letters’ printed back to back, as print settings had reverted to double-sided [The default setting is single sided].

The letters were enveloped mechanically as there were no enclosures. The template letter has now been amended to two pages long and as such, should the printer defaults change again, the same error cannot occur.

We have assessed the risk to the individuals and determined that it is unlikely to result in adverse effects occurring as stated in Article 29 of the General Data Protection Regulation (GDPR).

The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy.

It can also include any other significant economic or social disadvantage to those individuals.

The GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place.

Where there is a likely high risk of these adverse effects occurring, the GDPR requires the controller to communicate the breach to the affected individuals as soon as is reasonably feasible.

Although the council has determined that this breach it is unlikely to result in adverse effects, we contacted the small number of individuals involved because we wanted to be open and transparent about this error, to offer our apologies and to let them know that we have put controls in place to prevent it occurring again.