Gwent Police has apologised after revealing the email addresses of residents who took part in a recent survey.
The 418 addresses were inadvertently revealed by Chief Inspector Jason White after he placed them in the ‘To’ field of the email he was sending, rather than the ‘bcc’ field which hides them from the view of other recipients.
To compound the error, Chief Superintendent Marc Budden replied to all with the following: “Jase Very quickly – can we retrieve these in any way? Speak to SRS. We’ve shared everyone’s emails with everyone else. Marc.”
SRS refers to Shared Resource Service, the body which provides technology services to the public sector in Wales.
Charlotte Lunn, a 37-year-old resident of Caerphilly received the email. She said: “I was stunned that Gwent Police could make such a serious slip up, given how rigorously organisations are held to data protection regulations.
“They sent an apology email out too – without including all the recipients.”
A spokeswoman for Gwent Police said: “An email was issued on Wednesday, October 24, by Gwent Police to gather views on how best to engage with the public to assist us in obtaining information to set our neighbourhood policing priorities.
“In human error, email addresses were disclosed of those who had previously taken part in our ‘Your Voice’ process, which aims to give residents the opportunity to influence the work of their local officers, as well as partner agencies, to tackle those issues that are of most concern to local communities.
“We apologise for any inconvenience caused and immediately tried to rectify this data breach by retracting the email.
“Accordingly, we will ensure we comply with formal procedures under the General Data Protection Regulations.”
The Information Commissioner’s Office is the UK watchdog for data regulation.
An ICO spokesperson said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.
“All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.”