Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner. Facebook Messenger An icon of the facebook messenger app logo. Facebook An icon of a facebook f logo. Facebook Messenger An icon of the Twitter app logo. LinkedIn An icon of the LinkedIn logo. WhatsApp Messenger An icon of the Whatsapp messenger app logo. Email An icon of an mail envelope. Copy link A decentered black square over a white square.
More
Home Business Scotland business

Scottish Government agency admits email bungle – personal details unintentionally leaked

By Keith Findlay
Visitors watch yachts climb the locks of the Caledonian Canal at Fort Augustus.
Visitors watch yachts climb the locks of the Caledonian Canal at Fort Augustus.

The quango responsible for managing Scotland’s inland waterways has admitted a data breach by inadvertently revealing personal details of more than 150 subscribers to its newsletter.

Scottish Canals sent out its latest newsletter earlier this month but accidentally revealed the email addresses of each of its recipients.

Some are believed to be considering legal action over what one has described as a “serious breach of data protection legislation”.

“Many of the emails contain the name of an individual as well as the company they work for.”

An angry email to Scottish Canals from one of those affected and shared with the rest said: “This breach of data protection regulation can have a negative impact on all the individuals involved.

“In my case 156 private individuals or companies now know that I have an interest or connection with Scottish Canals.

“All other receivers of this mail now know that I have an asset (in this case a sailing yacht) on the Caledonian Canal.

Connection

“Many of the emails contain the name of an individual as well as the company they work for. Therefore, a connection can be made between the individual and his/her employer.

“Potentially non-public email addresses are now public and can be used in the best case for spam marketing or in the worst case for fraud.”

The Falkirk Wheel, which connects the Forth and Clyde Canal with the Union Canal.

While recognising the data breach was unintentional, others affected have highlighted that it is nevertheless illegal and “very serious”.

Confirming the breach, a spokesman for Scottish Canals said: “On August 13 2021, a member of staff sent out a regular email update to our boating customers.

“Unfortunately, the recipients of the email were visible to one another. This email was recalled immediately by the member of staff, an apology issued to the recipients and the incident reported internally.”

The locks at Clachnaharry, the eastern entrance to the Caledonian Canal.

The spokesman added: “Safeguarding customer data is very important to Scottish Canals, and we invest in training staff via our e-learning platform and policy management system – which includes the most up-to-date guidance on GDPR (General Data Protection Regulation) and the use of email systems.

“We will take the opportunity to learn from this incident and remind our people of the steps they need to take when handling customer data.”

Compliance with UK data protection rules is overseen by the Information Commissioner’s Office (ICO).

An ICO spokeswoman said: “A key principle of the UK GDPR is that organisations process personal data securely by means of ‘appropriate technical and organisational measures’.

“Doing this requires organisations to consider things like risk analysis, organisational policies, and physical and technical measures.

“People have the right to be confident that organisations handle their personal information responsibly and in line with good practice.

“If they have a concern about the way an organisation is handling their information, the organisation responsible should deal with it and take their concern seriously and work to try to resolve it. If a person is still not satisfied, they can raise their concern with the ICO.”

Kirk Tudhope, of law firm Ledingham Chalmers.

GDPR governs how any business – the “data controller” – should process personal information.

Kirk Tudhope, a partner in the Inverness office of Aberdeen-based law firm Ledingham Chalmers, said: “Most businesses and organisations should identify emails as being a high risk for potential loss of personal data.

“For example, emails or attachments containing sensitive or confidential information that are sent to the wrong person should be reported to the Information Commissioner within 72 hours and could attract a fine or civil claim.”

Big penalties for non-compliance

Fines worth hundreds of millions of euros have been handed out by information commissioners around Europe since the GDPR was introduced in May 2018. There are two tiers of penalties, with a maximum of 20 million euros (about £14.7m) or 4% of global revenue.

Scottish Canals is the public agency of the Scottish Government responsible for managing the country’s inland waterways. Formerly a division of British Waterways, it became a stand-alone public body of the Scottish Government on July 2 2012.