Here we go again
"we are an organisation that takes data protection and privacy with the utmost seriousness"
Except when you don't, like when you set up a URL to specifically contain person-identifying data and not a single nitwit in your organization wakes up and says "hey, should we really be doing that ?"
But go ahead and trot out that threadbare carpet with the "we take your security seriously" embroidered on. It's not like that already hasn't been used to the bone, right ?