Brit housing association blabs 3,500 folks' sexual orientation, ethnicity in email blunder A UK housing association blurted 3,500 people's sensitive personal data as part of a bungled "please update your contact details" email exercise, The Register has been told. Watford Community Housing (WCH) sent the email on the night of 23 March to people it thought were its tenants. The email included a spreadsheet with 3,544 …
This morning there was an article on the main BBC news website page*, detailing the precise opposite.
Gay people, who because of the virus "had no choice"** but to live at home with their "homophobic" parents. Is "heterophobia" a thing, and how it seems acceptable to abuse their parents.
* Not apparent 30 mins ago, don't know if its been moved or deleted.
** Everyone has a choice, could they not move in with their friends, even if platonically? It's a bit sad when they don't even have a friends couch to turn to.
Ethnicity data should be anonymous. Any time I've been asked to fill in an ethnicity questionaire as an employee or applicant it has been a separate form with no name, NI or other identifying details on it. This should be no different and even if it were such data should not be stored in an unencrypted Excel spreadsheet then emailed to randos.
Usual for gender, sexuality and race there is a "prefer not to say" answer.
"Prefer not to say" is a just a synonym for "Actually, I'd prefer not to have this job/service/home" as it will instantly mark you down as a likely member of the awkward squad. They are not supposed to use it against you, but what's to stop them?
Fill it in as white British straight male/female, whatever you actually are, or as close to it as you plausibly can, unless the organization makes a huge deal of being highly something-tolerant - in which case be that.
Then you'd be wrong. If you don't know the people you serve then how do you know whether you are discriminating against them, intentionally or otherwise? Then, of course, you can also answer accusations of discrimination such as "You don't house gay black women" with "Well actually...".
why do they have some of this info in the first place? And why do they still need it? I mean sexual orientation? What has that to do with getting you into community housing? I cant think of a single reason why you would need that.
It sounds like the data controllers over at WCH are suffering from data hoarder syndrome. Remember folks - Just because you might get some info does not mean you need to collect it or keep it...
That's easy. Get the homophobic racist evicted. Problem solved.
Everything is easy for those who don't have to do it.
On what grounds could you evict them? "Homophobic racist" isn't a reason a landlord can present to a court. A sizable proportion of the population would be on the streets if it were.
They'll be needing an 'Are you a violent homophobic racist? Y/N' question then!
There are various legal requirements for public bodies to do equality and diversity Impact Assessments. In my experience it's always emphasised that answering the deeply personal questions is optional, so preferably anyone with 'closet status' sexuality or religion doesn't blab it, but that's probably not the case.
No, it was Gilbert Harding.
I believe the original question was "Do you intend to overthrow the government of the United States?" The idea was that overthrowing the government was quitelegal, but lying on an immigration form could get you into trouble.
They let Harding in, and that was why (after he revealed it) the form was amended.
It is a bit like Alan Turing filling in the form to apply for the Home Guard and, as it said that by signing the form you put yourself under military discipline, he didn't sign it. Nobody noticed till he announced he was leaving.
I was actually going to make a joke there about there needing to be an "Are you homophobic?" column, or an "are you racist" column?
But figured that would be just being stupid. But there you go first reply, someone stating thats the reason. *shakes head*
Tell me then good Sir, how do you know in one flat you have a homophobic racist and in another you have "civil people"? Do tell, in which column is that in the tables? How was that info collected?
How was that info collected?
By the police tipping the council off that they've had to issue a warning to the homophobic racist and that anyone reporting a further problem to the council regarding that tenant should be directed straight to the police re. this case number.
Is it essential to know an individual's ethnicity, religion, sexual orientation or even blood group in order to house them.
Simply being an individual or family in need of a home should be enough, obviously then a housing association may need to check financial and criminal backgrounds but the above, why?
When Bristol council wanted to introduce a residents parking scheme in our area the paperwork that they made available outlining the proposals included seperate 2-3 page "impact assesments" on how the proposal would affect women, enthnic minorities, LGBTetc people, elderly, children, and other groups as they had to demonstrate that they'd considered the implications of equalities legislation as otherwise they'd be open to judicial review (as was case of Heathrow 3rd runway where court ruled that until they added info to demonstrate it was within the climate law that couldn't procede). So HA's doubtless collect all this info so that if someone challenges a decision on the basis that they "don't house anyone from xxxx minority" they'll have the evidence to show that they do.
Well that's stupid. Because treating impact assessments as a box-ticking exercise misses the chance to actually benefit from thinking about it.
Potential issue one - moving the bus stop 100m up the road to facilitate the residents parking spaces places it directly outside the local BNP office, causing increased risk of violence to LBGetc & ethnic minorities.
Potential issue two, replacing disability parking spaces in this street with residents only parking impacts the disabled & elderly users of the podiatry clinic at no.5.
Potential issue three - restricting parking on this street to residents only will increase the parking pressure on the next street over which contains a primary school and a nursery.
It seems to be a fiull house: keeping personal data in the sensitive category without it being necessary (so far as we can see); keeping it in an unencrypted spreadsheet, then mailing it to world+dog.
I bet the person responsible has had little or no training in data protection and GDPR.
I really hope they informed the ICO before this was published.
They emailed the entire spreadsheet to everyone, saying "please update your row"?
Good thinking Batman.
Quite apart from the privacy breach, how would they plan to merge up to 3500 returned spreadsheets that each differ by just one row?
Unfortunately, this is typical of the level of thought that goes into much business planning these days. It'll be interesting to see how well it survives the current emergency situation.
"Oh well, just change all of them!"
That rule only applies for people called "Perky Pat".
"how would they plan to merge up to 3500 returned spreadsheets that each differ by just one row?"
I have met people who have used Excel for decades who would probably think that when everyone updated their individual row, the master copy would also be automagically updated.
A long time ago I took over a Housing Association application and discovered that the forms for every single aspect of the database were in a single program and thus anyone who need access to, say, property maintenance schedules could see anything else, such as rent arrears for any tenant. I made a start on unpicking it before I left. Back in the day neither the original client nor the developers seemed to have noticed nothing wrong with the original version of that. It sounds as if someone at WHA might not have either.
I presume this is an extract of data held in a "proper" database, and that that database has a "proper" authentication heirarchy. In which case, the extract has been carried out by someone with the highest level of access to that data who can be identified and "advised".
If my presumption is wrong, and the primary storage medium is a spreadsheet, then they have an even more serious issue. As Mike 137 infers, lord knows what the master spreadsheet would have looked like once the amendments started coming back and updates made.
Storing the data in a spreadsheet is perfectly acceptable. The GDPR does not specify the medium nor mechanism of storage nor means of securing the data, just specifying principles.
Storing the data in a spreadsheet and allowing some numpty free access to it when it includes sensitive personal data (a special category) is utterly wrong. Fine if access to the spreadsheet was highly restricted but when it's been sent unencrypted in an email it's plainly obvious that this is almost certainly not the case.
It's probably stored in an unencrypted form on a cloud service with cloud copies hosted in datacentres where the regime has effectively zero data protection for individuals.
A problem there is (e.g.), Version Control. How does one ensure that the file you are looking at is the latest version?
The simplest scenario where this potentially falls down is two people on a LAN trying to edit it at the same time. One of these people should see a Read Only message which means they may still edit it and temporarily save it somewhere else then, later, overwriting the master with the new copy, (incidentally, trashing the edit carried out by the first user).
If the temporary file is left on disk, without deleting it, someone is going to come along later and assume it's the master file.
All very well having procedures to advise people not to do this, but the original article proves that people don't think things through particularly well.
I speak from long experience at observing how many companies manage their data.
It's not so many years ago since a council, not a dozen miles from me, had two different coloured job application forms.
If you went into the council office to fill in a job application, you got asked "what school did you go to?". You got one or the other colour form depending on your answer.
The reason ? Catholics attended certain schools, and Protestants (and others) attended specific other ones.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
