Cornwall Council faces a significant data breach after disclosing unredacted personal details—including addresses and phone numbers—of individuals who filed complaints against a councillor, raising serious GDPR compliance concerns.

Cornwall Council has compromised the personal data of multiple citizens through improper handling of complaint documents, exposing names, home addresses, email addresses, and phone numbers despite explicit redaction requests. The breach occurred during an investigation into complaints against Dulcie Tudor, an independent councillor for Threemilestone and Chacewater, who publicly criticized the council's data handling as "crazy" after receiving the unredacted files.
Technical Breakdown of the Failure
Ten individuals filed complaints against Tudor following her questioning during a November council meeting about whether a trans woman qualified as "a real woman" under the UK Supreme Court's April 2025 ruling (Equality Act 2010 interpretation). Four complainants explicitly requested anonymity via standard council procedures. However, when the council forwarded all complaints to Tudor as email attachments, it included:
- Full names of all ten complainants
- Residential addresses
- Personal email addresses
- Phone numbers
Crucially, Tudor stated that although the council claimed the files were redacted before transmission, the sensitive data became visible upon opening the attachments. This suggests critical flaws in one or more of the following:
- Redaction methodology: Use of insecure techniques (e.g., black bars in PDFs instead of permanent deletion)
- Document workflow: Failure to validate output files before distribution
- Access controls: Lack of encryption for sensitive communications
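
A pre-distribution check for the first two failure modes listed above, as an added example (not code from the council or the original article): it searches a PDF's raw bytes and its Flate-compressed streams for values that were supposed to be redacted. The name, phone number, and function names are constructed for illustration; the check assumes text stored as literal strings and does not cover hex-encoded strings, custom font encodings, or document metadata.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def searchable_bytes(pdf: bytes) -> bytes:
    """Raw file bytes plus every stream that inflates as FlateDecode (zlib)."""
    parts = [pdf]
    for match in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            pass  # unfiltered or differently filtered stream; raw bytes are already in parts[0]
    # Drop whitespace and case so "01632 960123" and "01632960123" compare equal.
    return re.sub(rb"\s+", b"", b"".join(parts)).lower()

def leaked_terms(pdf: bytes, must_not_appear: list[str]) -> list[str]:
    """Return the terms from the redaction list that are still recoverable."""
    haystack = searchable_bytes(pdf)
    return [t for t in must_not_appear
            if re.sub(r"\s+", "", t).lower().encode("latin-1") in haystack]

def content_object(content: bytes) -> bytes:
    """Constructed sample: one Flate-compressed PDF content-stream object."""
    data = zlib.compress(content)
    return (b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
            + data + b"\nendstream\nendobj\n")

# Constructed sample data; the name and phone number are fictitious.
REDACTION_LIST = ["Jane Example", "01632 960123"]

# "Black bar" redaction: the text operator is kept and a filled rectangle is painted over it.
BLACK_BAR = content_object(
    b"BT /F1 12 Tf 72 700 Td (Complainant: Jane Example, 01632 960123) Tj ET\n"
    b"0 g 70 695 320 16 re f\n")

# True redaction: the text itself was removed from the content stream.
REMOVED = content_object(b"BT /F1 12 Tf 72 700 Td (Complainant: [REDACTED]) Tj ET\n")

def safe_to_send(pdf: bytes) -> bool:
    """Gate for the outgoing attachment: True only if nothing on the list survives."""
    return not leaked_terms(pdf, REDACTION_LIST)

if __name__ == "__main__":
    for label, doc in (("black bar", BLACK_BAR), ("removed", REMOVED)):
        print(label, "->", leaked_terms(doc, REDACTION_LIST) or "clean")
```

The check runs against the exact file that will be attached, after redaction, so it also catches a workflow that redacts one copy and sends another.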
Compliance Violations and Escalation
The breach violates multiple GDPR principles enforced by the UK's Information Commissioner's Office (ICO), including:
| GDPR Principle | Violation Detail |
|---|---|
| Data Minimization | Collected excessive personal data beyond complaint requirements |
| Integrity/Confidentiality | Failed to protect data via technical measures |
| Lawful Processing | Disclosed data without consent (4 complainants explicitly withheld consent) |
The council reportedly failed to immediately notify affected individuals or confirm whether it reported the incident to the ICO. Tudor independently alerted the ICO and shared documents with the Free Speech Union, further disseminating the exposed data.
Systemic Vulnerabilities
This incident reflects broader failures in Cornwall Council's data governance:
- Inadequate Training: Staff mishandled redaction requests despite established protocols
- Technical Debt: Suspected reliance on outdated document editing tools without validation checks
- Risk Amplification: Tudor identified that leaked data could reveal whether complainants were council officers or elected officials—information she emphasized should never be accessible
No council systems were compromised externally; the breach resulted entirely from internal procedural failures. Cornwall Council has not provided technical details about the file formats or redaction tools involved, nor explained why personal identifiers weren't stripped from metadata.
Implications for Public Sector Data Handling
Public bodies managing sensitive citizen data must implement:
- Automated redaction software with audit trails (e.g., Adobe Acrobat Advanced Redaction)
- Mandatory pre-distribution file validation checks
- Role-based access controls limiting data visibility
- Annual GDPR compliance drills simulating breach scenarios
The ICO can impose fines up to £17.5 million or 4% of annual turnover for such violations. Cornwall Council's ongoing silence exacerbates reputational damage and potential liability. Organizations handling sensitive data should treat this breach as a case study in operational negligence—verifying document workflows remains non-negotiable for compliance.
