London Borough of Harrow (22 008 875)
The Ombudsman's final decision:
Summary: Ms X complains about the Council’s handling of her mother’s blue badge application and data breach by its contractor causing distress. The Information Commissioner has considered the data breach. The Council has accepted it was at fault. It has already apologised and offered a suitable remedy. So, we are discontinuing our investigation into the complaint.
The complaint
- I have referred to the complainant as Ms X. She complains for her mother Mrs Y about the way the Council’s contractor dealt with her blue badge application. Ms X says the contractor used a wrong email address for Mrs Y and sent her information to someone else. Ms X remains unhappy with the response from the Council and contractor and says it has caused distress to Mrs Y and the family.
What I have and have not investigated
- I have investigated the Council and its contractor’s response to the matter. I have not considered the data breach as that is a matter for the Information Commissioner (ICO) who has already decided the issue.
The Ombudsman’s role and powers
- We investigate complaints about councils and certain other bodies. Where an individual, organisation or private company is providing services on behalf of a council, we can investigate complaints about the actions of these providers. (Local Government Act 1974, section 25(7), as amended)
- The Ombudsman investigates complaints about ‘maladministration’ and ‘service failure’, which we call ‘fault’. We must also consider whether any fault has had an adverse impact on the person making the complaint, which we call ‘injustice’. We provide a free service but must use public money carefully. We do not start or may decide not to continue with an investigation if we decide:
- there is not enough evidence of fault to justify investigating, or
- any fault has not caused injustice to the person who complained, or
- any injustice is not significant enough to justify our involvement, or
- we could not add to any previous investigation by the organisation, or
- further investigation would not lead to a different outcome, or
- we cannot achieve the outcome someone wants, or
- there is another body better placed to consider this complaint, or
- it would be reasonable for the person to ask for an organisation review or appeal.
(Local Government Act 1974, section 24A(6))
- We normally expect someone to refer the matter to the Information Commissioner if they have a complaint about data protection. However, we may decide to investigate if we think there are good reasons. (Local Government Act 1974, section 24A(6), as amended)
How I considered this complaint
- I have considered the information provided by Ms X and spoken to her about the complaint. I considered documents from the Council and its responses to Ms X’s complaints.
- Ms X, Mrs Y and the Council had an opportunity to comment on my draft decision. I considered any comments received before making a final decision.
What I found
- Mrs Y applied to the Council for a blue badge to use in a vehicle. The Council uses an independent company I will refer to as Company B to act on its behalf to assess travel concession applications. Company B dealt with the application. Ms X contacted Company B a few months later as the family had not received a response. Ms X found Company B had invited Mrs Y to attend a mobility assessment as part of the application. Company B declined Mrs Y’s application as she failed to attend the assessment.
- Ms X found Company B had sent its response to a wrong email address for Mrs Y. Ms X said the family were unaware of the assessment appointment and complained about a breach of data as Mrs Y’s medical information had been sent to the email address. Ms X said the email was in use as it had not ‘bounced back’ as invalid.
- Company B investigated the matter. It told Ms X a temporary worker at the company had input personal information from Mrs Y’s application into its computer system. Unfortunately, the worker had put in a wrong email address for Mrs Y. Once the matter had been brought to Company B’s attention it sent Mrs Y a second invite for a medical assessment. But it acknowledged it had used the incorrect email address again as it had failed to change it. And it sent a second letter to Mrs Y declining her application to the incorrect email address after the assessment.
- Company B acknowledged it had used the wrong email address due to human error and sent an email containing potentially sensitive medical information about Mrs Y. Company B found the email address appeared to be registered but it had no reason to believe the owner had made use of the information. Company B recognised it raised a privacy concern for Ms X and Mrs Y and offered to fund an identity protection service for her for a year. This helps to identify any fraudulent activity and provides support if a person becomes a victim of fraud. Company B confirmed it logged the incident as part of its quality process which would be looked at in a quality audit by an external company.
- Ms X remained unhappy with Company B’s response as she felt it had made many errors and failed in its duty of care towards Mrs Y. Ms X said Company B were late in informing the ICO about the breach. So she reported the incident to the ICO and to the Council. Ms X asked for the identity protection service to be in place for longer and financial compensation because of the impact on Mrs Y’s health. Company B confirmed it had reported the matter to the ICO.
- Ms X also appealed the decision to decline Mrs Y’s blue badge application. This was upheld on appeal and Mrs Y awarded a blue badge.
- The Council responded to Ms X’s complaint. It considered it had been a genuine error by Company B who had kept the Council informed of its actions throughout the incident. The Council considered Company B had carried out appropriate and proportionate remedial action including full disclosure to the ICO and Council. It noted Company B had made an offer of £150 in compensation as a gesture of goodwill for any distress caused. The Council also apologised for the breach of data.
- The Council considered Company B’s offer of compensation and the identity protection service for 12 months to be a suitable amount. It did not agree with Ms X that the breach was so damaging that a higher compensation amount should be offered.
- The ICO considered Ms X’s complaint about the data breach. It decided not to take any further action and closed the case. It made recommendations to Company B to ensure its policies and procedures were fit for purpose. It reminded Company B of the need to report incidents within 72 hours of being aware they had occurred.
My assessment
- As paragraph two explains, the ICO is the appropriate body to consider complaints about data breaches and it is better placed to consider the concerns. So, there are no good reasons for us to consider the matter further or comment on the data breach. This is because the ICO has considered the complaint but decided to take no further action. The ICO made recommendations to Company B about its data protection policies and procedures.
- I recognise the matter has caused distress to Ms X and Mrs Y. However, the incident has been investigated and considered by Company B and the Council. As Company B act on the Council’s behalf, the Council is ultimately responsible for its contractor’s actions. Both have accepted it was at fault and there was a data breach caused by human error. The Council and Company B have apologised for the breach. They have offered Mrs Y £150 compensation and 12 months of identity protection service. This is reasonable action for the Council to take as it will offer Mrs Y some protection against any possible fraudulent action. Company B and the Council’s consideration of the matter has been thorough. Because of this and the remedy already offered, I do not consider I can achieve anything further for Ms X and Mrs Y through further investigation or achieve a different outcome. So, I intend to discontinue my investigation into the complaint.
Final decision
- I am discontinuing my investigation into the complaint. The Council has accepted it was at fault and has offered a suitable remedy. I do not consider I can achieve anything more for Ms X and Mrs Y through further investigation or achieve a different outcome.
Investigator's decision on behalf of the Ombudsman