City of Port Phillip leaks personal details in data.gov.au blunder

An unknown number of residents who reported graffiti to a Melbourne-based council have had their personal information inadvertently published on the federal government’s open data portal.

The City of Port Phillip council revealed the data breach on Wednesday, saying that names, phone numbers and email addresses were disclosed in its graffiti management dataset on data.gov.au.

Property addresses “used to identify the location of the graffiti” were also accidently release “in some instances”, which the council said “may link the person reporting the graffiti to that address”.

The data was publicly accessible on data.gov.au - which contains more than 30,000 anonymised datasets - for seven months before it was taken down at the beginning of October.

“Council became aware of the breach on 5 October 2020 and in response conducted an internal investigation,” the council said.

“It was determined that the data breach started in March 2020.

“The dataset was immediately suspended from the data.gov.au website at 8.45 am on 5 October 2020, to prevent any further views/downloads.

“Council has endeavoured to directly contact any persons affected by this breach via email.”

A spokesperson told iTnews that "approximately 764 email addresses and 859 phone numbers were published", of which "53 percent of email addresses belonged to businesses and 28 percent of phone numbers were for landlines or 1300 numbers".

“For transparency, and because we take the protection of personal information very seriously, we reported all of these to the Office of the Victorian Information Commissioner,” the spokesperson added.

The council said the incorrect dataset was selected “during work to automate the generation of the graffiti dataset” and then accidentally approved for publication on data.gov.au.

“As the data was open to the public, Council is not able to confirm who has accessed the data,” it added.

As a result of the accidental disclosure, the council said it had updated the process for publishing open data, and now included a “peer review and sign-off prior to publishing”.

It has also updated “automated generation of data”, so to include only “information that relates to the location of graffiti (street number, street name, suburb, postcode and date submitted)”.

“Council sincerely apologises for the disclosure of personal information and for any distress and inconvenience this may cause,” it said.

“Council regards the protection of personal information to be of great importance and makes every effort to safeguard personal information under its control.

“Council assures that this breach is being appropriately addressed by the organisation, and all endeavours will be undertaken to ensure that future breaches of this nature do not occur.