County Hall gates

Council refers itself to Information Commissioner's Office

Lancashire County Council has referred itself to the Information Commissioner's Office following a data breach involving its new HR and finance system. 

At this point there is no evidence that personal data has been publicly available, only that this information has been visible to internal users should someone want to find it. 

This breach occurred as a result of the implementation of the new HR and finance system and not an external cyber attack. 

The system, which was introduced just before Christmas, is used by Lancashire County Council, West Lancashire Borough Council, Lancashire Fire and Rescue Service and Lancashire schools and academies.  

The breach primarily relates to personal email addresses and phone numbers.  

The only people who will have been able to see information are those in the organisations with either a HR, Payroll, Pensions Finance, Procurement or Hiring Manager role profile.  

In addition, the data was not easily viewable and required users to actively search for it.   

Lancashire County Council informed the Information Commissioner's Office as is standard procedure following any data breach. 

An examination of the system has been undertaken and safeguards put in place to ensure additional breaches have been prevented.  

Lancashire County Council have both masked personal data and increased its security. 

Staff at all the organisations will be kept updated throughout the investigation. 

Angie Ridgwell, Chief Executive of Lancashire County Council said: "I recognise that any breach of data can be extremely concerning for a variety of reasons and would encourage all staff to remain vigilant  

“A number of issues have been identified and we have responded to each to ensure the security of the system, as well as adding extra layers for protection.  

"No-one who was not a registered user of this system has been able to access it, and we have improved our auditing function to better track how our data is being utilised. 

"We do take data security and confidentiality very seriously.  

"All staff are required to complete annual Information Governance training to support them in their roles and we have a robust system in place to manage and learn from significant events."