|Breach of act
|Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, such as having a peer checking process for envelopes containing confidential and sensitive personal data and providing appropriate staff training.
|Known or should have known
|Staff working in the People Services department were used to dealing with such cases and the data controller would have been aware of the confidential and sensitive nature of the personal data they were dealing with on a daily basis.
|Likely to cause damage or distress
|The data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may have been further disseminated and possibly misused, even if those concerns do not actually materialise. Many of the affected individuals were considered to be vulnerable.