Hastings Borough Council data breach on eve of new rules

On the eve of strict new data regulations being introduced a council email about the changes accidentally revealed people's personal data.

Hastings Borough Council's culture team sent out correspondence about the General Data Protection Regulation (GDPR), which comes in on Friday.

It provides Europeans with new data protection rights.

The authority has apologised after revealing the email addresses of all recipients to each other.

On Twitter, external John Pratty said: "Our Borough Council just sent out their GDPR email for arts list people asking for a simple opt-in or opt-out email reply.

"Unfortunately they CCd everyone. Yes, everyone. Want to buy a good arts contact list? #GDPRday"

A spokesman for the East Sussex council said: "This was human error, an apology was immediately sent out afterwards. Our most sincere apologies."

The member of staff did not blind copy (Bcc) in all contacts, which would have ensured the email addressed were not revealed.

A follow-up email asked to reply and then delete the previous correspondence.

Had the email been sent on Friday, it would have constituted a breach of personal data.

Under the new rules businesses must report any data breaches to the Information Commissioner's Office within 72 hours if they have "potential negative consequences for individuals".