Solihull Council Admits to 537 Data Breaches Since 2020

Solihull Council has experienced 537 data breaches since 2020, but only 11 of those were reported to the Information Commissioner’s Office (ICO), newly released information reveals.

The figures, released via a Freedom of Information (FOI) request by the Solihull Journal, have prompted concerns about transparency, data protection standards, and the Conservative-led council’s handling of sensitive resident information.

The Council refused to release details about the nature, causes, or resolution of the incidents, citing the excessive time it would take to review all reports — estimated at 90 hours — as justification under Section 12(1) of the Freedom of Information Act.

In response, Liberal Democrat Group Leader Councillor Ade Adeyemo described the situation as “shocking,” highlighting a lack of openness and scrutiny from the Council leadership.

“On its own, 537 data breaches is a shocking figure. Just as shocking is the fact that Solihull Council has reported itself 11 times since 2020 to the Information Commissioner’s Office (ICO),” he said.

“Of particular concern is the refusal of the Conservative administration to accept that there are vulnerabilities in the council’s systems for collecting cash payments over the phone. Despite the evidence of a massive data breach involving 380 residents, the Cabinet Portfolio Holder for Resources repeatedly stated in Full Council that the council’s payment systems are secure.”

Councillor Adeyemo further raised questions over the Council’s failure to inform elected representatives about breaches that could affect residents’ personal data and financial information.

“I have seen many reports of the council’s systems over the last five years. However, I cannot recall any reports of data breaches being disclosed to councillors. At the very least, the Audit Committee should have been informed about such serious data breaches, to enable proper investigation and scrutiny.”

“Transparency and withholding information from opposition groups has been an ongoing problem under the Conservative administration that runs Solihull Council. I will now call on the council to urgently let us know the nature of these data breaches and what has been done to make sure that they don’t happen again.”

“It should not take exposure by way of a Freedom of Information request for the Conservatives to do the right thing for Solihull.”

Despite repeated requests from The Solihull Journal, Solihull Council declined to comment on the revelations.

Legal Context

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations are required to report certain personal data breaches to the ICO within 72 hours of becoming aware of the incident, if the breach is likely to result in a risk to the rights and freedoms of individuals. The ICO also expects organisations to assess the severity of each breach and document decisions when choosing not to report.

The fact that over 98% of Solihull Council’s data breaches were not reported to the ICO raises significant questions about how risks were assessed – and whether affected residents were informed when appropriate.

With no public record or formal report made to councillors, the Council’s approach has come under fire for lacking basic accountability mechanisms.

An ICO spokesperson told The Solihull Journal: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. 

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”  
