Ochil View Housing Association accidentally shared a message with the details of people who are renting one of their homes.
The Alloa-based service provides homes for rent and sale across West Fife and Clackmannanshire.
The data leak occurred on Tuesday, January 7 as Ochil View sent out an email to advertise their Meet, Heat and Eat Events for 2025.
Within the main body of the message, the email addresses of around 200 recipients were included, with some containing the names of the residents involved.
The Alloa-based housing association provides homes for rent and sale across Clackmannanshire and West Fife.
The Advertiser spoke with one of the affected tenants, who did not want to be named and said that this was the second time Ochil View had done this, claiming a similar data leak happened last year.
They said: “Once is bad enough but doing the same thing again the following year is just incompetence.
“In this day and age, there are many strange people out there, cyber criminals, the usual.
“So to have something that can clearly identify some people and then state no breach has been committed is just wrong.”
Immediately after the data leak, Ochil View sent out a follow-up email asking people to delete the last email.
The tenant the Advertiser spoke with said they were also asked to reply confirming they had done so.
Ochil View said they were investigating the incident, but insisted that nothing sensitive or confidential had been leaked.
Chief executive Anne Smith said: “An email was sent by Ochil View Housing Association to some of our tenants in error.
“The content of the email that was sent was generic, not specific to individual recipients and did not reveal anything particularly sensitive or confidential about them.
“We take compliance with our responsibilities under the UK General Data Protection Regulation (GDPR) very seriously and are currently liaising with our data protection officer, who is investigating this matter and advising us on next steps.”
Under the UK GDPR, personal data is regarded as “any information relating to an identified or identifiable natural person”.
This refers to someone “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name”.
The Advertiser contacted the Information Commissioner’s Office (ICO), who monitor and respond to breaches of GDPR.
They said they could only act if the organisation (Ochil View) reported the data leak, but members of the public can get in touch to report concerns.
A spokesperson for the ICO added: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.
“All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.”