A COUNCIL may have breached data protection rules after publishing personal details including a National Insurance number on its website.

The information was included in an application for a temporary event notice and published on Wychavon District Council’s website for eight days within committee papers.

The standard national form is required by the Government.

The person concerned has raised the issue with the council but has not filed an official complaint or contacted the Information Commissioner’s Office.

Under the Data Protection Act, organisations must have legitimate grounds for collecting and using personal data and be transparent about how they intend to use it.

The maximum penalty for a serious breach of the Act is £500,000 A spokesman for the ICO said it was “seldom, if ever” appropriate for an organisation to make details such as National Insurance numbers public.

“If they plan to publish personal information on their website the individuals concerned should be made aware of this fact before deciding whether to provide the information,” he said.

He said that organisations should not publish more details than are necessary for their specific purposes nor information which risks causing damage or distress to individuals.

Jack Hegarty, Wychavon’s managing director, said the council took its role as a data protection controller “extremely seriously”. He said: “This was a single isolated case and we took action to remove the applicant’s personal information from our website more than two weeks ago.”

He said the same application form was used by every council in the country. “We will be seeking clarification from the Government about what information is required in their prescribed form,” he said.