- The MPs' expenses watchdog published the names, addresses, and a phone number for two Dawn Butler staffers.
- The incorrectly redacted receipts also had a link to an order confirmation page with the private data.
- The watchdog is already being sued over a 2017 breach of a salary spreadsheet.
The UK Parliament's expenses watchdog accidentally leaked the names, home addresses, and a phone number for parliamentary staffers working for Labour MP Dawn Butler, Insider can disclose.
On October 8, in response to a freedom of information request, the Independent Parliamentary Standards Authority (IPSA) published the receipts for two laptop stands purchased by Butler for her staff to use.
The receipts contained the unredacted names and home addresses of two of Butler's staffers, who work for the MP in Parliament. Insider has redacted the staffers' personal data.
Links within the receipt were also unredacted, allowing access to the order confirmation pages.
These had the names and home addresses of both aides, as well as a phone number and email address for one of the assistants.
IPSA removed the page after Insider contacted it on Monday evening to alert it to the data breach, meaning the information was online for three days.
An IPSA spokesperson told Insider: "We have contacted both the Member of Parliament and the two staff members to explain what happened and offer our sincere apologies for this mistake. We will review our procedures and make any changes needed to avoid future errors."
In a separate letter to Insider, an IPSA official said the organisation takes its information security responsibilities "very seriously," and that "the safety and security of MPs and their staff is our priority."
Butler's office did not immediately respond to Insider's request for comment.
Separately, IPSA is currently being sued by hundreds of political staffers over a 2017 data breach, the Register reported. A spreadsheet was mistakenly published containing MPs' staff names, salaries, hours worked, working patterns, and holiday entitlements. More than 3,000 people were affected.
In a letter to MPs in March 2017, IPSA said the breach did not contain "information relating to the security of the individuals" such as phone numbers or addresses.
Some staff who had their personal data published received compensation payouts, while 216 claimants are still suing IPSA in the High Court.
Possible consequences
The Information Commissioner's Office (ICO), the UK's data regulator, said it had not yet received notification of the recent breach from IPSA.
An ICO spokesperson told Insider: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.
"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it and be able to explain why it wasn't reported if necessary."
One expert suggested the leak could lead to enforcement action by the ICO.
James Castro-Edwards, a data protection lawyer at Arnold & Porter, told Insider: "The unauthorised disclosure of individuals' personal information may amount to a 'personal data breach' for the purposes of the UK GDPR," referring to the General Data Protection Regulation, the framework for data protection in the UK.
"The ICO has a broad range of powers and may take enforcement action against organisations that fail to adequately protect individuals' personal data."