UK council faces data breach claim after mishandling trans complaints
(2026/02/22)
- Reference: 1771752849
- News link: https://www.theregister.co.uk/2026/02/22/cornwall_council_complaints_breach/
- Source link:
A UK councillor has dubbed her local authority's data breach "crazy" after the personal details of individuals behind a series of complaints were revealed to her.
Dulcie Tudor, an independent councillor for the Threemilestone and Chacewater area in Cornwall, England, publicized the [1]data protection gaffe via social media following complaints about comments she made during a November council meeting.
Cllr Tudor received ten complaints after asking fellow councillor Leigh Knight whether a trans woman was a real woman.
The context
The comments were made in the meeting, which in part discussed the UK Supreme Court's ruling in April 2025 that the legal definition of a woman was based on their biological sex.
That ruling came after the For Women Scotland campaign group appealed against the Scottish government's decision to add transgender women to board representation quotas, arguing that such protections should apply only to a person's sex as they were born.
The Supreme Court ruled that the definition was as described in the [2]Equality Act 2010 that a person's gender should legally be designated by their birth sex.
The Act still provides protections for trans people from discrimination, but it means trans women may encounter legal difficulties in accessing same-sex facilities and spaces.
In a [3]video posted to her Facebook page , Cllr Tudor explained that the complaints process typically sees complainant names shared with the individuals to whom their claim pertains, unless consent for the information is explicitly withdrawn.
Four of the ten complainants opted to redact their names from the complaints, which are sent to the relevant person – in this case, Cllr Tudor. However, in passing the complaint on, the council included the details of all ten.
[4]
Moreover, regardless of whether consent is given or not, the subjects of complaints should never normally see the complainants' home addresses, email addresses, or phone numbers, but in this case all these data points were shared with Cllr Tudor.
[5]Attackers have 16-digit card numbers, expiry dates, but not names. Should org get £500k fine?
[6]Legacy systems blamed as ministers promise no repeat of Afghan breach
[7]Students bag extended Christmas break after cyber hit on school IT
[8]UK watchdog urged to probe GDPR failures in Home Office eVisa rollout
She went on to suggest that with the information she was handed by the council, she could have seen which complainants were council officers and which were elected councillors, without confirming either were involved.
"It's crazy," she said. "I shouldn't know that."
[9]
[10]
At the time of posting her video, the council had not explained how the breach occurred, whether they had informed the complainants about the situation, or whether it had reported itself to the [11]Information Commissioner's Office (ICO).
Cllr Tudor said that because of these complaints, she had to pass the information on to the Free Speech Union, which is representing her, as part of her response, meaning the information was shared even more widely. She also said that she informed the ICO on the complainants' behalf.
[12]
The councillor posted an update saying the council told her that no wrongdoing occurred "because when the complaints were sent to [her] as attachments, the complainants' personal information was redacted."
She wrote: "Want to know how it became unredacted? I opened the files!"
The Register contacted Cornwall Council for a response but it did not immediately reply. ®
Get our [13]Tech Resources
[1] https://www.theregister.com/2024/10/24/uk_proposes_new_data_law/
[2] https://www.theregister.com/2010/11/08/equality_act_flaw_undermines_compromise_agreements/
[3] https://www.facebook.com/reel/1937701213503427
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[5] https://www.theregister.com/2026/02/20/ico_wins_battle_in_protracted_fight/
[6] https://www.theregister.com/2026/02/11/uk_afghan_breach_probe/
[7] https://www.theregister.com/2026/01/06/nuneaton_school_cyberattack/
[8] https://www.theregister.com/2025/12/12/ico_home_office_evisa/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2025/12/08/ico_home_office_rfr/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Dulcie Tudor, an independent councillor for the Threemilestone and Chacewater area in Cornwall, England, publicized the [1]data protection gaffe via social media following complaints about comments she made during a November council meeting.
Cllr Tudor received ten complaints after asking fellow councillor Leigh Knight whether a trans woman was a real woman.
The context
The comments were made in the meeting, which in part discussed the UK Supreme Court's ruling in April 2025 that the legal definition of a woman was based on their biological sex.
That ruling came after the For Women Scotland campaign group appealed against the Scottish government's decision to add transgender women to board representation quotas, arguing that such protections should apply only to a person's sex as they were born.
The Supreme Court ruled that the definition was as described in the [2]Equality Act 2010 that a person's gender should legally be designated by their birth sex.
The Act still provides protections for trans people from discrimination, but it means trans women may encounter legal difficulties in accessing same-sex facilities and spaces.
In a [3]video posted to her Facebook page , Cllr Tudor explained that the complaints process typically sees complainant names shared with the individuals to whom their claim pertains, unless consent for the information is explicitly withdrawn.
Four of the ten complainants opted to redact their names from the complaints, which are sent to the relevant person – in this case, Cllr Tudor. However, in passing the complaint on, the council included the details of all ten.
[4]
Moreover, regardless of whether consent is given or not, the subjects of complaints should never normally see the complainants' home addresses, email addresses, or phone numbers, but in this case all these data points were shared with Cllr Tudor.
[5]Attackers have 16-digit card numbers, expiry dates, but not names. Should org get £500k fine?
[6]Legacy systems blamed as ministers promise no repeat of Afghan breach
[7]Students bag extended Christmas break after cyber hit on school IT
[8]UK watchdog urged to probe GDPR failures in Home Office eVisa rollout
She went on to suggest that with the information she was handed by the council, she could have seen which complainants were council officers and which were elected councillors, without confirming either were involved.
"It's crazy," she said. "I shouldn't know that."
[9]
[10]
At the time of posting her video, the council had not explained how the breach occurred, whether they had informed the complainants about the situation, or whether it had reported itself to the [11]Information Commissioner's Office (ICO).
Cllr Tudor said that because of these complaints, she had to pass the information on to the Free Speech Union, which is representing her, as part of her response, meaning the information was shared even more widely. She also said that she informed the ICO on the complainants' behalf.
[12]
The councillor posted an update saying the council told her that no wrongdoing occurred "because when the complaints were sent to [her] as attachments, the complainants' personal information was redacted."
She wrote: "Want to know how it became unredacted? I opened the files!"
The Register contacted Cornwall Council for a response but it did not immediately reply. ®
Get our [13]Tech Resources
[1] https://www.theregister.com/2024/10/24/uk_proposes_new_data_law/
[2] https://www.theregister.com/2010/11/08/equality_act_flaw_undermines_compromise_agreements/
[3] https://www.facebook.com/reel/1937701213503427
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[5] https://www.theregister.com/2026/02/20/ico_wins_battle_in_protracted_fight/
[6] https://www.theregister.com/2026/02/11/uk_afghan_breach_probe/
[7] https://www.theregister.com/2026/01/06/nuneaton_school_cyberattack/
[8] https://www.theregister.com/2025/12/12/ico_home_office_evisa/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2025/12/08/ico_home_office_rfr/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZrh0OQwGnFUsOJROniz0QAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Guide to redaction
that one in the corner
Step 1) Select the text and change the background colour to black.
"But, but I did do redaction, see: now it looks just like those CIA memos you see in all the movies"
Step 2) Remember to never, ever "Save as..." plain text before attaching to an email; there is a reason we insist every recipient go out and buy Word whenever they complain[1]
[1] nothing to do with this case per se, but I was once emailed a "private and confidential form to be completed" Word document and told to expect the password in another email a day later. I completed the form and returned it within the hour - because Libre Office had no idea this was supposed to be "protected", it certainly wasn't even so much as rot13 "encrypted", so it opened without any fuss. Described this to the originator in the face to face and was met with a blank stare, to the horror of the wife, who had accompanied me and also has to deal with confidentiality in a professional capacity (medical).
Simple explanation: Everyone knows how to use computers and email so there's no point wasting money training them, is there?