Cornwall Council Faces Data Breach Investigation After Councillor Receives Complainant Details
A data breach at Cornwall Council has sparked outrage after a local councillor received the personal details of individuals who filed complaints against her. The incident, described as “crazy” by Councillor Dulcie Tudor, has raised serious questions about the council’s data protection protocols and adherence to privacy regulations.
The Incident and Its Origins
Dulcie Tudor, an independent councillor representing Threemilestone and Chacewater, publicly disclosed the data protection lapse on social media. The breach occurred following complaints related to comments she made during a council meeting in November. Specifically, Tudor asked fellow councillor Leigh Frost whether a trans woman was a “real woman.”
The exchange took place within the context of a recent UK Supreme Court ruling in April 2025. The ruling clarified that the legal definition of a woman is based on biological sex, stemming from an appeal by the For Women Scotland campaign group against the Scottish government’s inclusion of transgender women in board representation quotas. While the Equality Act 2010 still protects trans people from discrimination, the ruling has created legal complexities regarding access to single-sex facilities and spaces.
Details of the Data Breach
Typically, Cornwall Council’s complaints process involves sharing complainant names with the individual against whom the complaint is made, unless the complainant explicitly requests anonymity. In this case, four of the ten complainants opted to redact their names. However, the council inadvertently included the full details – including names and contact information – of all ten complainants when forwarding the complaints to Councillor Tudor.
According to Tudor, the information she received included home addresses, email addresses, and phone numbers, data points that should never have been shared regardless of consent. She also noted the potential to identify council officers and elected councillors among the complainants.
Council Response and Further Action
Initially, the council did not explain how the breach occurred or whether the affected complainants had been informed. Tudor subsequently reported the breach to the Information Commissioner’s Office (ICO) on behalf of the complainants and shared the information with the Free Speech Union, which is representing her.
The council later informed Tudor that no wrongdoing occurred given that the complainants’ personal information was redacted in the initial attachments. However, Tudor clarified that the information became unredacted when she opened the files.
Implications and Ongoing Concerns
This incident highlights the critical importance of robust data protection measures within local government. The accidental disclosure of personal information not only violates privacy regulations but also potentially puts individuals at risk. The ICO is likely to investigate the matter further to determine whether Cornwall Council’s data handling practices were adequate and whether any enforcement action is necessary.
As of February 22, 2026, Cornwall Council had not issued a public statement regarding the breach beyond its communication with Councillor Tudor.
Related reading