|Breach of act
||Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel).
|Known or should have known
||The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request.
|Likely to cause damage or distress
||The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.