Breach details
What | Spreadsheets containing sensitive personal data in a ‘hidden’ workbook were uploaded on three occasions to the WhatDoTheyKnow.com FOIA website in response to an FOIA request. The data included details on housing applicants’ sexuality, ethnicity, domestic violence and criminal offending. |
How much | 2,375 records. |
When | 26 June 2012 |
Why | Spreadsheets prepared by one department in response to an FOIA request used pivot tables to provide the summary information requested; however, the published spreadsheets also contained the raw source data in hidden worksheets within the same file. The request originated via the WhatDoTheyKnow website, which automatically publishes all FOIA responses to the web, making them publicly available. |
Regulatory action
Regulator | ICO |
Action | Monetary Penalty Notice of £70,000 |
When | 20 August 2013 |
Why the regulator acted
Breach of act | Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel). |
Known or should have known | The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request. |
Likely to cause damage or distress | The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss. |
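A pre-publication check of the kind described in the breach details and in the training failure above, added here as an example and not part of the original record: it opens an .xlsx as the zip container it is, lists worksheets marked hidden or veryHidden in xl/workbook.xml, and flags pivot caches, which retain the source rows a pivot table was built from even when the source sheet is removed. The sample workbook is constructed inline and the function names are the example's own.

```python
import io
import re
import zipfile

# Matches each <sheet .../> entry in xl/workbook.xml and its attributes.
_SHEET_RE = re.compile(r'<sheet\b[^>]*>')
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def inspect_xlsx(data: bytes) -> dict:
    """Report hidden/veryHidden worksheets and pivot-cache record parts in an
    .xlsx (a zip container). Works on raw bytes, so no Excel is needed."""
    hidden = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = zf.read("xl/workbook.xml").decode("utf-8")
        for tag in _SHEET_RE.findall(workbook):
            attrs = dict(_ATTR_RE.findall(tag))
            # state is absent for visible sheets; "hidden" can be unhidden from
            # the Excel UI, "veryHidden" only via VBA or by editing the file.
            if attrs.get("state") in ("hidden", "veryHidden"):
                hidden.append((attrs.get("name", "?"), attrs["state"]))
        # A pivot cache keeps a copy of the source rows even if the source
        # sheet is later deleted, so its presence alone is a disclosure risk.
        caches = [n for n in zf.namelist()
                  if n.startswith("xl/pivotCache/pivotCacheRecords")]
    return {"hidden_sheets": hidden, "pivot_caches": caches,
            "safe_to_publish": not hidden and not caches}


def build_sample() -> bytes:
    """Constructed minimal workbook (not a real council file): a visible
    'Summary' sheet, a hidden 'RawData' sheet and one pivot cache."""
    wb = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
          '<sheets><sheet name="Summary" sheetId="1"/>'
          '<sheet name="RawData" sheetId="2" state="hidden"/>'
          '</sheets></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", wb)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_xlsx(build_sample()))
```

A release gate that refuses to publish unless `safe_to_publish` is true would have caught the hidden worksheets in this case; the check is a complement to, not a substitute for, a human review of what each visible sheet contains.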
BW Observations
If the ICO considered an MPN appropriate, then a penalty of £70,000 for the repeated release of 2,375 items of sensitive personal data to a public website seems good value for the Data Controller. However, the basis for the ICO’s assertion that the Council ‘knew or should have known’ appears to be weak.
Links
View PDF of the Monetary Penalty Notice (Breach Watch Archive) |
View PDF of the Monetary Penalty Notice (via ICO website) |