Islington Borough Council

Breach details

What Spreadsheets containing sensitive personal data in a ‘hidden’ workbook were uploaded on three occasions to the FOIA website in response to an FOIA request. The data included details on housing applicants’ sexuality, ethnicity, domestic violence and criminal offending.
How much 2,375 records.
When 26 June 2012
Why Spreadsheets prepared by one department providing a response to an FOIA request used pivot tables to provide the summary information requested, however the published spreadsheets also contained the raw source data in hidden worksheets within the same spreadsheet. The request originated via the WhatDoTheyKnow website which automatically publishes all FOIA responses to the web, making them publicly available .

Regulatory action

Regulator ICO
Action Monetary Penalty notice of £70,000
When 20 August 2013

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel).
Known or should have known The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request.
Likely to cause damage or distress The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

If the ICO considered an MPN appropriate, then a penalty of £70,000 for the repeated release of 2,375 items of sensitive personal data to a public website seems good value for the Data Controller. However the basis for the ICO’s assertion that the Council ‘knew or should have known’ appears to be weak.