Another council fined after data breach

27th August 2013

Another local authority has been fined for leaking residents' personal information.

You'll find information and advice on how to privacy, click here
You'll find information and advice for organisations on the Data Protection Act, click here

The Information Commissioner’s Office (ICO) has served Islington Council with a monetary penalty of £70,000 after personal details of over 2,000 residents were inadvertently released online in reponse to a freedom of information request. The information related to their housing needs and included details of histories of mental illness and domestic abuse.

The application had been made via What Do They Know?, a website which enables individuals to submit requests for information to public authorities. Responses are uploaded to the site and are available to all those wishing to view them.

In June, Islington Council released three spreadsheets relating to the work of its Housing Performance Team, not realising that they contained the details of 2,375 residents who had either submitted applications for council housing, or were council tenants. The details were published on the WDTK website, and remained available until almost three weeks later by an administrator working for the site, who identified the error and removed the information. The website then reported the matter to the ICO.

On investigation, the regulator found that the council had been alerted to the problem shortly after the first spreadsheet was published. However, it failed to correct the error and the other two spreadsheets were released with the same problem.

The data breach occurred due to a lack of understanding of pivot tables, which are used in Microsoft Excel and other spreadsheet programs to neatly summarise large amounts of data. The tables retain a copy of the source data used, and the information is easily accessible if the source data is not removed.

Stephen Eckersley, the ICO's Head of Enforcement, said: “This mistake not only placed sensitive personal information relating to residents at risk, but also the highlighted the lack of training and expertise within the council. Councils are trusted with sensitive personal information, and residents are right to expect it to be handled in a proper way. Unfortunately, in this case that did not happen, and Islington Council must now explain to residents how it will stop these mistakes being repeated.”

ICO Head of Policy, Steve Wood, recently published a blog explaining the problems caused when public authorities fail to recognise the information retained in pivot tables. The regulator is currently investigating a number of other authorities that have also made similar errors.An


Written by

In partnership with