Latest ICO fine for data breach highlights issues with pivot tables

The Information Commissioner’s Office has fined a London council £70,000 after it released personal details of more than 2,000 residents online following a freedom of information request.

The ICO said the data breach arose out of a lack of understanding of pivot tables used in Microsoft Excel and other spreadsheet programmes.

The watchdog said it was investigating a number of other authorities that had made similar errors.

Islington said it would accept the fine and take advantage of the 20% early payment discount, bringing the total payable down to £56,000.

The incident stemmed out of an FOI request via the What Do They Know website. Responses are uploaded to the site, which means that they are available to all readers.

Islington released three spreadsheets covering the work of its housing performance team.

However, it did not realise that the documents contained the details of residents who were either tenants or had applied for council housing.

The information included details of whether they had a history of mental illness or had been a victim of domestic abuse.

The data remained on the What Do They Know site for a number of weeks when an administrator noticed the error and removed the information. The site reported the issue to the ICO.

An investigation by the watchdog revealed that the council had been alerted to the problem shortly after the first spreadsheet was published.

However, it failed to correct the error – leading to two other spreadsheets being released with the same problem.

Pivot tables summarise large amounts of data, but the tables retain a copy of the source data used. It was this source data – which is hidden from view but can be accessed easily – that Islington failed to remove.

ICO Head of Enforcement, Stephen Eckersley, said: “This mistake not only placed sensitive personal information relating to residents at risk, but also the highlighted the lack of training and expertise within the council.

“Councils are trusted with sensitive personal information, and residents are right to expect it to be handled in a proper way. Unfortunately, in this case that did not happen, and Islington Council must now explain to residents how it will stop these mistakes being repeated.”

Islington Council has apologised for the errors. Its internal investigation into the incident has led to mandatory data awareness training for all staff as well as specific training for those who handle sensitive data.

A spokesman said: "We remain extremely sorry for the upset and worry this disclosure may have caused to some people. The council carried out a thorough investigation when this disclosure came to light, and we have since put in place more rigorous checks.

“The person who released the data did not have sufficient knowledge of spreadsheets to recognise the error or to put it right. All of our employees who are tasked with responding to FOI requests have now had additional training with an emphasis on how to prepare information for public release.”

He added: "We recognise it is our responsibility to protect people's personal data, and we failed. We're very sorry for that."

Read the ICO’s Head of Policy, Steve Wood, blog on the problems with pivot tables.