Council reprimanded for leaving personal information of more than 6,500 people – including looked after children and employees – exposed through FOI response

The Information Commissioner’s Office has reprimanded the London Borough of Hammersmith & Fulham after the council left exposed the personal information of 6,528 people, a third of them children, for almost two years.

The ICO revealed that the personal data breach occurred when Hammersmith & Fulham responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021.

The response, published on the council’s website and WDTK, contained an Excel spreadsheet with 35 hidden workbooks. The personal data was contained within ten of those workbooks.

Almost two years later in November 2023, following a review of information on its site, WDTK informed the council the response included personal information. The information was immediately removed from both sites.

According to the ICO, of the 6,528 people affected, 2,342 were children.

The personal information relating to the children was classed as sensitive as it included details related to the placement of looked after children, 96 of whom were unaccompanied asylum-seeking children, the watchdog said.

The adult data subjects were employees, ex-employees and agency staff who worked or had worked for the council. The personal data disclosed in this respect related to their employment and their contact details in a professional capacity. A small amount of this personal data was special category data.

The ICO said that whilst it was not apparent that the FOI response contained hidden data, anyone with knowledge of Excel would know how to inspect an Excel spreadsheet for hidden data and therefore could then access the personal data.

It was the watchdog’s assessment that Hammersmith & Fulham “did not have adequate or appropriate technical and organisational measures in place to ensure the security of the data it was processing, and to prevent a breach such as this”.

It also determined that the council did not implement adequate and appropriate measures in accordance with UK GDPR when it adopted the practice of using Excel spreadsheets for FOI responses.

The ICO said that in reaching its final decision, it took into account a number of mitigating factors including that the published personal information was almost three years old and there was no evidence that it had been inappropriately accessed or used.

The watchdog also considered the remedial action the council took to contain the impact of the breach “notably updating guidance and procedures and ensuring staff undertook training”.  

The reprimand contains various recommendations which the ICO expects Hammersmith & Fulham to implement. They are not legally binding directions.

The recommendations include that the council: 

  • consider implementing the use of the ICO’s sign off checklist when releasing information that contains Excel spreadsheets
  • consider that all material prepared for disclosure is signed off by a manager
  • review and update online training and guidance and continually embed this with staff. This should include the correct methods for using spreadsheets, the requirements to check for hidden data and how to check for hidden data.

The ICO said these recommendations are relevant to all public authorities responding to FOI requests.

Sally Anne Poole, ICO Head of investigations, said: “It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.

“In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”

A spokesperson for the London Borough of Hammersmith & Fulham said: "None of the hidden data in the historic FOI response was inappropriately accessed or used.

"We immediately fixed the error when we were notified. And we no longer allow staff to supply information in this format."
