The Royal Borough of Kensington and Chelsea has been hit with a £120,000 monetary penalty by the Information Commissioner’s Office (ICO) after the council unlawfully identified 943 people who owned vacant properties in the borough.
Names of the owners and the addresses of their unoccupied homes were sent to three journalists who had requested statistical information under the Freedom of Information Act 2000 (FOIA).
The journalists, who worked for a national daily newspaper, had put in freedom of information requests in June 2017 in the aftermath of the Grenfell Tower fire. They asked for the addresses of empty properties in the borough.
The ICO’s monetary penalty notice said the statistical information was no longer held by the council. A member of RBKC’s revenue systems administration team therefore produced a list of named owners against the addresses of empty properties in the borough.
The council did not intend to disclose this information because of the risk of criminal activity.
Kensington & Chelsea’s Council Tax Manager compiled a list of the number of empty properties in the borough to be disclosed to the applicants, copied and pasted the information into a new Excel spreadsheet and sent it to the FOI team.
However, the underlying personal data on the pivot table had not been removed.
A member of the FOI team then scrolled over the spreadsheet and clicked it once to check for hidden data. Double-clicking on any cell would have revealed the identities of the 943 people who owned empty property.
On 21 July 2017, the spreadsheet was sent to the applicants with the underlying personal data still on the pivot table.
On 1 August, the national newspaper published the number of empty properties together with the names of three high-profile owners. One of the journalists also disclosed the response to a data analyst who published the spreadsheet on an online blog for approximately one hour.
Following an investigation, the Information Commissioner found the council in contravention of the Data Protection Act because it:
(a) did not provide the FOI team with any – or any adequate – training on the functionality of Excel spreadsheets or possible alternatives;
(b) had in place no guidance for the FOI team to check spreadsheets for data hidden in any pivot table before they were disclosed under FOI.
This was an ongoing contravention from 1 January 2005 when the relevant part of the FOIA came into force, until the date the security breach was discovered on 1 August 2017 and remedial action was taken, the ICO said.
The watchdog said it was satisfied this contravention was serious “due to the number of affected data subjects, the sensitive nature of the personal data that was disclosed to the applicants in the context of the Grenfell Tower tragedy, and the potential consequences. In those circumstances, the council’s failure to take adequate steps to safeguard against unauthorised disclosure was serious.”
The ICO also noted how, at the time of the security breach, the feeling of social inequality was running high “in this wealthy Borough”.
The council appeared to have overlooked the need to ensure that it had robust measures in place “for no good reason”, it added.
One of the affected data subjects had been visited at home by a journalist with links to the newspaper.
The ICO noted that it had previously issued two monetary penalties – on 30 July 2012 to Torbay NHS Trust and on 28 April 2016 to Blackpool NHS Trust – which had raised awareness about the issue of data that could be hidden in pivot tables.
The watchdog said a number of mitigating features were taken into account in reaching its decision, including that:
- The council reported the incident to the ICO and was co-operative during the subsequent investigation;
- The council took prompt action to ensure that the journalists and the data analyst deleted the spreadsheet from their email accounts and the google cache;
- The high profile data subjects were notified about the security breach;
- The council carried out a full investigation;
- It had now taken substantial remedial action.
However, it considered the fact that the council had received a complaint from an affected data subject as an aggravating feature.
A Kensington and Chelsea Council spokesperson said: “It was an error and we apologise. We accept the fine, and we have reviewed our processes to prevent this happening again.”