Spreadsheet error leads to £70K data breach fine for London council

Data breaches

Islington Council will not appeal a 70,000 data breach fine handed to it by the Information Commissioner's Office (ICO) for accidentally disclosing local residents personal details.

The council received the fine after personal details about more than 2,000 local residents were inadvertently published online.

The information formed part of the council's response to a Freedom of Information (FOI) request about the ethnicity and gender of local residents the council has rehoused.

In doing so, the council also passed on details about whether or not said residents had a history of mental health issues or had suffered from domestic abuse.

The FOI request was submitted by the What Do They Know website, which allows people to search through responses to similar requests from public authorities.

The council supplied three spreadsheets as its response in June 2012, but failed to spot the documents contained details of 2,375 council tenants or those who had applied for council housing.

This is because the spreadsheets contained pivot tablets, which are used in Microsoft Excel to summarise large amounts of data, but they also retain a copy of the source material.

The information is hidden from view, but is still accessible, which is how the data came to be in the public domain.

The information was available on the What Do They Know website until 14 July when one of the site's administrators spotted the error, before reporting the issue to the ICO two days later.

The data protection watchdog claims that an investigation into the matter revealed the council was alerted to the issue when the first spreadsheet was published, but did nothing to correct the problem.

A further two spreadsheets were also published that were affected by the same issue.

In a statement to IT Pro, Islington Council apologised for the breach and the distress it may have caused local residents.

The local council also confirmed it intends to pay the fine as soon as possible, so it can take advantage of the ICO's 20 per cent early payment discount.

By doing so, the organisation should see its penalty reduced to 56,000.

"The council carried out a thorough investigation when this disclosure came to light, and we have since put in place more rigorous checks," the statement reads.

"The person who released this data did not have sufficient knowledge of spreadsheets to recognise the error or to put it right."

As a result, the council staff responsible for responding to FOI requests will now receive addition training on how to prepare data for public release, the statement confirmed.

Stephen Eckersley, the ICO's head of enforcement, added: "Councils are trusted with sensitive personal information, and residents are right to expect it to be handled in a proper way.

"Unfortunately, in this case that did not happen, and Islington Council must now explain to residents how it will stop these mistakes being repeated," he concluded.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.