A data breach at a London borough council left the personal data of over 6,500 people exposed for almost two years.
The Information Commissioner’s Office (ICO), the UK’s independent regulator for data and information rights law, reprimanded Hammersmith and Fulham council for exposing the personal details of these individuals from 2021 to 2023.
The breach occurred in 2021 after the council responded to a Freedom of Information Act (FOIA) request made and later published on the website WhatDoTheyKnow.com (WDTK).
ICO head of investigations Sally Anne Poole said: “In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”
A total of 6,528 people were affected, including 2,342 children, when their data was included in 10 of the workbooks in the Excel spreadsheet that formed the council’s WDTK response.
The data included sensitive details such as the unaccompanied asylum-seeking status of 96 children.
In November 2023, almost two years after the response was published, WDTK performed a review of their website and discovered the personal data.
They contacted the council and quickly removed the information.
In its investigation into the case, the ICO considered factors such as the age of the published data and there being no evidence of inappropriate access or use of it.
They also noted the council’s remedial actions, which included updating their guidance and procedures and ensuring that staff undertook training.
Poole said: “It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.”
The ICO reprimand included recommendations for both Hammersmith and Fulham council and all relevant public bodies responding to FOIA requests.
These include an ICO checklist for releasing information containing Excel spreadsheets, a manager sign-off for all disclosed materials, and continual review and update of online staff training and guidance.
Hammersmith and Fulham Council confirmed that they immediately fixed the error after they were notified, that none of the information was inappropriately accessed or used, and that they no longer allow staff to supply information in this format.