London council gets £70,000 penalty for data breach

The Information Commissioner's Office (ICO) serves Islington Council with penalty of £70,000 for releasing over 2,000 residents’ details online

The Information Commissioner’s Office (ICO) has served Islington Council with a monetary penalty of £70,000 for releasing over 2,000 residents’ details online.

The information was inadvertently released in response to a freedom of information (FoI) request in contravention of the Data Protection Act.

The data included sensitive personal information relating to residents’ housing needs, including details of whether they had a history of mental illness or had been a victim of domestic abuse.

The FoI request had been made through the What Do They Know (WDTK) website, where responses are uploaded and published. 

The council released three spreadsheets in June that related to the work of the authorities’ Housing Performance Team.

However, the council failed to spot that the documents contained the details of 2,375 residents who had either submitted applications for council housing, or were council tenants.

These details were published on the WDTK website and remained available until 14 July, when an administrator working for the site identified the error, removed the information and reported the matter to the ICO.

The ICO’s investigation found that the council had been alerted to the problem shortly after the first spreadsheet was published, but failed to correct the error. This resulted in the other two spreadsheets being released with the same problem.

“This mistake not only placed sensitive personal information relating to residents at risk, but also the highlighted the lack of training and expertise in the council,” said ICO Head of Enforcement, Stephen Eckersley.

The ICO investigation found that the breach occurred due to a lack of understanding of pivot tables used in spreadsheet programs to summarise large amounts of data.

The tables retain a copy of the source data used and, although this information is hidden from view, it is easily accessible.

Islington Council used the tables to show statistics on how housing had been allocated to residents, but failed to remove the source data, and so sensitive personal data about tenants was revealed.

 The ICO’s Head of Policy Steve Wood recently published a blog explaining the problems caused when public authorities fail to recognise the information retained in pivot tables.

The ICO is currently investigating a number of other authorities that have also made similar errors.

Read more on Privacy and data protection