Names and contact details of officials and supplier staff were clearly visible after contract was inadequately redacted
Personal details of civil servants and supplier staff were erroneously published by the Department for Levelling Up, Housing and Communities and remained online for nearly a month, PublicTechnology can reveal.
On 18 February, the department published details of a contract it had awarded for a supplier to support development of an online service through which citizens can apply to obtain free ‘voter cards’. Incoming legislation is set to require voters to prove their identity at the ballot box, and the voter cards are intended to give those without existing forms of photo identification – such as a passport or driving licence – a means of doing so.
Alongside the procurement notice, DLUHC published the contract itself, which was available on GOV.UK for download as a PDF.
Although an attempt had seemingly been made to redact personal details from the document, this took the form of strikethrough text, which – as can clearly be seen here – typically does little to impede the ability to read the text in question.
As well as being clearly decipherable in the PDF, the text could also be copied and pasted into a separate document, while clicking on the four email addresses contained in the contract automatically opened a new message to the named individual.
Names, job titles, and email addresses of two civil servants – one from DLUHC and one from the Cabinet Office – were included, alongside the names, titles, email addresses, mobile phone numbers, and business address of two representatives of the supplier – digital services firm Valtech. The name and job title of another civil servant had also been struck through.
After discovering the breach, PublicTechnology contacted the department’s data-protection officer at about 4.25pm on Friday 11 March.
On the morning of Monday 14 March, a new version of the contract – with all personal information entirely deleted this time – was published on GOV.UK, replacing the previous version. A similar exercise appears to have also been conducted on another contract awarded to Valtech for the development of an “ID verification process” to support the voter card application services.
PublicTechnology asked both the department’s data protection officer and press office for details of how it had responded to the breach, including whether both the affected parties and the Information Commissioner’s Office had been notified, and whether any further remedial action had been undertaken – particularly if the failed attempt at redaction had been replicated elsewhere.
The department did not respond to our requests for information.
Highlighting the problem
DLUHC is far from the first public sector entity to expose personal data via inadequate redaction methods.
In October 2020, PublicTechnology discovered a similar breach at the Cabinet Office, which had failed to remove personal details of officials and supplier staff from a published contract, but had rather simply covered the information with a black highlighter tool – meaning text could still be copied and pasted, and clicking on email addresses still automatically created a new message.
The ICO addresses the issue of how to properly redact documents in a handbook for the public sector called How to disclose information safely – Removing personal data from information requests and datasets.
The guidelines specifically warn against the use of highlighter tools, which can result in merely “hiding data in plain sight”.
“An author might be tempted to use the highlighter tool to add a black box around text marked for redaction,” the guidance says. “It is important to recognise that the information still exists underneath the black box in the original electronic file.”
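A pre-publication check for the failure the guidance describes, as an added example that is not part of the original article or of the ICO handbook: it reads the text layer of a PDF, ignoring anything painted on top, and reports e-mail addresses and UK mobile numbers that remain. The two sample pages are constructed, the stream parser is deliberately simplified (literal strings in uncompressed or Flate-compressed streams only), and the two regular expressions are assumptions about what counts as personal data.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
LITERAL_RE = re.compile(rb"\((?:\\.|[^\\()])*\)")   # PDF literal strings: (text)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
UK_MOBILE_RE = re.compile(r"\b07\d{3} ?\d{6}\b")    # assumed number format


def text_layer(pdf_bytes):
    """Return the literal strings found in every content stream."""
    parts = []
    for match in STREAM_RE.finditer(pdf_bytes):
        data = match.group(1)
        try:
            data = zlib.decompress(data)      # FlateDecode stream
        except zlib.error:
            pass                              # stream was stored uncompressed
        for lit in LITERAL_RE.findall(data):
            raw = re.sub(rb"\\(.)", rb"\1", lit[1:-1])  # undo simple escapes
            parts.append(raw.decode("latin-1"))
    return " ".join(parts)


def residual_personal_data(pdf_bytes):
    """List e-mail addresses and UK mobile numbers still in the text layer."""
    text = text_layer(pdf_bytes)
    return sorted(set(EMAIL_RE.findall(text) + UK_MOBILE_RE.findall(text)))


def make_pdf(content, compress=False):
    """Wrap one page content stream in a skeletal PDF body (constructed)."""
    body = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n4 0 obj\n<< /Length " + str(len(body)).encode()
            + filt + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed page: contact text is drawn, then a black box is painted over it.
COVERED = (b"BT /F1 11 Tf 72 700 Td (Contact: jane.doe@example.org) Tj ET\n"
           b"BT /F1 11 Tf 72 680 Td (Mobile: 07700 900123) Tj ET\n"
           b"0 0 0 rg 70 675 260 40 re f\n")
# Constructed page after real redaction: the text operators are gone.
DELETED = (b"BT /F1 11 Tf 72 700 Td (Contact: [redacted]) Tj ET\n"
           b"0 0 0 rg 70 675 260 40 re f\n")

if __name__ == "__main__":
    for name, page in (("covered", COVERED), ("deleted", DELETED)):
        print(name, residual_personal_data(make_pdf(page, compress=True)))
```

A document that returns an empty list here can still carry personal data in metadata, images or encodings this simplified parser does not read, so the check supplements deletion of the text rather than replacing it.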
DLUHC’s contract with Valtech for the development of the voter card application service came into effect on 15 December and will be worth £2.3m to the tech firm. The deal related to the ID verification process was signed on 24 January and is valued at £1.15m.
Each contract runs for an initial term of two years, plus an optional six-month extension.
The Elections Bill, which proposes the introduction of mandatory ID checks at polling stations, has met with fierce opposition from politicians and civil-society groups.
The Electoral Reform Society has said that “evidence from around the world shows that forcing voters to bring photographic ID to the polling station just makes it harder for people to vote – while doing little to increase faith in the integrity of the system”.
“We don’t need to spend millions to put up barriers to people taking part in our democracy,” it added.
The bill was put before parliament in July last year. It has successfully completed all initial stages of its journey through the House of Commons and is currently at committee stage in the House of Lords – the third of five phases it must pass in each house. Once peers have finished their reviews of the legislation, it will return to MPs for consideration of amendments and, finally, royal assent – after which it will pass into law.