Data that was accessible online after freedom of information response included details related to children in care and unaccompanied asylum seekers, an investigation by the UK data watchdog has found
The Information Commissioner’s Office has issued a formal reprimand to a London borough council that exposed online – for a period of almost two years – the personal info of thousands of people, including data related to unaccompanied children seeking asylum in the UK.
In October 2021, the London Borough of Hammersmith and Fulham responded to a freedom of information request by publishing a range of Excel documents, including 35 hidden workbooks.
While the existence of these files “was not apparent… anyone with knowledge of Excel would know how to inspect an Excel spreadsheet for hidden data and therefore could then access the personal data” contained within, according to the reprimand document.
Housed in the hidden workbooks was personal data related to 6,528 people, of which 2,342 were children – whose information “was classed as sensitive, as it included details of looked-after children, 96 of whom were unaccompanied asylum-seeking children”, according to the ICO.
The publication of this hidden data was eventually discovered in November 2023 by WhatDoTheyKnow.com (WDTK) – the charity-run website which helps people submit FOI requests and maintains an archive of published responses.
“Following a review of information on its site, WDTK informed the council the response included personal information,” the ICO said. “The information was immediately removed from both [the council and WDTK] sites.”
The watchdog added that, in deciding to limit the action taken against the London borough to just a reprimand, it took into account that the “information was almost three years old and there was no evidence that it had been inappropriately accessed or used”. The regulator also “considered the remedial action the council took to contain the impact of the breach”, including refreshing guidelines and providing additional training for staff.
Related content
- ICO issues data protection warning over domestic abuse victims after DWP and local councils reprimanded
- ICO: Instead of massive fines, regulation works best when we work alongside organisations
- Information commissioner: ‘I want us to be for all of society – not just those with the resources to access data protection’
The reprimand issued to by the ICO to Hammersmith and Fulham contains various recommendations, including an encouragement to consider “implementing the use of our sign-off checklist when releasing information that contains Excel spreadsheets”, as well as requiring all material intended for publication to be “signed off by a manager”.
The data-protection regulator also recommended that the London borough council takes steps to “review and update online training and guidance and continually embed this with staff”.
Sally Anne Poole, ICO head of investigations, added: “It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen. In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”
A spokesperson for the council said: ““None of the hidden data in the historic FOI response was inappropriately accessed or used. We immediately fixed the error when we were notified. And we no longer allow staff to supply information in this format.”
In the past few years, the watchdog has significantly increased the number of reprimands issued to public bodies – while avoiding issuing fines. This new approach to the public sector was first launched in summer 2022 and, following a two-year trial period, the ICO announced late last year that it will continue with the strategy.
With about 60 public bodies having been hit with a public reprimand in the past three years, the commissioner John Edwards said in December that “we’ve seen significant changes made by organisations following a reprimand”.
