The Information Commissioner's Office (ICO) said that Islington Council was guilty of a serious breach of the Data Protection Act (DPA) after the names, gender, ethnicity and other personal details, including some medical information, belonging to 2,375 individuals were accidentally disclosed. The details related to council housing applicants or existing tenants and were contained in spreadsheets disclosed to the 'What Do They Know' (WDTK) website in response to an FOI request.
The WDTK website allows individuals to submit FOI requests to public bodies and publishes the responses received.
The ICO said that three spreadsheets disclosed to the WDTK site by Islington Council contained personal, and in places sensitive, data that was "hidden" in so-called "pivot tables" within the spreadsheets.
"The hidden spreadsheets can be revealed by a user with basic knowledge of Excel," the ICO said in its monetary penalty notice (37-page / 225KB PDF).
The watchdog said failings in the Council's checking procedures, as well as in training and communication, were responsible for the mistaken disclosures.
"The pivot table summaries produced in each workbook by the Housing Performance Team should have been copied and pasted (with just the values and not the entire format) on to blank sheets to remove the hidden data sheets," the ICO said. "The data analyst however failed to do this before sending the completed documents to the [Information Governance Officer (IGO)]. The IGO was not informed how this data was produced or what data lay behind the tables and lacked the necessary skills, support and guidance to proactively check this."
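A pre-release check of the kind the ICO's description calls for, as an added example that is not from the article or the ICO notice: it opens an .xlsx file (a ZIP archive in the OOXML layout) and flags pivot caches, which carry a copy of the source rows behind a pivot table, and sheets marked hidden or veryHidden. The sample workbook package is constructed inline and deliberately minimal (not a real Excel export), containing only the parts the check inspects.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

MAIN_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def build_sample_xlsx(with_pivot_cache: bool, hidden_sheet: bool) -> bytes:
    """Constructed minimal .xlsx package for testing; real exports share this layout."""
    state = ' state="hidden"' if hidden_sheet else ""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Summary" sheetId="1" r:id="rId1"/>'
        f'<sheet name="RawData" sheetId="2"{state} r:id="rId2"/></sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        if with_pivot_cache:
            # A pivot cache keeps the full source rows even after the source sheet is deleted.
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", "<pivotCacheDefinition/>")
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()


def find_hidden_data(xlsx_bytes: bytes) -> list[str]:
    """Return findings that should block release; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        # Pivot cache record parts are where the rows behind a pivot summary live.
        for name in zf.namelist():
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                findings.append(f"pivot cache with source rows: {name}")
        # Hidden and veryHidden sheets are still complete in the file; only the UI hides them.
        root = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in root.iter(MAIN_NS + "sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"{state} sheet: {sheet.get('name')}")
    return findings


if __name__ == "__main__":
    for finding in find_hidden_data(build_sample_xlsx(True, True)):
        print("BLOCK:", finding)
```

A clean file, in the sense the ICO describes (values pasted onto a blank sheet), produces no findings; a workbook still carrying its pivot cache or a hidden data sheet is flagged before it reaches a public site.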
The ICO said that there was evidence that the files containing the data had been downloaded seven times before they were spotted and removed from the WDTK site by a site administrator, who also arranged for the content to be removed from Google's search caches.
It said that the case met the criteria needed to justify serving a fine for a breach of the DPA. The ICO can serve organisations with monetary penalties of up to £500,000 if they breach the Act.
In order for a fine to be justified, an organisation must be guilty of a "serious contravention" of the data protection principles in a way that is "likely to cause substantial damage or substantial distress". The breach must also be shown to have been either carried out deliberately or by an organisation or person who knew or should have known about the risk of the breach and the damage or distress it could cause but did not take "reasonable steps to prevent the contravention" happening.
Under the DPA data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
"The data subjects would suffer from substantial distress knowing that their confidential personal data has been disclosed to third parties (via the internet) and that there is the possibility that their data may have been further disseminated and possibly misused," the ICO said. "That is so, even if those concerns do not actually materialise in practice."
Stephen Eckersley, the ICO's head of enforcement, said: "This mistake not only placed sensitive personal information relating to residents at risk, but also highlighted the lack of training and expertise within the council."
"Councils are trusted with sensitive personal information, and residents are right to expect it to be handled in a proper way. Unfortunately, in this case that did not happen, and Islington Council must now explain to residents how it will stop these mistakes being repeated," he added.
The ICO had recently issued a warning about disclosing "hidden" personal data in response to FOI requests and, in light of this case, has again said that it is investigating similar incidents involving other local authorities.