ICO fines Kensington & Chelsea £120,000 after massive data breach

The information was accidentally included in a freedom of information (FOI) response about the number of empty properties in the borough.

In the wake of the Grenfell Tower fire in June 2017 Kensington & Chelsea council received three FOI requests for statistical information on empty properties in the borough. The FOI applicants were sent a spreadsheet with the requested information, but it included underlying personal data about 943 property owners, contained in a pivot table.

The requests were from national newspaper journalists and in August one newspaper published the statistics, together with the names of three high-profile property owners. The spreadsheet was disclosed by one of the journalists to a data analyst who posted it on a blog for a short period of time.

Data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said public bodies needed to keep personal data protection in mind when fulfilling FOI requests.

"This should be a warning to public authorities processing freedom of information requests that they need to be careful when making the appropriate redactions. They shouldn't forget about their data protection obligations and they need to be mindful of any personal data in the documentation – the assumption being that a disclosure pursuant to a freedom of information request is a disclosure into the public domain," she said.

"With the scalability of social media disclosures of personal data should be treated with caution, as, once disclosed, the public authority has no control over the extent to which the personal data could be combined with personal data held by third parties to reveal private information or to draw inferences about the individuals affected," said Wynn.

The ICO found that Kensington & Chelsea had failed to take appropriate organisational measures against the unauthorised processing of personal data. It had not given its FOI team any training on the functionality of spreadsheets and had no guidance for the team to check for hidden data before an FOI disclosure.

In its penalty notice (17 page / 3.27MB PDF) the ICO added that the contravention was serious due to the number of affected data subjects, the sensitive nature of the data, particularly as it was disclosed in the wake of the Grenfell Tower tragedy, and the potential consequences of the disclosure.

It is not the first time a public body has fallen foul of hidden data in a spreadsheet. In 2016 Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 for a similar contravention of the Data Protection Act, and in 2013 the ICO warned bodies about the issue.