Islington Borough Council receives a penalty notice for releasing sensitive information in an FOI response

August 27, 2013

Islington Council has been fined £70,000 after disclosing sensitive personal information of more than 2,000 residents in response to an FOI request.

The media release of the Information Commissioner’s Office (found here) provides:

The Information Commissioner’s Office (ICO) has served Islington Council with a monetary penalty of £70,000 after personal details of over 2,000 residents were released online.

The information was inadvertently released in response to a freedom of information request, and revealed sensitive personal information relating to residents’ housing needs, including details of whether they had a history of mental illness or had been a victim of domestic abuse.

The freedom of information request had been made through the What Do They Know (WDTK) website, which enables individuals to submit requests for information to public authorities. Responses are uploaded to the site and are available to all those wishing to view them.

The council released three spreadsheets on the 26 and 27 June that related to the work of the authorities’ Housing Performance Team. The council failed to spot that the documents contained the details of 2,375 residents who had either submitted applications for council housing, or were council tenants.

These details were published on the WDTK website, and remained available until the 14 July when an administrator working for the site identified the error and removed the information. The website reported the matter to the ICO two days later.

The ICO’s investigation found that the council had been alerted to the problem shortly after the first spreadsheet was published, but failed to correct the error. This resulted in the other two spreadsheets being released with the same problem.

ICO Head of Enforcement, Stephen Eckersley, said:

“This mistake not only placed sensitive personal information relating to residents at risk, but also highlighted the lack of training and expertise within the council. Councils are trusted with sensitive personal information, and residents are right to expect it to be handled in a proper way. Unfortunately, in this case that did not happen, and Islington Council must now explain to residents how it will stop these mistakes being repeated.”

The breach occurred due to a lack of understanding of pivot tables. These are used in Microsoft Excel and other spreadsheet programs to neatly summarise large amounts of data. But the tables retain a copy of the source data used. This information is hidden from view, but is easily accessible.

Islington Council used the tables to show statistics on how housing had been allocated to residents, but failed to remove the source data, and so sensitive personal data about tenants was revealed.

The mistake made by Islington occurred after the Information Commissioner’s Office had sounded a warning.

It stated:

It’s been a busy few weeks in Wilmslow, with data protection becoming headline news as politicians debated whether names should be included in a high-profile report.

That discussion was around whether more personal information should be included. For some time the ICO has been looking at a specific problem at the other end of the scale: organisations revealing too much personal information.

The issue relates to responses to freedom of information (FOI) requests provided in spreadsheets, which are inadvertently revealing personal information. Public authorities will often respond to requests by supplying the information requested in spreadsheet format. Sometimes that will be in the form of a ‘pivot table’, which can neatly summarise the information, without revealing the underlying personal information the summary is based on.

Unfortunately, it has come to our attention that public authorities are not always properly removing the underlying data before disclosing. Pivot tables, both in Microsoft Excel and other spreadsheet programs, retain a copy of the source data used. This information is hidden from view, but is easily accessible.

An example

Let’s look at a simple example. A public authority has been asked for a breakdown of which departments claim the most in expenses. The data has been provided on a spreadsheet:

The public authority uses a pivot table to total the information, which it then sends to the requestor:

It appears that the public authority hasn’t shared any personal data. However, by simply double-clicking on the table, the requestor can view the original source data, including the personal details of who made the expenses claims:

The problem has come to prominence on freedom of information disclosures made using the WhatDoTheyKnow website, but it is important for any disclosure made under the act, not just via WhatDoTheyKnow: any disclosure under the Freedom of Information Act should be treated as a disclosure to the world.

The risk could also emerge in other scenarios outside of FOI such as data sharing between two organisations, so while primarily aimed at the public sector, it is important that data controllers in the private sector consider this guidance.

The ICO is actively considering a number of enforcement cases on this issue.

We’re working closely with the WhatDoTheyKnow team. Their constructive approach in relation to the issue is appreciated, and we’ll continue to liaise with them about possible breaches. A few weeks ago WhatDoTheyKnow posted a blog containing useful guidance, and we’d very much support these key messages.

Five key messages

We have five key messages for organisations (with a hat tip to WhatDoTheyKnow):

1. Disclosure of hidden personal data in pivot table spreadsheets may be a breach of the Data Protection Act. The data is not secure and is easily accessible, even if not immediately viewable.

2. Avoid using pivot tables for any disclosures or data sharing involving personal data. Consider using CSV files.

3. Check the file sizes before disclosure – larger than expected file sizes should be a trigger for further checks.

4. Ensure your organisation has the right procedures and checklists in place for staff involved in disclosing data.

5. Consider running quick training sessions or drop in surgeries to ensure staff understand how to safely prepare spreadsheets for release.

In short, make sure the right checks are in place before you send. We’ve published two updates to our guide to freedom of information this week to highlight the importance of checking before disclosure. We will revisit the need for further guidance when we have completed our enforcement cases.

We’d also recommend that organisations use the redaction toolkit guidance produced by the National Archives, as well as our general guidance about anonymising data in our related code of practice.

It’s worth mentioning another issue we’re currently focused on: the imminent dataset amendments to the Freedom of Information Act. These amendments will require public authorities to disclose datasets in open reusable formats, which in practice means using a format such as CSV (comma separated variable) will be a requirement. This should remove many of the risks of hidden data, as the spreadsheet formatting is taken away, making it clear what information has been included.

We’re expecting these changes to the act to happen in August. There’ll be ICO guidance to accompany the amends, and no doubt an accompanying blog.
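The hidden pivot cache described above can be checked for mechanically before a spreadsheet is released. The following is an added example, not part of the ICO's guidance or of the original post: it opens an .xlsx file (a ZIP archive) and reports pivot cache parts under `xl/pivotCache/`, the number of cached source rows, and hidden sheets. The function names and the two sample workbooks are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by workbook.xml and the pivot cache parts.
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_xlsx(blob: bytes) -> dict:
    """Report pivot cache parts, cached source rows and hidden sheets."""
    found = {"cache_parts": [], "cached_records": 0, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if not name.startswith("xl/pivotCache/"):
                continue
            # Any cache part is a finding, even without a records part.
            found["cache_parts"].append(name)
            if "pivotCacheRecords" in name:
                rows = ET.fromstring(z.read(name)).findall(NS + "r")
                found["cached_records"] += len(rows)
        if "xl/workbook.xml" in z.namelist():
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in wb.iter(NS + "sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    found["hidden_sheets"].append(sheet.get("name"))
    return found

def safe_to_release(blob: bytes) -> bool:
    found = audit_xlsx(blob)
    return not found["cache_parts"] and not found["hidden_sheets"]

def _make(parts: dict) -> bytes:
    # Build a constructed, minimal .xlsx-like archive in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

X = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
# Constructed sample: a summary sheet backed by a cache of two source rows.
LEAKY = _make({
    "xl/workbook.xml": f'<workbook {X}><sheets><sheet name="Summary" sheetId="1"/>'
                       '<sheet name="Source" sheetId="2" state="hidden"/></sheets></workbook>',
    "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords {X} count="2">'
        '<r><s v="Claimant A"/><n v="120"/></r><r><s v="Claimant B"/><n v="80"/></r>'
        '</pivotCacheRecords>',
})
CLEAN = _make({"xl/workbook.xml": f'<workbook {X}><sheets><sheet name="Summary" sheetId="1"/></sheets></workbook>'})
```

A release checklist could call `safe_to_release` on the file bytes and hold the response when it returns `False`. Legacy `.xls` files are not ZIP archives, so `zipfile` rejects them and they need a separate check.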

The penalty notice, found here, provides:

This Monetary Penalty Notice is issued by the Information Commissioner (‘the Commissioner’) pursuant to section 55A of the Data Protection Act 1998 (‘The Act’). A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.

Islington Borough Council is the data controller, as defined in section 1(1) of the Act, in respect of the processing of personal data carried on by Islington Borough Council (referred to in this notice as ‘the data controller’).

Following a serious contravention of the data controller’s duty, under section 4(4) of the Act, to comply with the seventh data protection principle, the Commissioner considers, for the reasons set out below, to serve on the data controller notice of a monetary penalty in the sum of £70,000.

Statutory framework

Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is the data controller.

Under sections 55A and 55B of the Act (introduced by the Criminal Justice and Immigration Act 2008 which came into force on 6 April 2010) the Commissioner may, in certain circumstances, where there has been a serious contravention of section 4(4) of the Act, serve a monetary penalty notice (‘MPN’) on a data controller requiring the data controller to pay a monetary penalty of an amount determined by the Commissioner and specified in the notice but not exceeding £500,000.

The Commissioner has issued Statutory Guidance under section 55C(1) of the Act about the issuing of monetary penalties which is published on the Commissioner’s website. It should be read in conjunction with the Data Protection (Monetary Penalties and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010.

This case involves the disclosure of sensitive personal data. Sensitive personal data is defined in section 2 of the Act (in so far as it is applicable to this case) as follows:

“In this Act “sensitive personal data” means personal data consisting of information [in so far as applicable to the facts of this case] as to
(a) the racial or ethnic origin of the data subject
(e) his physical or mental health or condition,
(f) his sexual life
(g) the commission or alleged commission by him of any offence…”

Power of Commissioner to impose a monetary penalty

Section 55A of the Act provides that:

(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that
(a) there has been a serious contravention of section 4(4) [of the Act] by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the data controller
(a) knew or ought to have known
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.

Background

On 27 May 2012, a request was made to the data controller under the Freedom of Information Act 2000 (‘FOIA’) via a website called ‘Whatdotheyknow’ (‘WDTK’).

WDTK is a publicly accessible website which enables individuals and organisations to submit requests for information to public authorities. Requests under FOIA and responses to them are uploaded to the site and are available to all those wishing to view them. WDTK is well known in Information Governance circles. Indeed, prior to the response to this request, the data controller had responded to several requests via this site dating back to 1 April 2008. The data controller was therefore familiar with the use of WDTK when responding to requests.

No formal request was sent by the data controller to WDTK or My Society (the host of WDTK) to officially take down the information. Therefore all correspondence with the attachments sent by the data controller remained publicly accessible on WDTK.

On 14 July 2012, a WDTK volunteer administrator, whilst reviewing success rates of requests, happened to read the exchanges and, upon seeing personal data on the first workbook, WDTK removed the record from public access. The volunteer did so by completing internal take down documentation and also filed a URL removal request to Google to get any copies of the request page and the spreadsheets removed from their cache. It is noted that WDTK and not the data controller acted to remove this information from its own site and from the Google cache.

Google responded to the request and confirmed the cached copies had been deleted apart from one copy of the cached request pages which was still being shown as pending.

Copies of the data remain on the MySociety servers but can only be accessed by individuals with WDTK administration rights.

WDTK has advised that during the period of time that the information was accessible there were ten download requests (excluding the WDTK however a lack of technical training / supervision and checking mechanisms.

Whilst the data controller has provided classroom based training to specific teams in departments that held and processed sensitive data to other departments, at the time of the contravention, the staff involved in the incident had not yet received this training.

Whilst the data controller’s Access to Information Policy states that the IGO is the lead on responding to FOI requests and they take ultimate responsibility, the IGO in this case was not equipped with the skills and training to effectively deal with FOI requests and to recognise when personal data may have been placed at risk when provided in formats such as Excel.

Communication

The failure of the data analyst, who carried out the further statistical analysis on the Excel spreadsheets to convert it into a pivot table facility within the spreadsheets, to communicate this fact to the IGO is considered to be a further contributory factor.

Redaction and anonymisation of data is very important when an agency releases it to a third party, either through the FOI process or other means. The issue with anonymisation will be particularly important. With greater sophistication and the lower cost of developing algorithms, the chance of aggregating data to identify individuals is greater than ever before.

When the amendments to the Privacy Act take effect on 12 March 2014, the mistakes that Islington made would almost certainly be a breach of the Australian Privacy Principles and probably a serious interference with personal information. Much of the material released falls into the category of “sensitive information” under the Act. That could result in a civil penalty action in the Federal Court.

It will be interesting to observe how the jurisprudence develops in Federal Court civil penalty actions.  The court has wide and long experience in trade practices, consumer and corporations penalty actions.  But privacy issues are discrete.  There are similar public interest considerations but also quite different issues where the established principles are not easily translatable.  The UK jurisprudence is likely to be influential.  On quantum the penalty notices of the Information Commissioner will be a useful resource.  In the United States the FTC has been active in dealing with data breaches and has built up an impressive body of law.

 
