Peter A Clarke

The London Borough of Hammersmith and Fulham has been reprimanded by the UK Information Commissioner’s Office for leaving personal information of 6,528 people, including 2,342 children (worse, of whom 96 were unaccompanied asylum seekers), on its publicly viewable site for almost 2 years. The breach was almost certainly caused by an action by an employee responding to an FOI request made by WhatDoTheyKnow.com in October 2021. In responding to the FOI request the council provided an Excel spreadsheet which contained 35 hidden workbooks. That material was posted on both the Council site as well as the WDTK site. It was WDTK that noticed the data breach when, in November 2023, while doing a review of information on its site it found the personal information and advised the Council. The information was immediately removed from both sites.

This type of mistake is quite common with government agencies.  It is human error.  Often a combination of a lack fo attention to detail and poor privacy training.

The ICO media release provides:

We have reprimanded the London Borough of Hammersmith and Fulham (the council) after it left exposed the personal information of 6,528 people for almost two years.  

The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information.  

Investigation findings 

The council’s response included an Excel spreadsheet which contained 35 hidden workbooks. Almost two years later in November 2023, following a review of information on its site, WDTK informed the council the response included personal information. The information was immediately removed from both sites. 

In total 6,528 people were affected, with 2,342 being children. The personal information relating to the children was classed as sensitive as it included details of looked after children, 96 of whom were unaccompanied asylum-seeking children.  

In reaching its final decision, we took into account a number of mitigating factors including the published personal information was almost three years old and there was no evidence that it had been inappropriately accessed or used. We also considered the remedial action the council took to contain the impact of the breach notably updating guidance and procedures and ensuring staff undertook training.  

Sally Anne Poole, ICO Head of investigations said: 

“It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.  

“In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”