The Information Commissioner’s Office (ICO) has reprimanded the London Borough of Hammersmith and Fulham after it left exposed the personal information of over 6,000 people for almost two years.
The personal data breach occurred when the council responded to a freedom of information (FoI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021.
The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information, and an Excel spreadsheet that contained 35 hidden workbooks.
Almost two years later in November 2023, following a review of information on its site, WDTK informed the council the response included personal information - which was immediately removed from both sites.
In total 6,528 people were affected, with 2,342 being children, some of whom were looked after and 96 unaccompanied asylum seekers.
Mitigating factors
In reaching its final decision, the ICO took into account a number of mitigating factors, including that the published personal information was almost three years old and there was no evidence that it had been inappropriately accessed or used. It also considered the remedial action the council took to contain the impact of the breach, notably updating guidance and procedures and ensuring staff undertook training.
Sally Anne Poole, ICO head of investigations, said: “It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.
“In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”
The reprimand details a number of recommendations the ICO expects the council to take. These are: to consider implementing the use of the ICO sign-off checklist when releasing information that contains excel spreadsheets; consider that all material prepared for disclosure is signed off by a manager; and review and update online training and guidance and continually embed this with staff.
