ICO reprimands London council for exposing personal details of 6,528 people for almost two years

The Information Commissioner’s Office (ICO) has reprimanded the London Borough of Hammersmith and Fulham (the council) after it left exposed the personal information of 6,528 people for almost two years.

The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information.

Investigation findings

The council’s response included an excel spreadsheet which contained 35 hidden workbooks. Almost two years later in November 2023, following a review of information on its site, WDTK informed the council the response included personal information. The information was immediately removed from both sites.

In total 6,528 people were affected, with 2,342 being children. The personal information relating to the children was classed as sensitive as it included details of looked after children, 96 of whom were unaccompanied asylum-seeking children.

In reaching its final decision, the ICO took into account a number of mitigating factors including the published personal information was almost three years old and there was no evidence that it had been inappropriately accessed or used. The ICO also considered the remedial action the council took to contain the impact of the breach notably updating guidance and procedures and ensuring staff undertook training.

Sally Anne Poole, ICO Head of investigations, said: “It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.

“In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”

Investigation recommendations

The reprimand details a number of recommendations the ICO expects the council to take. These recommendations are relevant to all public authorities responding to FOI requests and include:

• Considering implementing the use of the ICO sign off checklist when releasing information that contains excel spreadsheets.
• Considering that all material prepared for disclosure is signed off by a manager.
• Review and update online training and guidance and continually embed this with staff.

-ends-

Notes to editors

1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations. 
3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. 
4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.