Management > Identity

ICO hits Kensington and Chelsea with £120K fine over Data Protection Act breach

David Bicknell Published 17 April 2018

Breach caused by council not providing FOI team with adequate training and guidance to check spreadsheets for data hidden in pivot tables before FOI disclosure

 

The Information Commissioner’s Office (ICO) has fined the Royal Borough of Kensington and Chelsea £120,000 for a serious breach of the Data Protection Act.

The fine, which could be reduced by 20% of £96,000 if payment is made by May 10, relates to a breach of the seventh data protection principle which says that “appropriate technical measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The ICO argued that the council had unlawfully identified 943 people who owned vacant properties in the borough. Names of the owners and the addresses of their unoccupied homes were sent to three journalists who had requested statistical information under the Freedom of Information Act 2000 (FOIA).

The background to the case has its roots in the tragic Grenfell Tower fire which broke out on June 14 last year causing 71 deaths.

In the aftermath of the fire, the council received three separate Freedom of Information (FoI) requests for the statistical information used in a report in specifically, and specifically the addresses of empty properties in the Borough.

However, the ICO’s judgement said, the statistical information was no longer held by the council and a member of the ‘Revenue Systems Administration’ team produced a pivot table that included a list of named owners against the addresses of empty properties in the borough. The council did not intend to disclose the information because of the risk of criminal activity.

The council tax manager then compiled a list of the number of empty properties in the Borough to be disclosed to the applicants, and copied and pasted the information into a new Excel spreadsheet and sent it to the FOI team. However, the underlying personal data on the pivot table had not been removed.

A member of the FOI team then scrolled over the spreadsheet and clicked it once to check for hidden data. Double clicking on any cell would have revealed the identities of 943 empty property owners in the Borough and their addresses, the ICO judgement said. 

However on July 21 2017, the spreadsheet was sent to the applicants by email with the underlying personal data on the pivot table, and subsequently  the number of empty properties in the Borough was published on the newspapers’ website together with the names of three high profile owners.

The ICO found that the council had contravened the Data Protection Act by not providing the FOI team with any or adequate training on the functionality of Excel spreadsheets or possible alternatives, and had in place no guidance for the FOI team to check spreadsheets for data hidden in any pivot table before they are disclosed under FOI.

The ICO judgement pointed out that the Commissioner’s office issued two monetary penalty notices on 30 July 2012 at Torbay NHS Trust and 28 April 2016 at Blackpool NHS Trust, which raised awareness about the issue of data that could be hidden in pivot tables. The Commissioner’s office had also published a blog on 28 June 2013 entitled, “The risk of revealing too much.”   

 

 








We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.