The Kensington and Chelsea London Borough Council (Council) was recently fined £120,000 (approximately AUD$217,920) by the UK Information Commissioner’s Office (ICO) for the unauthorised processing of personal data belonging to 943 people who owned vacant properties in the Borough.
The Council had received three separate Freedom of Information (FOI) requests from applicants seeking statistical information, including the addresses of empty properties in the Borough. The three FOI applicants all had links to a national newspaper.
In response to these requests, the Council created a pivot table that included a list of named owners against the addresses of empty properties in the Borough. The Council used this information to compile a list of the number of empty properties in the Borough, then copied and pasted it into a new Excel spreadsheet to be provided to the FOI applicants. The Council FOI Team checked the spreadsheet and clicked it once to check for hidden data. The spreadsheet was then sent to the FOI applicants.
Unfortunately, the FOI Team was not aware that the spreadsheet contained underlying data. By double-clicking any cell in the spreadsheet, the identities of 943 property owners in the Borough and their addresses could be revealed. The names and addresses of the property owners were published in the newspaper. Some of these property owners were high-profile individuals.
This case is another example of how simple errors and a lack of staff training can lead to serious privacy breaches and financial consequences for an organisation. Staff training and clear guidance on the use of Excel and the de-identification of data are great ways to mitigate the risk of these sorts of data breaches occurring. Your staff are the frontline in the battle to ensure your privacy compliance.
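A pre-release check for the failure described above, as an added example that is not from the original article or the ICO notice: it inspects an .xlsx package for retained pivot cache parts (the underlying records that a double-click on a pivot table can expose) and, going slightly beyond the case in the text, for hidden sheets. The function names and the sample workbook contents are constructed for illustration.

```python
import io
import re
import zipfile

# Parts of an .xlsx (OOXML zip) package that can carry data not visible on the sheet.
PIVOT_CACHE = re.compile(r"^xl/pivotCache/pivotCache(Definition|Records)\d+\.xml$")
HIDDEN_SHEET = re.compile(rb'<sheet\b[^>]*\bstate="(hidden|veryHidden)"[^>]*>')
SHEET_NAME = re.compile(rb'\bname="([^"]*)"')

def release_findings(xlsx_bytes):
    """Return a list of reasons this workbook should not be released as-is."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        parts = pkg.namelist()
        for part in parts:
            m = PIVOT_CACHE.match(part)
            if m and m.group(1) == "Records":
                size = pkg.getinfo(part).file_size
                findings.append(f"pivot cache records retained: {part} ({size} bytes)")
            elif m:
                # The definition can still list each field's distinct values.
                findings.append(f"pivot cache definition present: {part}")
        if "xl/workbook.xml" in parts:
            for tag in HIDDEN_SHEET.finditer(pkg.read("xl/workbook.xml")):
                name = SHEET_NAME.search(tag.group(0))
                label = name.group(1).decode() if name else "?"
                findings.append(f"hidden sheet ({tag.group(1).decode()}): {label}")
    return findings

def build_sample(with_hidden_data):
    """Constructed minimal package for the demo; not a complete Excel workbook."""
    buf = io.BytesIO()
    state = ' state="hidden"' if with_hidden_data else ""
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml",
                   '<workbook><sheets><sheet name="Summary" sheetId="1"/>'
                   f'<sheet name="Source" sheetId="2"{state}/></sheets></workbook>')
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet><sheetData/></worksheet>")
        if with_hidden_data:
            z.writestr("xl/pivotCache/pivotCacheDefinition1.xml", "<pivotCacheDefinition/>")
            z.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                       '<pivotCacheRecords count="1"><r><s v="Constructed Owner"/>'
                       '<s v="1 Example Street"/></r></pivotCacheRecords>')
    return buf.getvalue()

if __name__ == "__main__":
    for line in release_findings(build_sample(True)):
        print("BLOCK RELEASE:", line)
```

An empty result covers only pivot caches and hidden sheets; it does not rule out other carriers of hidden data in a workbook.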
The full text of the ICO’s monetary penalty notice can be found online.