Failure to use Excel spreadsheets properly led to disclosure of addresses of vacant properties and names of owners
The Information Commissioner’s Office (ICO) has hit the Royal Borough of Kensington & Chelsea with a £120,000 fine after mistakes with digital records led it to unlawfully identify 943 people who owned vacant properties in the borough.
Names of the owners and the addresses of their unoccupied homes were sent to three journalists who had requested statistical information under the Freedom of Information (FoI) Act.
The incident occurred in the aftermath of the Grenfell Tower fire in June of last year in which 71 people died. It led to calls for empty homes in the surrounding area to be requisitioned to provide housing for the people who had been evacuated from the tower.
At the end of June the council received three requests for statistical information used in a report in 2015; specifically the addresses of empty properties in the borough.
As the council no longer held the information, different sources were combined to produce an Excel spreadsheet that included named owners against the addresses of empty properties. This was not originally intended to be disclosed, but an oversight led to it being included as hidden data on the spreadsheet made available to the FoI applicants: it could be revealed with a double click.
This led to the publication on newspaper websites of the number of empty properties with details of three high profile owners. In addition, the spreadsheet was published on one journalist’s online blog for an hour.
Inadequate training
The ICO decided that Kensington & Chelsea failed to take appropriate organisational measures against the unauthorised processing of personal data. Specifically, it did not provide its FoI team with adequate training on how to use Excel spreadsheets or their alternatives, and had no guidance in place to check for data hidden in any pivot table before disclosure under FoI.
All this was likely to cause damage and distress to the subjects, the ICO ruled, and that it was appropriate to impose a fine.
“The commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the DPA, and this is an opportunity to remind data controllers who use spreadsheets that personal information can be hidden from plain sight,” it said in its ruling.
Picture by Chiral John, CC BY 2.0 through flickr