The Information Commissioner's Office has fined Islington Borough Council £70,000 after highly sensitive information about residents was published in a response to a Freedom of Information request.
Earlier this year, the council received an FOI request relating to its Housing Performance Team via WhatDoTheyKnow.com, a website that helps members of the public submit requests.
In its response, the council included three spreadsheets that contained information on the housing needs of 2,375 residents. Contained within those spreadsheets was information about whether they had a history of mental illness or had suffered domestic abuse.
The data was not immediately apparent in the spreadsheets but was contained in a number of pivot tables, charts that summarise data. In its penalty notice, the ICO remarked that the data could be "revealed by a user with basic knowledge of Excel".
The information was available on WhatDoTheyKnow.com for three weeks before an website administrator noticed the problem, took down spreadsheets and notified the ICO.
An information governance officer had looked at the spreadsheets before approving them for publication, the ICO found in its investigation, but was "not familiar with pivot tables and was therefore unaware that there was data contained in a pivot table behind the worksheets".
According to logs from WhatDoTheyKnow.com, the spreadsheets were downloaded seven times.
The ICO felt a fine was appropriate because of the number of residents affected, the sensitivity of the data, and the lack of organisational precautions at Islington Council to prevent such an incident
The information governance officer was "not equipped with the knowledge, guidance and information governance tools to check the accuracy and content of the information being sent out", the ICO said in its penalty notice.
"This mistake not only placed sensitive personal information relating to residents at risk, but also the highlighted the lack of training and expertise within the council," said Stephen Eckersley, head of enforcement at the ICO.
"Councils are trusted with sensitive personal information, and residents are right to expect it to be handled in a proper way. Unfortunately, in this case that did not happen, and Islington Council must now explain to residents how it will stop these mistakes being repeated.”
The council does not plan to appeal the fine.
"We remain extremely sorry for the upset and worry this disclosure may have caused to some people," it said in a statement.
The council carried out a thorough investigation when this disclosure came to light, and we have since put in place more rigorous checks," it added. "The person who released the data did not have sufficient knowledge of spreadsheets to recognise the error or to put it right.
"All of our employees who are tasked with responding to FOI requests have now had additional training with an emphasis on how to prepare information for public release.
"We recognise it is our responsibility to protect people's personal data, and we failed. We're very sorry for that."
