WhatDoTheyKnow, a website that automates and publishes freedom-of-information (FOI) requests, has recorded 154 accidental data leaks made by public bodies since 2009.
This amounts to confidential data being wrongly released once every fortnight by local councils, government departments, police, the NHS and other public bodies.
Not every FOI request is made through WhatDoTheyKnow, so the total number of public sector data breaches is likely to be much higher.
Under the Freedom of Information Act, anyone in the UK can request information from a public body.
Public authorities operate under a code of conduct that requires personal information to be removed or anonymised before data is released.
For example, while a request for the number of people on a council housing waiting list may be calculated from a list including names, addresses and the reason for housing need, the information provided should not include those details.
Accidental data releases become particularly problematic when the data requested concerns the details of potentially vulnerable people.
Regular perpetrators include Islington Borough Council, which has accidentally leaked data five times since 2009, Brighton & Hove City Council four times and the Department of Health three times.
The Home Office, the Cabinet Office, the Foreign Office, the House of Commons, the Ministry of Defence and the UK Supreme Court are also on the list of public bodies that have made the same privacy-violating mistake.
Hidden data is not always hidden
When users request information through WhatDoTheyKnow, the answers are often provided in an Excel spreadsheet. Private data is usually leaked when a staff member doesn’t understand how to anonymise it effectively.
For example, data that is in hidden tabs or pivot tables can be revealed by anyone who has basic spreadsheet knowledge with just a couple of clicks.
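A pre-release check for the two cases named above can be scripted, as in this added example, which is not part of the original article. It reads an .xlsx file as the zip package it is and reports hidden sheets and pivot cache records; the function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def find_hidden_content(xlsx_bytes):
    """Return (kind, detail) findings that should block release of an .xlsx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        workbook = ET.fromstring(pkg.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            # state is "visible" (the default), "hidden" or "veryHidden"
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append((state + "-sheet", sheet.get("name")))
        for name in pkg.namelist():
            # Pivot cache records keep a copy of the pivot table's source rows,
            # even when the visible sheet only shows totals.
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                records = ET.fromstring(pkg.read(name))
                rows = len(records.findall("m:r", NS))
                findings.append(("pivot-cache", f"{name}: {rows} cached rows"))
    return findings

def build_sample():
    """Constructed minimal package: only the parts this check reads."""
    main = NS["m"]
    workbook = (
        f'<workbook xmlns="{main}"><sheets>'
        '<sheet name="Summary" sheetId="1"/>'
        '<sheet name="Applicants" sheetId="2" state="hidden"/>'
        '</sheets></workbook>'
    )
    cache = (
        f'<pivotCacheRecords xmlns="{main}" count="2">'
        '<r><s v="Constructed Name A"/><s v="1 Example Street"/></r>'
        '<r><s v="Constructed Name B"/><s v="2 Example Street"/></r>'
        '</pivotCacheRecords>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/workbook.xml", workbook)
        pkg.writestr("xl/pivotCache/pivotCacheRecords1.xml", cache)
    return buf.getvalue()

if __name__ == "__main__":
    for kind, detail in find_hidden_content(build_sample()):
        print(kind, detail)
```

An empty result does not prove a file is clean: hidden rows and columns, comments and document properties are outside what this check covers.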
Data held by public authorities can be extremely sensitive, such as lists of people on a child protection register or, as happened back in 2012, the name and sexuality of all council housing applicants.
The revelation comes after an incident earlier this month in which Northamptonshire County Council accidentally published data on over 1,400 children, including their names, addresses, religion and SEN status.
WhatDoTheyKnow volunteers were able to remove it within a few hours of publication, and the incident was reported to the Information Commissioner’s Office. Concerned residents should contact the ICO or the council itself.
“Because of [our] policy of making information accessible to all, by publishing it on the site, it’s now possible to see what an endemic problem this kind of treatment of personal data is,” said a spokesperson from WhatDoTheyKnow.
Tony Pepper, CEO at encryption service provider Egress, added: “The fact that these breaches are happening so regularly demonstrates a shocking lack of security, that is completely unacceptable – particularly when you consider the sensitive nature of the data public sector organisations are handling.”