Council issued with reprimand following leak of personal details of employees
The Information Commissioner has issued Southend-on-Sea City Council with a reprimand after the personal details of council employees were accidently leaked in response to a Freedom of Information (FoI) request.
The Commissioner found the cause of the breach was a “lack of proper checks” for hidden data prior to the releasing of the spreadsheet.
The infringement of the UK GDPR occurred when a response to a FOI request was provided to the What Do They Know (WDTK) website.
The response included a spreadsheet which contained personal data hidden within the files provided – including the personal details of Council employees and former employees, and certain other groups of people associated with the Council such as agency workers and office holders.
The Commissioner noted: “The list of employees and former employees contained a significant amount of personal information, including special category data and listed contact details, employment and pay details, and health, gender, and ethnicity information.”
Although the watchdog found no evidence of the hidden data being used, it warned that the possibility that malicious actors may access and exploit the data remains.
The watchdog concluded that Southend had shown a “failure to comply” with data protection legislation by the disclosure of special category data, attributing this to “the failures in training and awareness of the packages that the Council uses”.
The Commissioner noted that following the incident, the authority has implemented some “wide ranging” remedial measures to counter the breach, including measures to improve the security of the data it provides when responses are provided to FOI requests going forward.
However, it recommended the following further action to:
- ensure that all staff across the council, who use Excel as part of their role are fully trained and conversant with all relevant Excel tools, in particular the ‘Inspect Document’ option; and
- ensure that all proposed remedial measures are implemented.
Cllr Cowan, leader of Southend-on-Sea City Council, said: “Following our self-reporting of a potential data breach to the Information Commissioners Office at the start of November 2023, we have now received their formal response.
“We welcome the Information Commissioner’s findings and for their recognition of our swift remedial steps to strengthen our approach to Information Governance and the action taken since. We have updated our Freedom of Information protocols, provided additional staff training, and introduced more stringent checks to ensure that personal data remains secure.
“We accept the ICO’s recommendation regarding providing further training, which is already being progressed.”
Lottie Winson