ICO (UK) - London Borough of Hammersmith & Fulham Council
| ICO - London Borough of Hammersmith & Fulham Council | |
|---|---|
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 24(2) UK GDPR; Article 32(1) UK GDPR; Article 5(1)(f) UK GDPR; Article 5(2) UK GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 21.05.2025 |
| Published: | |
| Fine: | n/a |
| Parties: | London Borough of Hammersmith & Fulham Council |
| National Case Number/Name: | London Borough of Hammersmith & Fulham Council |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | cci |
The DPA reprimanded a local authority over a data breach. The authority accidentally disclosed a large set of personal data in response to an FOI request.
English Summary
Facts
In 2021 the Council of the London Borough of Hammersmith & Fulham (the controller) responded to a freedom of information (FOI) request from the non-profit group mySociety. As part of the response, the controller inadvertently included an Excel sheet containing hidden personal data on more than 6,000 individuals, including more than 2,000 children.
Both the controller and mySociety published the Excel sheet on their respective websites. Two years later, mySociety discovered the hidden data and notified both the controller and the DPA of the breach. Both mySociety and the controller immediately removed the sheet from their websites.
In response to the breach, the controller engaged cyber incident response partners, who found no evidence that the hidden data had been leaked further on the Internet.
Holding
The DPA held that the controller failed to implement appropriate technical and organizational measures to prevent data breaches. In particular, the controller did not provide employees with training or guidelines on how to use Excel safely for FOI responses, did not instruct them to check for hidden data or to convert Excel sheets to CSV format before disclosure, and did not implement the best practices endorsed by the DPA itself in its guidance.
For these reasons, the DPA found that the controller violated Articles 5(1)(f), 5(2), 24(1) and 32(1) of UK GDPR and issued a reprimand.
The DPA deemed further measures unnecessary for several reasons. In particular, it considered it unlikely that unauthorized access had actually taken place, and pointed out that most of the data were already outdated at the time of the breach.
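The technical measure the ICO faulted the Council for lacking is a pre-disclosure check for hidden content. The following is an added example, not part of the ICO decision or the Council's own process, showing how such a check can be done on an .xlsx with the Python standard library alone; the sample workbook is constructed inline and the `find_hidden_content` / `build_sample_workbook` names are the example's own.

```python
"""Pre-disclosure check for hidden content in an .xlsx (added example, stdlib only).
An .xlsx is a zip of OOXML parts, so we can inspect the three places Excel hides data: sheets
marked hidden/veryHidden in xl/workbook.xml, and rows or columns flagged hidden="1" in each sheet part."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}


def find_hidden_content(xlsx_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no hidden content was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        # 1. Whole sheets hidden in the workbook part (veryHidden cannot be unhidden from the UI).
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state in ("hidden", "veryHidden"):
                findings.append(f"sheet {sheet.get('name')!r} is {state}")
        # 2. Hidden rows and column ranges inside every worksheet part, visible sheet or not.
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            ws = ET.fromstring(zf.read(part))
            rows = [r.get("r") for r in ws.findall("m:sheetData/m:row", NS) if r.get("hidden") == "1"]
            if rows:
                findings.append(f"{part}: hidden rows {', '.join(rows)}")
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") == "1":
                    findings.append(f"{part}: hidden columns {col.get('min')}-{col.get('max')}")
    return findings


def build_sample_workbook() -> bytes:
    """Constructed fixture, not a real council file: a visible 'Summary' sheet plus a hidden
    'Raw data' sheet that also hides row 2 and column C. Rels/content-type parts are omitted."""
    workbook = (f'<workbook xmlns="{MAIN_NS}"><sheets><sheet name="Summary" sheetId="1"/>'
                '<sheet name="Raw data" sheetId="2" state="hidden"/></sheets></workbook>')
    summary = f'<worksheet xmlns="{MAIN_NS}"><sheetData><row r="1"/></sheetData></worksheet>'
    raw = (f'<worksheet xmlns="{MAIN_NS}"><cols><col min="3" max="3" hidden="1"/></cols>'
           '<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", summary)
        zf.writestr("xl/worksheets/sheet2.xml", raw)
    return buf.getvalue()
```

Any non-empty result is a reason to block the release until the hidden content has been reviewed and removed from the copy that goes out.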