ICO (UK) - Southend-on-Sea City Council Reprimand

From GDPRhub
ICO - Southend-on-Sea City Council Reprimand
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.03.2023
Decided: 17.10.2024
Published: 17.10.2024
Fine: n/a
Parties: Southend on Sea City Council
National Case Number/Name: Southend-on-Sea City Council Reprimand
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: Mgrd

The ICO issued a reprimand to Southend-on-Sea City Council, in Essex, after hidden data on a spreadsheet released as part of a freedom of information request revealed the sensitive personal details of staff, violating Article 5 GDPR.

English Summary

Facts

On May 17, 2023, the Southend-on-Sea City Council, in Essex, responded to an freedom of information (FOI) request posted on the What Do They Know (WDTK) website (a public platform which allows individuals to submit requests to public bodies within the UK and all the request and the responses from the public bodies are published on the website, making them publicly accessible).

The response included a spreadsheet that contained hidden personal data of Council employees, former employees, and associated individuals, such as agency workers. This data included contact details, employment information, salary, health data, gender, and ethnicity.

The breach was only identified on October 27, 2023, five months later, when WDTK notified the Council. At the same time, the Council notified ICO about the data breach.

The Council’s lack of awareness and preparedness for handling hidden data in Excel spreadsheets was highlighted as the primary cause. Staff had not been adequately trained in using Excel’s “Inspect Document” feature, which would have allowed them to check for hidden data before releasing the document.

Holding

The ICO acknowledged the Council’s cooperation and transparency during the investigation, as well as the steps taken to mitigate the breach’s impact.

However, due to the initial failure to ensure secure data processing, the ICO issued a reprimand, since the Council's failing to adequately protect sensitive employee data due to insufficient Excel training and awareness, emphasizing the need for improved data handling practices to comply with Article 5(1)(f) UK GDPR.

In the reprimand, ICO recommended the implementation of all remedial actions to ensure future compliance and to provide training to all relevant staff on using Excel’s “Inspect Document” feature to prevent similar breaches.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DATA PROTECTION ACT 2018 AND UK GENERAL DATA
                       PROTECTION REGULATION

                               REPRIMAND


TO: Southend on Sea City Council

OF: Civic Centre, Victoria Avenue, Southend-on-Sea, Essex SS2 6ER



1.1 The Information Commissioner (the Commissioner) issues a
reprimand to Southend on Sea City Council (the Council) in accordance
with Article 58(2)(b) of the UK General Data Protection Regulation (UK
GDPR) in respect of certain infringements of the UK GDPR.


The reprimand

1.2 The Commissioner has decided to issue a reprimand to the Council in
respect of the following alleged infringements of the UK GDPR:


     Article 5 (1)(f) of UK GDPR which states that personal data shall be,
      “processed in a manner that ensures appropriate security of the
      personal data, including protection against unauthorised or unlawful
      processing and against accidental loss, destruction or damage using

      appropriate technical or organisational measures (integrity and
      confidentiality)”

1.3 The infringement occurred when a response to a Freedom of
Information (FOI) request was provided to the What Do They Know

(WDTK) website. The response included a spreadsheet which contained
personal data hidden within the files provided. The spreadsheet was a list
of the personal details of Council employees and former employees, and
certain other groups of people associated with the Council such as agency

workers and office holders.

1.4 The list of employees and former employees contained a significant
amount of personal information, including special category data and listed
contact details, employment and pay details, and health, gender, and

ethnicity information.

1.5 The reasons for the Commissioner’s findings are set out below.

1.6 Information had been provided to WDTK on 17 May 2023, in response

to a Freedom of Information (FOI) request. On 27 October 2023, five
months after the response to the FOI request was delivered, WDTK


                                     1advised the Council that an Excel spreadsheet submitted, had been found
to contain the hidden personal data. The incident affected over 2000
individuals and disclosed personal and special category data.


1.7 Although there has been no evidence of the hidden data being used,
the possibility that malicious actors may access and exploit the data
remains.


1.8 A further concern is that the intent of the Council to be transparent
about the breach in their public communications may have alerted those
in possession of the spreadsheet to the hidden data.


1.9 From the evidence presented, the cause of the breach was a lack of
proper checks for hidden data prior to the releasing of spreadsheet. This
can be directly linked to the lack of staff training with Excel software.
Specifically, that staff concerned were not taught how to use the available
‘Inspect Document’ option when checking Excel files. The error still

occurred despite the document being checked by two members of staff
prior to releasing the document to WDTK.

1.10 It is considered that this incident would not have occurred had the
members of staff concerned received training and documented guidance

on hidden data and how to appropriately check a document using the
‘Inspect Document’ function.

1.11 It was a concern that evidence pointed to the Council not being

openly aware of the possibility of an incident of this kind occurring. The
Council therefore did not make staff aware of a function that would have
protected the personal data. This is considered to be evidence of a lack of
understanding by the Council regarding the technology it has been using
for FOI requests.


1.12 Only after this incident occurred did the Council realise that it
needed to increase training and make staff aware of the ‘Inspect
Document’ tool to ensure that spreadsheets would be fully secure when
responding to FOI requests. It would be expected that a public

organisation of this type, particularly one that deals with substantial
amounts of personal data, would have identified this risk, and
implemented steps to prevent an incident of this nature occurring.

1.13 Overall, after reviewing all the evidence provided, this case has

shown a failure to comply with data protection legislation by the
disclosure of special category data. This is due to the failures in training
and awareness of the packages that the Council uses. This has given
cause for concern given the large amount of data subjects, and the

potential for a significant amount of damage to be caused to the data
subjects impacted.


                                      2Mitigating factors


1.14 In the course of the investigation, it was noted that there is no
evidence that the data has, been republished by anyone other than
WDTK. A Google analytics search for the dataset on the internet did not
produce any results.


1.15 Evidence also pointed to a generally satisfactory level of data
protection training for staff, though more specialist training was found to
be lacking.


1.16 The cooperation of the Council with this investigation has also been
a consideration. It was noted that the Council has been extremely open,
transparent, and cooperative with the ICO throughout the course of the
investigative process, something that has been appreciated.


1.17 The investigation has also noted the Council did have some steps in
place to prevent unauthorised disclosures which is evidenced by checks
conducted by two members of staff prior to disclosure to WDTK.

Remedial steps taken by the Council


1.18 The Commissioner has also considered and welcomes the remedial
steps taken by the Council following this incident. The Council has
implemented some wide ranging and appropriate remedial measures to

counter the breach. This is in order to ensure that the personal data of
those affected will remain as secure as possible, as well as measures to
improve the security of the data it provides when responses are provided
to FOI requests going forward.


1.19 The response from the Council immediately after being alerted to the
breach was positive with the Council swiftly confirming the extent of the
breach, verifying the extent of the personal and special category data
disclosed, and implementing its Data Security Incident Management
Procedure. It is noted that the Council took steps to contact all affected

data subjects, which was a significant number.

1.20 The ongoing remedial measures were also noted to be positive, with
further training planned and with increased FOI training. It was also noted
that since the breach, the Council’s FOI policy and procedure has been

updated to avoid the disclosure of Excel spreadsheets where possible but
includes the requirement to use the ‘Inspect Document’ facility when
Excel documents do need to be shared.






                                      3Decision to issue a reprimand

1.21 After considering all the circumstances of this case, including the

mitigating factors and remedial steps, the Commissioner has decided to
issue a reprimand to the Council in relation to the infringements of Article
5 (1)(f) of the UK GDPR set out above.

1.22 The Council was invited to provide representations. On 28 August

2024 the Council notified the ICO that it did not intend to make and
representations.

Further Action Recommended


1.23 The Commissioner has set out below certain recommendations which
may assist the Council in rectifying the infringements outlined in this
reprimand and ensuring the Council’s future compliance with the UK
GDPR. Please note that these recommendations do not form part of the

reprimand and are not legally binding directions. As such, any decision by
the Council to follow these recommendations is voluntary and a
commercial decision for the Council. For the avoidance of doubt, the
Council is of course required to comply with its obligations under the law.


1.24 If in the future the ICO has grounds to suspect that the Council is
not complying with data protection law, any failure by the Council to
rectify the infringements set out in this reprimand (which could be done
by following the Commissioner’s recommendations or taking alternative

appropriate steps) may be taken into account as an aggravating factor in
deciding whether to take enforcement action - see page 11 of the
Regulatory Action Policy Regulatory Action Policy (ico.org.uk) and Article
83(2)(i) of the UK GDPR.


1.25 The Commissioner recommends that the Council should consider
taking certain steps to improve its compliance with UK GDPR. With
particular reference to Article 5 (1)(f) of the UK GDPR, the following steps
are recommended:


1.   To ensure compliance with Article 5 (1)(f) of UK GDPR the Council
     should ensure that all proposed remedial measures are implemented.

2.   To ensure compliance with Article 5 (1)(f) of UK GDPR the Council
     should ensure that all staff across the Council, who use Excel as part

     of their role are fully trained and conversant with all relevant Excel
     tools, in particular the ‘Inspect Document’ option.







                                      4