A Private Data Leak by Islington Council – mySociety’s Statement

The local press in Islington has just reported the accidental release of quite a bit of sensitive personal data by Islington council.

One of our volunteers, Helen, was responsible for spotting that Islington had made this mistake, and so we feel it is appropriate to set out a summary of what happened, to inform journalists and citizens who may be interested.

Note – Concerned residents should contact Islington Council or the Information Commissioner’s Office.

On 27th May a user of our WhatDoTheyKnow website raised an FOI request to Islington Borough Council. On the 26th June the council responded to the FOI request by sending three Excel workbooks. Unfortunately, these contained a considerable amount of accidentally released, private data about Islington residents. In one file the personal data was contained within a normal spreadsheet; in the two other workbooks the personal data was contained on four hidden sheets.

All requests and responses sent via WhatDoTheyKnow are automatically published online without any human intervention – this is the key feature that makes this site both valuable and popular. So these Excel workbooks went instantly onto the public web, where they seem to have attracted little attention – our logs suggest 7 downloads in total.

Shortly after sending out these files, someone within the council tried to delete the first email using Microsoft Outlook’s ‘recall’ feature. As most readers are probably aware, normal emails sent across the internet cannot be remotely removed using the recall function, so this first mail, containing sensitive information both in plain sight and in (trivially) hidden forms, remained online.

Unfortunately, this wasn’t the only mistake on the 26th June. A short while later, the council sent a ‘replacement’ FOI response that still contained a large amount of personal information, this time in the form of hidden Excel tabs. As you can see from this page on the Microsoft site, uncovering such tabs takes seconds, and only basic computer skills.
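A pre-release check for the hidden-tab problem described above, as an added example that is not part of mySociety's statement or code: it reads the sheet visibility flags out of an OOXML workbook so that an attachment with hidden sheets can be held back before it is sent. It assumes `.xlsx`/`.xlsm` files in the Transitional format; the function names are hypothetical, and `make_sample_workbook` only builds constructed sample input.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Transitional SpreadsheetML namespace (assumption: not a Strict OOXML file).
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def hidden_sheets(xlsx):
    """Return [(sheet name, state)] for each sheet that is not plainly visible.

    xlsx is a path or binary file object. Excel stores visibility in the
    `state` attribute of <sheet>: absent/"visible", "hidden" or "veryHidden".
    Assumes the workbook part is at xl/workbook.xml, where Excel writes it.
    """
    with zipfile.ZipFile(xlsx) as z:
        root = ET.fromstring(z.read("xl/workbook.xml"))
    return [
        (s.get("name"), s.get("state"))
        for s in root.findall("m:sheets/m:sheet", NS)
        if s.get("state", "visible") != "visible"
    ]


def release_blockers(attachments):
    """Map attachment name -> hidden sheets for workbooks that should be held."""
    report = {}
    for name, data in attachments.items():
        hits = hidden_sheets(io.BytesIO(data))
        if hits:
            report[name] = hits
    return report


def make_sample_workbook(sheets):
    """Constructed sample input: a zip holding only xl/workbook.xml."""
    rows = "".join(
        '<sheet name="%s" sheetId="%d" r:id="rId%d"%s/>'
        % (name, i, i, ' state="%s"' % state if state else "")
        for i, (name, state) in enumerate(sheets, 1)
    )
    xml = '<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>' % (
        NS["m"], REL, rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", xml)
    return buf.getvalue()
```

This flags hidden and very-hidden sheets only; personal data on a visible sheet, as in the first of the three workbooks, still needs a human review of the content before release.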

At no point on or after the 26th June did we receive any notification from Islington (or anyone else) that problematic information had been released not once, but twice, even though all mails sent via WhatDoTheyKnow make it clear that replies are published automatically online. Had we been told, we would have been able to remove the information quickly.

It was only by sheer good fortune that our volunteer Helen happened to stumble across these documents some weeks later, and she handled the situation wonderfully, immediately hiding the data, asking Google to clear their cache, and alerting the rest of mySociety to the situation. This happened on the 14th July, a Saturday, and over the weekend mySociety staff, volunteers and trustees swung into action to formulate a plan.

The next working day, Monday 16th July, we alerted both Islington and the ICO about what had happened with an extremely detailed timeline.

The personal data released by Islington Borough Council relates to 2,376 individuals/families who have made applications for council housing or are council tenants, and includes everything from name to sexuality. It is for the ICO, not mySociety, to evaluate what sort of harm may have resulted from this release, but we felt it was important to be clear about the details of this incident.

12 Comments

  1. You are simply too good to be true!!!

    Long live MySociety and WhatDoTheyKnow!!!

    More power to your elbows!!!

    My sense is that there is a huge potential for people to analyse and produce reports from your requests and answers. How much of it could be done automatically for ‘smart reviewers’ to analyse and ‘add value’, I wonder???

    With my very best wishes for more and more power to your elbows,
    Sabine

  2. After reading about Islington Council’s blunder which they did twice, is quintessential of our councils for they are bogged down with a mountain load of paperwork which will at times be leaked/released through sheer carelessness, with so much to categorize arrange and grade there will obviously be mistakes in the making, and being made, they like you and me are after all only human. I like how our society did handle this situation and although some people shall be annoyed that their names and records were publicised (and I sympathise with them) but please remember there has been worse leaks/releases by our so called leaders of our country who make the biggest blunders “EVERY DAY” and manage to cover them up, or feed us with a sheer load of excuses when they are accidentally or intentionally released.

  3. We have recently written to the PM and Bob Kerslake, that good governance is an ideal rarely achieved even within democratic governments. This gross failure is largely due to inept officials being promoted to high office.
    Their lack of accountability means they fail to meet the proper needs of society, such ham-fisted acts normally have the official ‘lid’ put on them.
    My point is we are festooned with public sector incompetence – MPs who should be more aware of this, seem no more than PR units for inept officialdom.

  4. This is valuable information on how ‘data protection’ is abused in favour of those with unhealthy vested interests and used against anyone seeking lawful information on their own or their loved ones’ behalf.

    It seems to me that this data is used to ‘mine’ family histories and circumstances regards to pernicious access to children. I’d like to be proven wrong.

    Thanks for alerting us all to this, it is timely.

  5. Brilliant, brilliant work! You provide invaluable democratic services to us UK citizens with your facilities and ideas, and manage it superbly. Thanks x

  6. Tom,
    Congratulations to all at MySociety for the High Levels of Transparency and Integrity with which this has been handled. Keep up the good work

  7. Well done to Helen and others at MySociety for ‘mopping up’. I hope that you will monitor the ICO’s response and press for punitive action against the council. Successive governments are very keen to acquire personal data, and of course (try to) convince us that its security is paramount. The reality is far too often very different!

  8. Just well done mySociety. I’m not very computer literate having left school before the digital let alone the computer eras so I struggle with a lot of internet ‘stuff’ but yours is accessible, practical & ethical & I’m very pleased to have come across mySociety.

  9. antigone savva

    The answer lies in the motive and it’s to scare the Chair Of Housing who has a great deal of gay support in asking questions about the cost of PFI and the running of the ALMO which is costly, ineffective and nepotistic and smacks of the old school ‘freemasonry’ which was rampant in the borough. A full inquiry should take place

  10. As someone else said, mistakes will happen and it does not look as though this was anything except an error made through ignorance.

    Everyone working for anyone with data held on a computer (including e-mail) should have this drummed into them:

    Just because you can’t see information, that doesn’t mean no one else can find it.