UK public bodies accidentally release private data at least once a fortnight

Private data, containing personal details of the general public, is accidentally released by public authorities at least once a fortnight, say mySociety.

The volunteer team behind WhatDoTheyKnow, mySociety’s freedom of information website, have dealt with 154 accidental data leaks made by bodies such as councils, government departments and other public authorities since 2009, and these are likely to represent only the tip of the iceberg.

On the basis of this evidence, we are again issuing an urgent call for public authorities everywhere to tighten up their procedures.

How WhatDoTheyKnow works

Under the Freedom of Information act, anyone in the UK may request information from a public body.

WhatDoTheyKnow makes the process of filing an FOI request very easy: users can do so online. The site publishes the requests and their responses, creating a public archive of information.

Public authorities operate under a code of conduct that requires personal information is removed or anonymised before data is released: for example, while a request for the number of people on a council housing waiting list may be calculated from a list including names, addresses and the reason for housing need, the information provided should not include those details.

Accidental data releases become particularly problematic when the data requested concerns the details of potentially vulnerable people.

Hidden data is not always hidden

When users request information through WhatDoTheyKnow, it’s often provided in the form of an Excel spreadsheet. But unfortunately, private data is sometimes included on those spreadsheets, usually because the staff member who provides it doesn’t understand how to anonymise it effectively.

For example, data which is in hidden tabs, or pivot tables, can be revealed by anyone who has basic spreadsheet knowledge, with just a couple of clicks.

By its very nature, data held by our public authorities can be extremely sensitive: imagine, for example, lists of people on a child protection register, lists of people who receive benefits, or as happened back in 2012, a list of all council housing applicants, including each person’s name and sexuality.

Our latest warning is triggered by an incident earlier this month, in which Northamptonshire County Council accidentally published data on over 1,400 children, including their names, addresses, religion and SEN status. Thanks to the exceptionally fast work of both the requester and the WhatDoTheyKnow volunteers, it was removed within just a few hours of publication, and the incident has been reported to the Information Commissioner’s Office. Concerned residents should contact the ICO or the council itself.

Advice for FOI officers

Back in June 2013, we set out the advice that we think every FOI officer should know. That advice still stands:

  • Don’t release Excel pivot tables created from spreadsheets containing personal information, as the source data is likely to be still present in the Excel file.
  • Ensure those within an organisation who are responsible for anonymising data for release have the technical competence to fulfil their roles.
  • Check the file sizes. If a file is a lot bigger than it ought to be, it could be that there are thousands of rows of data still present in it that you don’t want to release.
  • Consider preparing information in a plain text format, eg. CSV, so you can review the contents of the file before release.

Part of a larger picture

Not every FOI request is made through WhatDoTheyKnow—many people will send their requests directly to the public authority. Moreover, we can only react to the breaches that we are aware of: there are, in all probability, far more which remain undiscovered.

But because of WhatDoTheyKnow’s policy of making information accessible to all, by publishing it on the site, it’s now possible to see what an endemic problem this kind of treatment of personal data is.

When we come across incidents like these, we act very rapidly to remove the personal information. We then inform the public authority who provided the response. We encourage them to self-report to the Information Commissioner’s Office, and where the data loss is very serious, we may make an additional report ourselves.

Image: Iain Hinchliffe (CC)

2 Comments

  1. Umm…What Do They Know requests are automatically published, apparently without any controls over whether someone has included their own (or someone else’s) personal data. Is What Do They Know a data controller in this context? Has the data subject given their consent? An a example is below where someone’s full address is now in the public domain thanks to What Do They Know:

    https://www.whatdotheyknow.com/request/citizenship_5

    • J Smith,

      Thanks for drawing that request to our attention. We have now removed the personal information from it.

      During the process of making a request we prominently warn users:

      Everything that you enter on this page will be displayed publicly on this website forever

      Despite this and our other efforts sometimes users will accidentally or inappropriately publish their, or others’, personal information.

      We have a “report this request” button alongside every correspondence thread which can be used for drawing matters such as these to the attention of the site’s largely volunteer administrators. We remove accidentally published personal information, and other extraneous material from requests.

      We do not moderate requests, responses and annotations prior to their publication on our site. We are keen to run our service responsibly and carefully consider any concerns raised or requests to take material down and rapidly act as appropriate.

      A section of our help pages deals with who is responsible for the site and our registration as a data controller:

      https://www.whatdotheyknow.com/help/about#who

      Richard – WhatDoTheyKnow.com volunteer