Local Authority Reprimanded After Data Protection Breach

The Information Commissioner's Office (ICO) has issued a reprimand to a local authority in respect of a breach of Article 5(1)(f) of the UK General Data Protection Regulation.

The local authority had included a spreadsheet in its response to a Freedom of Information (FOI) request. The spreadsheet contained hidden data consisting of personal information relating to employees and former employees of the local authority, including contact details, employment and pay details, gender and ethnicity.

The ICO concluded that the breach had been caused by a lack of proper checks for hidden data before the spreadsheet was sent, and would not have occurred if staff had received appropriate training and guidance on hidden data and appropriate checking of documents. The spreadsheet had been checked by two members of staff prior to its release.

However, the ICO noted that there was no evidence that the data had been republished by anyone other than the organisation that had made the FOI request. Evidence indicated that the local authority's data protection training for staff was generally satisfactory, although more specialist training was needed. The local authority had been transparent and cooperative throughout the ICO's investigation.

The ICO also took into account that the local authority had implemented measures to counter the breach and to improve the security of data it provides when responding to FOI requests in the future.

Considering all the circumstances of the case, the ICO decided that the appropriate course of action was to issue a reprimand.