In recent news there have been reports of personal data breaches that have resulted from the release of information in response to a freedom of information request. Charlotte Smith looks at the issues involved.
Recently there was a news report that both Norfolk and Suffolk Constabularies have suffered personal data breaches as a result of releasing information in response to a freedom of information (FOI) request asking for crime statistics. In response to the FOI request, raw data was released which included personally identifiable information.
Earlier in August it was reported that the Police Service of Northern Ireland had also suffered a personal data breach after inadvertently disclosing the personal data of police staff in a response to an FOI request. The request asked for the number of officers under particular ranks, but in error a response was provided which released a list of police staff names.
These news stories are also a reminder that personal data breaches can result from the actions of an organisation themselves and will not always be caused by a cybersecurity incident.
Public bodies are under obligations to respond to requests for information in accordance with their obligations under the Freedom of Information Act 2000. In some cases, information within the scope of the request may include personal data which can be exempt from disclosure under the Act. It is usual practice for information to be released in a redacted form with personal data removed.
When carrying out the redactions of personal data from responses to FOI requests, it is important that robust measures are taken to ensure that personal data cannot be found or recovered. Such measures will include the use of technical tools as well as training to ensure that staff in the FOI team know how to identify personal data and apply redactions appropriately.
Breaches caused by errors in the redaction of information is a point the Information Commissioner’s Office (ICO) has taken enforcement action over before. This has included the following actions:
- Thames Valley Police were issued with a reprimand from the ICO in May 2023. The ICO issued the reprimand after information was disclosed which ultimately resulted in suspected criminals learning the address of a witness. The published reprimand from the ICO notes that, the force had not evidenced that the officer who provided the information had received redaction training and that there was no oversight of the redaction process.
- In November 2021, the Cabinet Office was fined £500,000 after a file containing the 2020 New Year Honours list was published online erroneously containing unredacted home addresses. The breach was realised within an hour and a new file was uploaded, but the original file had been cached and continued to be accessible for a short while longer. In total, the file was only accessible for 2 hours and 21 minutes but was accessed 3872 times.
- In 2018, the Royal Borough of Kensington and Chelsea was fined £120,000 after a response to an FOI request released personal data in error. Following the tragic fire at Grenfell Tower, the Council received FOI requests from journalists asking for information about empty properties in the Borough. A spreadsheet detailing the number of empty properties was compiled but the underlying personal data in the pivot table was not removed. Therefore the spreadsheet contained the names of the owners of the relevant empty properties. The ICO found that the Council had not provided adequate training to the FOI team and that there was a lack of guidance on checking spreadsheets for hidden data.
Public bodies will also be aware of the increased scrutiny from the ICO regarding the need to comply with FOI obligations. Before 2022, the last enforcement notice issued by the ICO in relation to FOI compliance was issued in 2015. In contrast, from 2022 – 2023 the ICO has published at least six enforcement notices relating to FOI compliance.
It is as important as ever that public bodies continue to put in place robust procedures which enable them to respond promptly to freedom of information requests, whilst also ensuring public bodies are maintaining compliance with their data protection obligations.
Charlotte Smith is a Senior Associate at Sharpe Pritchard LLP.
For further insight and resources on local government legal issues from Sharpe Pritchard, please visit the SharpeEdge page by clicking on the banner below.
This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published. If you would like further advice and assistance in relation to any issue raised in this article, please contact us by telephone or email