Thoughts on Tribunal.

“One should not be privy to the contents of the Royal Privy.” Counsel at the initial case management hearing.

Just over four years ago I made an EIR request to the Royal Household asking for the minutes of their social responsibility committee, and last week I received the Upper Tribunal’s verdict on the matter – neither the Sovereign nor the Royal Household are Public Authorities under any of the heads of the legislation. I had a good idea that my appeal would fail after the CJEU judgement in Fish Legal moved the goalposts by rewriting the definition of public administrative functions, but I am happy that the matter was properly and fairly considered and that some useful case law was made along the way.

Others have talked about some of the precedent this has set regarding the interpretation of Article 2(2)(b) of the directive. I would only add, that as paragraph 133 of the judgement makes clear, regulation 2(2)(c) of the EIR makes no reference to the environment, and so is potentially broader than the definition in the directive, allowing bodies who perform public administrative functions that don’t relate to the environment to be caught.

I’m not going to say any more about the judgement as any disagreements would be for an appeal rather than my blog, but I’d like to give you a taste of what is it like to be a litigant in person involved in a First-Tier Tribunal case, that became an Upper-Tier Tribunal case, that required a Judicial Review and participation in a second Upper-Tier Tribunal case before the initial hearing.


The tribunal process is supposed to be accessible to litigants in person, but there is not a lot of guidance or advice available to those who are looking to bring a case. I was fortunate that by virtue of the Cabinet Office’s challenge to the Tribunal’s jurisdiction in my case and, the need for there to be a consistent interpretation of the CJEU judgement, I got to attend and speak at the UT hearing in the Fish Legal case as a sort of practice run.

Here is some of what I learnt as I went along:

Lesson 1 – contact the tribunal in advance of the hearing to find out where you need to be.

Before the case management hearing I had never stepped foot in a court building before. It was perhaps, quite fitting given the subject matter of my case that my first time was at the Royal Courts of Justice. This is exactly what I imagine Hogwarts to be like. Unfortunately, this presented me with my first unexpected problem – where to go. The Upper Tribunal is based up the road in the Rolls building, and as such, the case did not appear on any of the court lists inside the RCJ. The letter that the tribunal sends you doesn’t tell you what courtroom you need to go to either, and there were quite a lot to chose from. I went to the information desk, where staff tried to send me to the Rolls Building, as they had no idea that the hearing was being held at the RCJ, let alone where it was. Thankfully they took pity on me and phoned through to the UT who told them where I needed to go. I got given this rather long set of directions:

10348745_10152660161367400_5879508587945042068_o (2)

I’m sure the stairs move during the hearings.

Lesson 2 – Expect extra paper

I arrived at the case management hearing without much time to spare, where I was handed skeleton arguments and various other bits of paper from the other parties. This also happened at all of the later hearings. At the Fish Legal hearing, the amount of additional papers provided by the Water Companies was so great, that it came spiral bound with tabbed dividers and an index.  This presents some difficulty when you are representing yourself, as you do not have an opportunity to read the papers, let alone to get any help to figure out what they mean.

Lesson 3 – Everyone makes mistakes.

During the case management hearing the barrister sitting next to me knocked over his glass of water and had to build a dam out of ring binders to stop my papers from getting wet.  On day one of Fish Legal when the Tribunal was sitting as the administrative court to hear the Judicial Review, some of the barristers turned up robed and had to change before it started. I have spoken to others who have been to tribunal who were worried that they would not even know what to call the judge. During the Fish Legal hearing, I heard counsel address Charles J as my lord, your honour and sir. If you are bringing a case yourself, don’t be intimidated by the process and worry about making small errors – even the professionals get it wrong on occasion.

Lesson 4 – Make sure you have all the papers that you are meant to

I turned up at the Fish Legal hearing thinking I had been given all the paperwork only to find out that that there were additional folders which I simply did not have. By day 2 I had managed to track down who was meant to have served me with what, and I then received the additional 46 authorities by email, unlabeled and without an index. This made following proceedings quite hard. I’d also decided to use the electronic version of the bundle on my laptop which would have been fine if a) everyone else had not referred to a different version with different page numbering to that which I had been given, and b) if the RCJ had had plug sockets. There were also so many parties involved that when additional papers were circulated during the hearing itself, I was sometimes missed out and I nearly had to interrupt the hearing because of this. It is important to know what you are meant to have received in advance of the hearing. If you think you are missing something or being disadvantaged in some way by it, it is important to speak up.

Lesson 4.1 EIR litigation is bad for the environment.


So much wasted paper.

Lesson 5 – Expect the unexpected

Day one of my hearing was meant to consist of evidence from Professor Blackburn and the Keeper of the Privy Purse, who I got to question under oath, but this took much less time than expected and so I had to make my case that day. I was not helped by the fact that the Cabinet Office dropped a large chunk of their argument at the start of the hearing. This meant that most of my questions to Sir Alan Reid were no longer relevant, and so I had to quickly ditch these on the spot. I then was given a few hours to rewrite the rest of my argument and cross out large parts of it in a nearby cafe. This was one of the more challenging things that I had to do and not an ideal way to prepare for making your case.

Lesson 6 – I wish I’d learnt french.

I speak several languages, but I don’t know a word of french because my husband stole my place in french class at school when we were 13 (he has not yet been allowed to forget it). This presented me with some difficulty when counsel for the Cabinet Office DEFRA decided to read directly from the french version of the directive and the Advocate General’s opinion. I was expecting to hear latin, amused to hear the ancient greek for laying a sewage pipe across another man’s land as an added bonus, but was not expecting arguments on the meaning of individual french words, which were meant to be different to that given to them by the official translators. I also discovered that directives have travaux preparatoires, even if I had to google what that means. I don’t know the correct protocol for submitting evidence in another language, but I always used the english versions in my submissions.

Lesson 7 – Bring a friend

It’s good to have someone to talk to before the hearing, vent at over lunch and to take notes for you about what is happening whilst you’re speaking. During the Fish Legal hearing I was on my own whilst the other parties all had a sizable entourage. It can feel quite intimidating to be the only person in the room who is on your side. When my hearing came I had @FOIkid to keep me company, whose notes (and doodles) were a great help. I wouldn’t have managed to stay as calm as I did without him being there to help me.

Lesson 8 – Your greatest advantage may be your time.

Where other parties are represented by counsel who will have been involved in dozens of cases in the time between you lodging your appeal and any hearing, you will likely only have had one case to think about. I used this time to do research. Where it was said that the Sovereign had no statutory powers, I had time to list of dozens of them, where it was said that a body needed legal personality to be subject to EIR, I had time to make a list of bodies without legal personality that are subject to EIR and so on. I also got to know my arguments inside out which gave me much needed confidence going into the hearing and better enabled me to respond to questioning.

Lesson 9 – If you need more time ask

During the three years that my case took to be heard, the vast majority of the filing deadlines were extended to give the other parties more time.  I was granted an extension once after I had been served documents late. If you need more time and think that you have a good reason to get it, don’t be afraid to ask for an extension.

In conclusion

I was very grateful to the assistance that I received from the lawyers representing the other parties during the course of all the hearings who answered some of the process related questions that I had, gave me general encouragement and even shared documents where I had not been given them. This made the process much easier. I have learnt a lot in bringing this case and would feel more confident in future in bringing other cases should the need arise. I am particularly pleased that as a result of the jurisdictional challenge that arose from my case, the ICO now publishes “decision letters” (where it has ruled that a body is not subject to EIR or FOI) and that these are now equal to decision notices.

The Tribunal system is an important safeguard against mistakes made by a chronically underfunded ICO. It is vitally important that requesters have access to a free and easy appeal route that can consider points of fact as well of points of law. The number of cases that are dealt with by consent order after the  ICO has admitted that it has got the facts wrong, clearly show that it does not always get them right. The changes  proposed by the FOI Commission would make the appeal process even less accessible to those who are unrepresented, when we should be making it as simple as possible for requesters to uphold their information rights.


We need to talk about Brighton.

I’m writing this post in a purely personal capacity and these views are entirely my own and do not constitute the opinions of WhatDoTheyKnow, MySociety Ltd or associated entities. Now that that’s been cleared up, on with the post.

As you may know, Brighton and Hove city council use a MySociety developed system called FOI Register to process FOI requests. This product has its roots in the Alaveteli software, with the idea being that requests and responses made to the Council are published instantly online on their site as well as on WhatDoTheyKnow. This has a number of advantages, including reducing the number of duplicate requests by making information that has been disclosed searchable and removing the temptation that authorities have to only publish responses that are not embarrassing or controversial. This attempt at greater transparency from the Council is to be applauded and it certainly makes a refreshing change from the rarely updated & scarcely populated disclosure logs that you will see from some other authorities. And yet…

Last Sunday I asked for the link between Brighton’s service and WhatDoTheyKnow to be severed. It seems that Brighton & Hove have been publishing the names of FOI requesters who had asked to remain anonymous on their site, and worse, appear to have been uploading the private information of individuals who had decided to make a request to them direct via email. This information was in turn sent automatically to WhatDoTheyKnow. Since becoming aware of this issue I have had to redact personal information from over 130 “anonymous” requests that contained personally identifiable information.

In terms of those who chose to use Brighton’s FOI site, they had not ticked the box to opt in to having their name publicly displayed and so can not be said to have consented to this. Those who contacted the council directly would have had no expectation that their data would be made public in this way and certainly would not expect to find their contact information on WhatDoTheyKnow, which is a third party service.

Last year in response to a similar practice by Staffordshire County Council the ICO said the following (which I agree with):

“Individuals who make freedom of information requests must have their details handled fairly. Many people who have made a request would not expect to have their name linked to published details of the request they have made. If a public authority is considering releasing this information then they must consider why publishing the requester’s name is necessary.”

“While there is a need for authorities to be transparent about the freedom of information process, in most cases this would not extend to revealing names. […]

“At the very least people should be told that their details will be published and given the opportunity to explain to the council why their name should not be disclosed. If having raised it with the authority a person is not happy with the way their details have been handled then we may be able to help.”

In Brighton’s case, their website does not carry an adequate privacy notice. Users of the service are presented with a tick box on the webform labeled “publish my name” next to which is written:

If you choose to publish your name, it will appear online in association with this request and may show up in search engine results.

Ticking this box does result in the requester’s name being hidden, but only if they have not included it in the body of their request. At no point are requesters told that the request itself will be made public either on Brighton’s site or on WhatDoTheyKnow. This has lead to the situation where “anonymous” requests have been displayed on WhatDoTheyKnow as having been made by an “anonymous user” despite the requester’s name, postal address, email and phone number being contained in the body of the request. Other “anonymous” requests have contained information taken directly from email signatures, and have contained messages such as “sent from my iphone”, leading me to believe that these are requests made outside of the FOI Register system. Brighton’s internal guidance states that this information needs to be be removed before publication, but this is not happening in every case.

In addition, whilst looking into this issue I came across a spreadsheet containing large amounts of personal data belonging to very junior employees of the council that had been sent in response to a request in error. This is far from the first time that the council had leaked information in that way. In June 2012 they released a spreadsheet containing the names, ethnicity information, SEN status and other sensitive personal information belonging to children who have been excluded from schools in the area. In March 2014 they released a spreadsheet containing the full names, gender, ethnicity, nationality and other case details of almost 1,400 children who had had contact with the council’s social services department since 2008. In April 2015 they released a spreadsheet containing the full names and addresses of hundreds of housing tenants and their children along with benefit information. This from a council who the ICO made sign an undertaking following an incident in 2011 where an employee’s salary information was emailed to over 2000 council workers by accident.

I do not know if the Council informed the ICO of these incidents or notified the affected data subjects given the risk of harm that the publication of this information could cause. I personally would have liked to see WhatDoTheyKnow report at least two of the incidents, but this was neither discussed properly at the time nor done.

In looking into this issue I came across numerous examples where the Council had redacted information on their own system, yet had not sought to have the same information removed from WhatDoTheyKnow. They have also had possession of a detailed list of over 125 instances where they are continuing to publish the personal information of requesters on their website for over 48 hours now, yet they have still failed to redact the majority of this information. I can not understand why this is the case.

In light of the above, the fact that Brighton’s FOI system is still automatically publishing new requests on WhatDoTheyKnow irks me greatly, though I appreciate that it might not be the easiest thing to switch off. This issue is ongoing and I personally believe very strongly that WhatDoTheyKnow should not be publishing any more until the Council can show that they take the issue of user privacy seriously. This is something that MySociety has always been very strong on in the past, which makes the disappointment that I feel about this even deeper.

As previously stated, the idea behind the system is a good one, but are there changes that could be made to prevent this? There is an argument for implementing a tech solution that delays publication of requests until someone has checked them, but in the vast majority of the cases I have found, someone at the council has read and responded to the request yet not redacted the personal information, so even this would not help. Another alternative would be not to offer the chance for a request to be made anonymously using the system. This would bring it into line with WhatDoTheyKnow where users must use their names to ask for information, and the word public is repeatedly used to ensure that users are clear about what will happen when they make a request. The problem with this approach is that there are situations where individuals have good reason for not wanting their names linked publicly with a particular question or topic and as such, a way of asking for information without their name being linked to it must remain available. This also would not prevent Brighton and Hove’s practice of importing information from outside of the system.

Perhaps the real answer is to simply to ensure that the system is used in a responsible manner.


UPDATE 23/07: The request form is now much improved and makes it much clearer that the request will be public. The council removed the remaining personal information from the anonymous requests this afternoon.

The Cabinet Office and FOI

On 2 June 2015 the ICO issued an enforcement notice to the Department of Finance and Personnel for Northern Ireland (DFPNI) that ordered them to answer four outstanding freedom of information requests that are over six months old. This was only the 4th such notice that the ICO has issued relating to poor FOI performance and the first FOI enforcement notice that the ICO has issued since 2010.

The ICO doesn’t publish a set of criteria that it uses to decide whether it is appropriate to issue an enforcement notice, but taking this latest notice as a guide, it seems that the Cabinet Office would almost certainly qualify. Here is a list of 12 FOI requests made via WhatDoTheyKnow where the Cabinet Office seems to be over 500 working days late in responding. In each case, the Cabinet Office has acknowledged receipt of the request:

  1. On 6 April 2010 a request was made asking for information about specific items of Cabinet Office spending. The Cabinet Office acknowledged receipt on 12 April 2010. This request remains unanswered and a response is now 1,268 working days late.
  2. On 26 May 2010 a request was made asking for information about the cost of rebranding government buildings following the 2010 General Election. The Cabinet Office acknowledged receipt on 2 June 2010. This request remains unanswered and a response is now 1,234 working days late.
  3. On 25 June 2010 a request was made asking for information about open source software use by the Cabinet Office. The Cabinet Office acknowledged receipt on 29 June 2010. This request remains unanswered and a response is now 1,213 working days late.
  4. On 19 August 2010 a request was made asking for information about the Cabinet Office’s receipts and spending budgets for 2009 and 2010. The Cabinet Office acknowledged receipt on 24 August 2010. This request remains unanswered and a response is now 1,176 working days late.
  5. On 27 October 2010 a request was made asking for information about the 2010 IT project review. The Cabinet Office acknowledged receipt on 29 October 2010. This request remains unanswered and a response is now 1,127 working days late.
  6. On 24 December 2010 a request was made asking for information about various Cabinet Office services. The Cabinet Office acknowledged receipt on 4 January 2011 and wrote to the requester on 8 February 2011 to say that they hoped to respond to the request “shortly”. This request remains unanswered and a response is now 1,086 working days late.
  7. On 13 February 2011 a request was made asking for information about spending on first class rail travel. The Cabinet Office acknowledged receipt on 14 February 2011 and wrote to the requester on 19 April 2011 to say that they were working on the request and would let the requester have a response “in due course”.  On 23 May 2011 they started an internal review to investigate why their response was delayed. Both the request and the internal review remain unanswered and a response is now 1,054 working days late.
  8. On 1 August 2011 a request was made asking for various information about Civil Service Learning. The Cabinet Office acknowledged receipt on 2 August 2011. This request remains unanswered and a response is now 942 working days late.
  9. On 24 August 2011 a request was made asking for information about radiation monitoring around the UK. The Cabinet Office failed to acknowledge receipt. On 21 October 2011 they wrote to the requester to say that the request has not been logged on the day it was received due to an “unfortunate administrative error, but that the request had now been “assigned to the relevant department” and that it was “being dealt with swiftly”. This request remains unanswered and a response is now 926 working days late.
  10. On 11 October 2011 a request was made asking for information regarding the decision to separate the roles of Cabinet Secretary and Head of the Civil Service. The Cabinet Office acknowledged receipt on 12 October 2011. This request remains unanswered and a response is now 892 working days late.
  11. On 10 February 2012 a request was made asking for the minutes of the Cabinet Sub-Committee on Devolution Scotland, Wales and the Regions. The Cabinet Office acknowledged receipt on 13 February 2012. This request remains unanswered and a response is now 809 working days late.
  12. On 29 April 2013 a request was made asking for information about FOI requests relating to Bradford and Bingley. The Cabinet Office acknowledged receipt on 29 April 2013 and wrote on 31 May 2013 to say that they hoped to respond by 26 June 2013. This request remains unanswered and a response is now 529 working days late.

Of course, some these requests may have been responded to outwith of WhatDoTheyKnow, but there is no evidence to suggest that this is the case. It seems certain that there will many other requests made using other channels where a response will also be significantly overdue.

The issue of the Cabinet Office’s poor timeliness is not a new one, (see these posts for more examples) and yet the ICO is still reluctant to take meaningful action. The ICO are certainly well aware of the problems that FOI requesters have in trying to get the Cabinet Office to respond to requests, as these recent decision notices demonstrate:

  1. FS50569096, issued on 26 May 2015, relates to a request for information about the number of honours awarded to serving civil servants made on 15 June 2014. The ICO noted that “By the date of this notice the Cabinet Office had yet to provide a substantive response to the request.” The response to this request was at least 213 working days late.
  2. FS50573978, issued on 18 May 2015, relates to a request for the phone number of the unit/department within the Cabinet Office responsible for handling FOI requests made on 7 February 2015. The ICO noted that “By the date of this decision notice the Cabinet Office has still not issued a response to the request, despite the Commissioner also having notified it of the details of this complaint on 30 March, 17 April and 27 April 2015. ” This request remains unanswered and a response is now 62 working days late.
  3. FS50565962, issued on 8 April 2015, relates to a request about the Cabinet Office’s work with the Behavioural Insights Team made on 29 October 2014. The ICO noted that “At the time of writing the CO had failed to respond substantively to the request.” The response to this request was at least 188 working days late.
  4. FS50566237, issued on 18 March 2015, relates to a request for information about the Public Duty Costs Allowance made on 31 October 2014. The ICO noted that “Three further prompts from the complainant sent to the Cabinet Office on 26 December 2014, 1 January 2015 and 23 January 2015 have failed to elicit any response. To date, a substantive response to the request has not been issued.” The response to this request was at least 73 working days late.
  5. FS50565672, issued on 25 February 2015, relates to a request for information about the Carr Inquiry made on 16 October 2014. The ICO noted that “The Commissioner contacted the Cabinet Office on 5 January 2015 and asked it to provide the complainant with a response to his request within the next 10 working days” but “The complainant contacted the Commissioner on 22 January and again on 9 February 2015, to confirm that he had not received a response to his request.”  Despite this request by the Commissioner, as of the date of the decision notice, no substantive response had been provided. The response to this request was at least 69 working days late.
  6. FS50559560, issued on 25 February 2015, refers to a request for information about awards or titles relating to Cyril Smith made on 28 April 2014. The ICO noted that “By the date of this notice the Cabinet Office had yet to provide a substantive response to the request.” The response to this request was at least 186 working days late.

Perhaps part of the problem is that current Information Commissioner considers decision notices to be meaningful enforcement action even in cases where there are a systematic problems and even where multiple DNs have already been issued.  Perhaps a lack of funding for FOI enforcement is to blame. None of this however, explains why the Cabinet Office can continue to get away with it when the DPFNI cannot. Whatever the reason, I think that it will take a change of Commissioner and a change of attitude in Wilmslow before we see anything done and I fear that this website will not need updating for some time to come.

Data loss incidents.

A few weeks ago, I was fortunate enough to be invited to travel to Madrid to share my experiences as a WhatDoTheyKnow volunteer with those who are running their own online FOI sites around the world. Listening to the stories and experiences of all those present was inspiring – their enthusiasm was infectious. One of the topics that came up was the sort of takedown requests that we have to deal with in the UK, and in particular, a number of people spoke to me about instances where public authorities had released personal data in error.

WhatDoTheyKnow (WDTK) does not yet have a public takedown log. I would very much like to see one published. Until then, and in order to paint a picture of the type of data loss incidents that we’ve had to deal with, I’ve compiled my own list of cases where personal data has been released in error. I am publishing below, in a purely personal capacity, a list of 50 such cases that have remained stuck in my mind:

  1. A local council accidentally included car number plate information belonging to 31,378 people who had been issued with parking tickets in a PDF file.
  2. A local council included the names of 75 pupils who had been excluded from local schools in an Excel spreadsheet in error. This meant that other information about them was no longer properly anonymised.
  3. The same local council later accidentally published sensitive personal information about 1,395 children who had had contact with the authority’s social services department. This included the children’s names and information about the reason for the contact e.g. it was suspected that they had been abused.
  4. The same local council also accidentally included the names of 275 council tenants in a spreadsheet, along with other personal information about them.
  5. A local council included sensitive personal data relating to 15,573 individuals in an Excel spreadsheet in error. This included names, addresses, and housing benefit information, along with information about their gender, ethnicity, sexuality and any disability.
  6. A mental health trust accidentally included information in an Excel spreadsheet that could have led to 1,260 patients deemed at risk of suicide being identified.
  7. On a separate occasion, the same trust again included information in an Excel spreadsheet in error that could have led to 647 patients being identified.
  8. A police force included names  and offence details of 188 individuals who had been arrested for indecent assault in an Excel spreadsheet.
  9. A local council sent a PDF file containing highly sensitive medical information about an applicant for supported housing in response to an FOI request.
  10. A university included student numbers and other personal information belonging to over 16,000 students in an Excel spreadsheet by mistake.
  11. A police force published the names of over 2,400 police officers who had been the subject of complaints over a two year period. This information was left in an Excel spreadsheet in error.
  12. A local council included sensitive personal data about 78 children who had been taken into care in an Excel spreadsheet. This included their full names and details about whether they had been victims of abuse or neglect.
  13. A local council accidentally released sensitive personal data relating to 2,376 housing tenants, including their full name, sexuality, ethnicity, age, address, and other information about their circumstances. The information was included in an Excel spreadsheet and no attempt had been made to redact it.
  14. On a previous occasion, the same local council released sensitive personal data belonging to ten individuals who they had decided had made themselves intentionally homeless. The information was again included in an Excel spreadsheet in error. The affected data fields were the same. There have been a further three instances where this council has sent personal data to WhatDoTheyKnow in error.
  15. An NHS trust did not realise that personally identifiable information belonging to over 8,000 patients had been cached by Excel when responding to a request of cancelled operations.
  16. A local council accidentally included the names of 6,781 individuals who had made compensation claims against it in an Excel spreadsheet. The spreadsheet also included details of payouts that they had received and the reasons for the compensation claims being made.
  17. A local council accidentally included the full names of 1,135 applicants for council housing in an Excel spreadsheet. No attempt to redact the information had been made. The spreadsheet also contained details of the outcomes of these applications, housing reference numbers, the dates that the applications were made and the dates which the Council expected the applicants to be made homeless.
  18. A NDPB answered a subject access request via WhatDoTheyKnow. They made no attempt to confirm the identity of the applicant.
  19. A local council accidentally included the name and other sensitive personal data of staff who had been investigated due to child protection concerns in an Excel spreadsheet.
  20. A local council released the names and dates of birth of 810 children who had been taken into care, along with details about why the children had been taken into care. Again, the information had been included in an Excel spreadsheet in error.
  21. A police force released the names and addresses of people who had released speeding tickets. No attempt at redaction had been made.
  22. An executive agency released a PDF document containing the name of a person who it is alleged was sexually assaulted whilst a minor. The document also included names and addresses of offenders and some victims, along with descriptions of charges. No redaction attempt had been made.
  23. The same executive agency sent court papers to a whatdotheyknow request address in error. The correspondence had nothing to do with the original FOI request.
  24. An NHS trust did not realise that the surnames, patient ID numbers and NHS numbers of 488 heart patients had been included in an Excel spreadsheet that they provided in response to a request for general statistics. The spreadsheet contained very detailed descriptions of the surgery that each patient had received.
  25. A university failed to redact the names of staff involved in vivisection from a PDF file. The university believed this would place those individuals at a high risk of harm.
  26. A university combined their response to an FOI request with a response to a subject access request made outside of the site. The university did not take any steps to confirm the identity of the requester.
  27. A police force included the personal information of victims of sex trafficking and possible suspects in an Excel spreadsheet in error.
  28. The same police force had earlier released sensitive personal information belonging to 262 police officers in error. This information was also contained in an Excel spreadsheet.
  29. An executive agency failed to realise that the names and case details of asylum seekers were included in the cache of an Excel spreadsheet that it released in response to a request.
  30. A police force sent an attachment unrelated to the request about disclosing information on named or identifiable children in response to a court order.
  31. A government department released sensitive personal data belonging to 160 convicted criminals in error. The information had been included in an Excel spreadsheet in error.
  32. A local council included the personal data of 50 consultants employed by the council’s social services department in an Excel spreadsheet in error. As well as names and addresses, the spreadsheet also included details of the outcomes of CRB checks.
  33. A local council released full names, gender, age, ethnicity and client ID of 3,023 applicants for council housing who applied to the council between May 2010 and March 2014, as well as details of the outcomes of their applications. The information was contained in hidden columns in an Excel spreadsheet.
  34. An NHS trust released an Excel spreadsheet that contained the sensitive personal data of 2,302 employees. The information had been cached within the document when the trust had used it to create a pivot table.
  35. A local council made the same mistake and accidentally released personal data belonging to more than 800 members of its staff.
  36. Another local council failed to realise that sensitive personal data concerning the health of named employees had been included in an Excel spreadsheet that they released. This information had again been cached when creating a pivot table.
  37. A local council released data on fees for residential care for younger adults in an Excel spreadsheet that was sufficiently detailed that there was a real risk of individuals being identified.
  38. An NHS trust included medical information about the requester in their response to that individual’s request. The Trust took no steps to verify that the requester was the same person as their patient.
  39. A local council sent an unredacted copy of complaints made to the Standards Committee in error when replying to a request for minutes. The reports contained sensitive personal data belonging to complainants, as well as their names, addresses and email addresses.
  40. An independent executive NDPB accidentally included the names of people who had made complaints against police officers in a response to a request.
  41. An NHS trust failed to properly redact a PDF file that they sent in response to a request allowing sensitive personal information belonging to 7 patients to be easily viewed. The unredacted text could simply be copied from behind the black boxes and pasted into a fresh document.
  42. A local council failed to release that sensitive personal data belonging to 40 autistic children had been cached by Microsoft Excel when they created a pivot table. The information included details of their school placements and their full dates of birth.
  43. A local council accidentally included sensitive personal data relating to 70 employees who had been made redundant in an Excel spreadsheet.
  44. An NHS trust accidentally released the names and care details relating to 255 Children. The information had been cached when they created a pivot table in an Excel spreadsheet and included medical information and details of any disabilities that the children had.
  45. A local council sent highly sensitive personal information belonging to a child in their care to a WDTK email address in error. This information was completely unrelated to the original request.
  46. A local council sent a scanned complaint form relating to a social work case to a WDTK email address by mistake. No attempt had been made to redact the document, which contained sensitive personal data belonging to 3 individuals.
  47. A local council accidentally included personal information belonging to 619 members of staff in an Excel spreadsheet, some of which was sensitive personal data.  The document contained over 47,500 hidden rows of data.
  48. A local council accidentally published the names, National Insurance numbers, date of birth and salary information of 732 employees.
  49. A local council did not realise that the names of 726 people who had been issued a fixed penalty notice for littering had been cached by Microsoft Excel when they created a pivot table. The document also included full details of each case.
  50. A local council accidentally included sensitive personal information belonging to 130 care users in an Excel spreadsheet. The information included their names, ages, and information about the cost of their care.

The incidents above represent around a third of the number of data loss incidents that I know about involving FOI responses sent to WhatDoTheyKnow. I fear that the number of such incidents occurring outside of WhatDoTheyKnow will inevitably be much higher still. Since I became a WhatDoTheyKnow volunteer, I have become much less trusting of anyone who is asking for my personal data and I no longer complete the optional diversity questions on forms. The very worst thing about most of the cases that I have described above is that the affected data subjects are usually some of the most vulnerable people in society, who have little choice but to share their information with the state in order to access essential services or to receive justice. They deserve better.

So to public authorities, please think for a moment before you click send. Please check that the file size of your Excel workbook is not significantly larger than you would expect. If you have imported data from an external data source or created a chart or pivot table, check that that data is not cached within the document. Check that you have not embedded any PDF files in your spreadsheet by accident. Know that hiding cells/rows/columns/sheets is not the same as proper redaction. Know that hidden cells can be unhidden with one click and that the password on protected sheets are just as easy to remove. Most of all, if the sensitive personal data of your service users is stored in a system that allows it to be easily exported by junior members of staff who don’t know to do all of the above… then do not be surprised to find your organisation on the next version of this list.