Data loss incidents.

A few weeks ago, I was fortunate enough to be invited to travel to Madrid to share my experiences as a WhatDoTheyKnow volunteer with those who are running their own online FOI sites around the world. Listening to the stories and experiences of all those present was inspiring – their enthusiasm was infectious. One of the topics that came up was the sort of takedown requests that we have to deal with in the UK, and in particular, a number of people spoke to me about instances where public authorities had released personal data in error.

WhatDoTheyKnow (WDTK) does not yet have a public takedown log. I would very much like to see one published. Until then, and in order to paint a picture of the type of data loss incidents that we’ve had to deal with, I’ve compiled my own list of cases where personal data has been released in error. I am publishing below, in a purely personal capacity, a list of 50 such cases that have remained stuck in my mind:

  1. A local council accidentally included car number plate information belonging to 31,378 people who had been issued with parking tickets in a PDF file.
  2. A local council included the names of 75 pupils who had been excluded from local schools in an Excel spreadsheet in error. This meant that other information about them was no longer properly anonymised.
  3. The same local council later accidentally published sensitive personal information about 1,395 children who had had contact with the authority’s social services department. This included the children’s names and information about the reason for the contact e.g. it was suspected that they had been abused.
  4. The same local council also accidentally included the names of 275 council tenants in a spreadsheet, along with other personal information about them.
  5. A local council included sensitive personal data relating to 15,573 individuals in an Excel spreadsheet in error. This included names, addresses, and housing benefit information, along with information about their gender, ethnicity, sexuality and any disability.
  6. A mental health trust accidentally included information in an Excel spreadsheet that could have led to 1,260 patients deemed at risk of suicide being identified.
  7. On a separate occasion, the same trust again included information in an Excel spreadsheet in error that could have led to 647 patients being identified.
  8. A police force included names and offence details of 188 individuals who had been arrested for indecent assault in an Excel spreadsheet.
  9. A local council sent a PDF file containing highly sensitive medical information about an applicant for supported housing in response to an FOI request.
  10. A university included student numbers and other personal information belonging to over 16,000 students in an Excel spreadsheet by mistake.
  11. A police force published the names of over 2,400 police officers who had been the subject of complaints over a two-year period. This information was left in an Excel spreadsheet in error.
  12. A local council included sensitive personal data about 78 children who had been taken into care in an Excel spreadsheet. This included their full names and details about whether they had been victims of abuse or neglect.
  13. A local council accidentally released sensitive personal data relating to 2,376 housing tenants, including their full name, sexuality, ethnicity, age, address, and other information about their circumstances. The information was included in an Excel spreadsheet and no attempt had been made to redact it.
  14. On a previous occasion, the same local council released sensitive personal data belonging to ten individuals who they had decided had made themselves intentionally homeless. The information was again included in an Excel spreadsheet in error. The affected data fields were the same. There have been a further three instances where this council has sent personal data to WhatDoTheyKnow in error.
  15. An NHS trust did not realise that personally identifiable information belonging to over 8,000 patients had been cached by Excel when responding to a request about cancelled operations.
  16. A local council accidentally included the names of 6,781 individuals who had made compensation claims against it in an Excel spreadsheet. The spreadsheet also included details of payouts that they had received and the reasons for the compensation claims being made.
  17. A local council accidentally included the full names of 1,135 applicants for council housing in an Excel spreadsheet. No attempt to redact the information had been made. The spreadsheet also contained details of the outcomes of these applications, housing reference numbers, the dates that the applications were made and the dates which the Council expected the applicants to be made homeless.
  18. An NDPB answered a subject access request via WhatDoTheyKnow. They made no attempt to confirm the identity of the applicant.
  19. A local council accidentally included the name and other sensitive personal data of staff who had been investigated due to child protection concerns in an Excel spreadsheet.
  20. A local council released the names and dates of birth of 810 children who had been taken into care, along with details about why the children had been taken into care. Again, the information had been included in an Excel spreadsheet in error.
  21. A police force released the names and addresses of people who had received speeding tickets. No attempt at redaction had been made.
  22. An executive agency released a PDF document containing the name of a person who it is alleged was sexually assaulted whilst a minor. The document also included names and addresses of offenders and some victims, along with descriptions of charges. No redaction attempt had been made.
  23. The same executive agency sent court papers to a WhatDoTheyKnow request address in error. The correspondence had nothing to do with the original FOI request.
  24. An NHS trust did not realise that the surnames, patient ID numbers and NHS numbers of 488 heart patients had been included in an Excel spreadsheet that they provided in response to a request for general statistics. The spreadsheet contained very detailed descriptions of the surgery that each patient had received.
  25. A university failed to redact the names of staff involved in vivisection from a PDF file. The university believed this would place those individuals at a high risk of harm.
  26. A university combined their response to an FOI request with a response to a subject access request made outside of the site. The university did not take any steps to confirm the identity of the requester.
  27. A police force included the personal information of victims of sex trafficking and possible suspects in an Excel spreadsheet in error.
  28. The same police force had earlier released sensitive personal information belonging to 262 police officers in error. This information was also contained in an Excel spreadsheet.
  29. An executive agency failed to realise that the names and case details of asylum seekers were included in the cache of an Excel spreadsheet that it released in response to a request.
  30. A police force sent an attachment unrelated to the request about disclosing information on named or identifiable children in response to a court order.
  31. A government department released sensitive personal data belonging to 160 convicted criminals in error. The information had been included in an Excel spreadsheet in error.
  32. A local council included the personal data of 50 consultants employed by the council’s social services department in an Excel spreadsheet in error. As well as names and addresses, the spreadsheet also included details of the outcomes of CRB checks.
  33. A local council released full names, gender, age, ethnicity and client ID of 3,023 applicants for council housing who applied to the council between May 2010 and March 2014, as well as details of the outcomes of their applications. The information was contained in hidden columns in an Excel spreadsheet.
  34. An NHS trust released an Excel spreadsheet that contained the sensitive personal data of 2,302 employees. The information had been cached within the document when the trust had used it to create a pivot table.
  35. A local council made the same mistake and accidentally released personal data belonging to more than 800 members of its staff.
  36. Another local council failed to realise that sensitive personal data concerning the health of named employees had been included in an Excel spreadsheet that they released. This information had again been cached when creating a pivot table.
  37. A local council released data on fees for residential care for younger adults in an Excel spreadsheet that was sufficiently detailed that there was a real risk of individuals being identified.
  38. An NHS trust included medical information about the requester in their response to that individual’s request. The Trust took no steps to verify that the requester was the same person as their patient.
  39. A local council sent an unredacted copy of complaints made to the Standards Committee in error when replying to a request for minutes. The reports contained sensitive personal data belonging to complainants, as well as their names, addresses and email addresses.
  40. An independent executive NDPB accidentally included the names of people who had made complaints against police officers in a response to a request.
  41. An NHS trust failed to properly redact a PDF file that they sent in response to a request allowing sensitive personal information belonging to 7 patients to be easily viewed. The unredacted text could simply be copied from behind the black boxes and pasted into a fresh document.
  42. A local council failed to realise that sensitive personal data belonging to 40 autistic children had been cached by Microsoft Excel when they created a pivot table. The information included details of their school placements and their full dates of birth.
  43. A local council accidentally included sensitive personal data relating to 70 employees who had been made redundant in an Excel spreadsheet.
  44. An NHS trust accidentally released the names and care details relating to 255 children. The information had been cached when they created a pivot table in an Excel spreadsheet and included medical information and details of any disabilities that the children had.
  45. A local council sent highly sensitive personal information belonging to a child in their care to a WDTK email address in error. This information was completely unrelated to the original request.
  46. A local council sent a scanned complaint form relating to a social work case to a WDTK email address by mistake. No attempt had been made to redact the document, which contained sensitive personal data belonging to 3 individuals.
  47. A local council accidentally included personal information belonging to 619 members of staff in an Excel spreadsheet, some of which was sensitive personal data. The document contained over 47,500 hidden rows of data.
  48. A local council accidentally published the names, National Insurance numbers, dates of birth and salary information of 732 employees.
  49. A local council did not realise that the names of 726 people who had been issued a fixed penalty notice for littering had been cached by Microsoft Excel when they created a pivot table. The document also included full details of each case.
  50. A local council accidentally included sensitive personal information belonging to 130 care users in an Excel spreadsheet. The information included their names, ages, and information about the cost of their care.

The incidents above represent around a third of the number of data loss incidents that I know about involving FOI responses sent to WhatDoTheyKnow. I fear that the number of such incidents occurring outside of WhatDoTheyKnow will inevitably be much higher still. Since I became a WhatDoTheyKnow volunteer, I have become much less trusting of anyone who is asking for my personal data and I no longer complete the optional diversity questions on forms. The very worst thing about most of the cases that I have described above is that the affected data subjects are usually some of the most vulnerable people in society, who have little choice but to share their information with the state in order to access essential services or to receive justice. They deserve better.

So to public authorities, please think for a moment before you click send. Please check that the file size of your Excel workbook is not significantly larger than you would expect. If you have imported data from an external data source or created a chart or pivot table, check that that data is not cached within the document. Check that you have not embedded any PDF files in your spreadsheet by accident. Know that hiding cells/rows/columns/sheets is not the same as proper redaction. Know that hidden cells can be unhidden with one click and that the passwords on protected sheets are just as easy to remove. Most of all, if the sensitive personal data of your service users is stored in a system that allows it to be easily exported by junior members of staff who don’t know to do all of the above… then do not be surprised to find your organisation on the next version of this list.
