Date: 2025-05-23
Information Commissioner's Office
London council reprimanded for exposing personal details of 6,528 people for almost two years
We have reprimanded the London Borough of Hammersmith and Fulham (the council) after it left exposed the personal information of 6,528 people for almost two years.
The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information.
Investigation findings
The council’s response included an Excel spreadsheet which contained 35 hidden workbooks. Almost two years later, in November 2023, following a review of information on its site, WDTK informed the council that the response included personal information. The information was immediately removed from both sites.
In total 6,528 people were affected, with 2,342 being children. The personal information relating to the children was classed as sensitive as it included details of looked after children, 96 of whom were unaccompanied asylum-seeking children.
In reaching our final decision, we took into account a number of mitigating factors, including that the published personal information was almost three years old and that there was no evidence that it had been inappropriately accessed or used. We also considered the remedial action the council took to contain the impact of the breach, notably updating guidance and procedures and ensuring staff undertook training.
Sally Anne Poole, ICO Head of Investigations, recently said:
“It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.
“In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”
Investigation recommendations
The reprimand details a number of recommendations we expect the council to follow. These recommendations are relevant to all public authorities responding to FOI requests and include:
- Considering implementing the use of our sign off checklist when releasing information that contains Excel spreadsheets.
- Considering that all material prepared for disclosure is signed off by a manager.
- Reviewing and updating online training and guidance and continually embedding this with staff.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.
Original article link: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/05/london-council-reprimanded-for-exposing-personal-details/