Council issued with reprimand following leak of personal details of employees

October 18, 2024

The Information Commissioner has issued Southend-on-Sea City Council with a reprimand after the personal details of council employees were accidently leaked in response to a Freedom of Information (FoI) request.

The Commissioner found the cause of the breach was a “lack of proper checks” for hidden data prior to the releasing of the spreadsheet.

The infringement of the UK GDPR occurred when a response to a FOI request was provided to the What Do They Know (WDTK) website.

The response included a spreadsheet which contained personal data hidden within the files provided – including the personal details of Council employees and former employees, and certain other groups of people associated with the Council such as agency workers and office holders.

The Commissioner noted: “The list of employees and former employees contained a significant amount of personal information, including special category data and listed contact details, employment and pay details, and health, gender, and ethnicity information.”

Although the watchdog found no evidence of the hidden data being used, it warned that the possibility that malicious actors may access and exploit the data remains.

The watchdog concluded that Southend had shown a “failure to comply” with data protection legislation by the disclosure of special category data, attributing this to “the failures in training and awareness of the packages that the Council uses”.

The Commissioner noted that following the incident, the authority has implemented some “wide ranging” remedial measures to counter the breach, including measures to improve the security of the data it provides when responses are provided to FOI requests going forward.

However, it recommended the following further action to:

ensure that all staff across the council, who use Excel as part of their role are fully trained and conversant with all relevant Excel tools, in particular the ‘Inspect Document’ option; and
ensure that all proposed remedial measures are implemented.

Cllr Cowan, leader of Southend-on-Sea City Council, said: “Following our self-reporting of a potential data breach to the Information Commissioners Office at the start of November 2023, we have now received their formal response.

“We welcome the Information Commissioner’s findings and for their recognition of our swift remedial steps to strengthen our approach to Information Governance and the action taken since. We have updated our Freedom of Information protocols, provided additional staff training, and introduced more stringent checks to ensure that personal data remains secure.

“We accept the ICO’s recommendation regarding providing further training, which is already being progressed.”

Lottie Winson

Council issued with reprimand following leak of personal details of employees

Experienced data protection consultant joins Act Now Training as associate

Information Commissioner criticises water company over failure to respond to EIR requests properly

Information watchdog launches data protection audit framework to help organisations improve compliance

Police force issued with £750k fine for “serious” data breach involving staff data

A guide to UK data protection law with relevant provisions of the Data Protection Act 2018

A Practical Guide to GDPR for Schools

Information Rights

Cornerstone on Social Housing Fraud

Cornerstone on Information Law

Essential Law for Cemetery and Crematorium Managers

Making Decisions Judicially - A Guide for Decision-Makers

Director - Law and Governance (Monitoring Officer)