Southend on Sea City Council – Violation Found (United Kingdom, 2024)

Violation Found
Information Commissioner's Office | 17 October 2024 | United Kingdom
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

On May 17, 2023, Southend-on-Sea City Council, in Essex, responded to a freedom of information (FOI) request posted on the What Do They Know (WDTK) website, a public platform that allows individuals to submit requests to public bodies within the UK. All requests and the public bodies' responses are published on the website, making them publicly accessible. The response included a spreadsheet that contained hidden personal data of Council employees, former employees, and associated individuals, such as agency workers. This data included contact details, employment information, salary, health data, gender, and ethnicity.

The breach was only identified on October 27, 2023, five months later, when WDTK notified the Council. At the same time, the Council notified the ICO about the data breach. The Council’s lack of awareness and preparedness for handling hidden data in Excel spreadsheets was highlighted as the primary cause. Staff had not been adequately trained in using Excel’s “Inspect Document” feature, which would have allowed them to check for hidden data before releasing the document.

The ICO acknowledged the Council’s cooperation and transparency during the investigation, as well as the steps taken to mitigate the breach’s impact. However, due to the initial failure to ensure secure data processing, the ICO issued a reprimand for the Council's failure to adequately protect sensitive employee data due to insufficient Excel training and awareness, emphasizing the need for improved data handling practices to comply with Article 5(1)(f) UK GDPR. In the reprimand, the ICO recommended implementing all remedial actions to ensure future compliance and providing training to all relevant staff on using Excel’s “Inspect Document” feature to prevent similar breaches.

GDPR Articles Cited

Art. 5(1)(f) GDPR

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Southend on Sea City Council in UK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

17 October 2024

Authority

Information Commissioner's Office

GDPRhub ID

gdprhub-8568

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Southend on Sea City Council - United Kingdom (2024). Retrieved from cookiefines.eu
