London Borough of Hammersmith & Fulham Council – Violation Found (United Kingdom, 2025)

Violation Found
Information Commissioner's Office, 21 May 2025, United Kingdom
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

In 2021 the Council of the London Borough of Hammersmith & Fulham (the controller) responded to a freedom of information (FOI) request from the non-profit group mySociety. As part of the response, the controller inadvertently forwarded an Excel sheet containing hidden personal data of more than 6,000 individuals, including more than 2,000 children. Both the controller and mySociety published the Excel sheet on their respective websites. Two years later, mySociety found the hidden data and notified both the controller and the DPA of the data breach. Both mySociety and the controller immediately removed the sheet from their websites. In response to the breach, the controller engaged with cyber incident response partners and found no evidence that the hidden data was leaked on the Internet.

The DPA held that the controller failed to implement appropriate technical and organizational measures to prevent data breaches. In particular, the controller did not provide employees with training and guidelines on how to safely use Excel for FOI responses, did not instruct them to check for hidden data or to convert Excel sheets to the CSV format before disclosure, and did not implement the best practices endorsed by the DPA itself in its guidance (https://ico.org.uk/media2/for-organisations/documents/2021/2618998/how-to-disclose-information-safely-20201224.pdf). For these reasons, the DPA found that the controller violated Articles 5(1)(f), 5(2), 24(1) and 32(1) of UK GDPR and issued a reprimand.

The DPA deemed it unnecessary to adopt other measures for several reasons. In particular, the DPA found it unlikely that unauthorized access actually took place, and pointed out that most of the data were already outdated at the time of the breach.
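The check for hidden data that the reprimand says staff were never instructed to perform can be automated before a spreadsheet is disclosed. The Python below is an added example, not part of the ICO decision or the controller's process; it goes beyond the summary by also flagging pivot cache records, and the function names and the sample package are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
ON = ("1", "true")  # OOXML booleans are written as "1" or "true"

def find_hidden_content(xlsx_bytes):
    """List reasons an .xlsx file should not be disclosed as-is."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.iter(f"{{{M}}}sheet"):
            state = sheet.get("state", "visible")  # hidden / veryHidden
            if state != "visible":
                findings.append(f"{state} sheet: {sheet.get('name')}")
        for part in sorted(z.namelist()):
            if part.startswith("xl/pivotCache/pivotCacheRecords"):
                # Pivot caches keep a copy of the source rows
                findings.append(f"pivot cache records: {part}")
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            ws = ET.fromstring(z.read(part))
            rows = [r.get("r") for r in ws.iter(f"{{{M}}}row") if r.get("hidden") in ON]
            cols = [f"{c.get('min')}-{c.get('max')}" for c in ws.iter(f"{{{M}}}col") if c.get("hidden") in ON]
            if rows:
                findings.append(f"hidden rows {','.join(rows)} in {part}")
            if cols:
                findings.append(f"hidden columns {','.join(cols)} in {part}")
    return findings

def build_sample():
    """Constructed package with only the parts the scanner reads (not a full workbook)."""
    workbook = (f'<workbook xmlns="{M}"><sheets>'
                '<sheet name="Summary" sheetId="1"/>'
                '<sheet name="RawData" sheetId="2" state="hidden"/>'
                '</sheets></workbook>')
    sheet1 = (f'<worksheet xmlns="{M}"><cols><col min="3" max="4" hidden="1"/></cols>'
              '<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_hidden_content(build_sample()):
        print("BLOCK:", finding)
```

An empty result only means none of these containers were found; exporting the visible sheet to CSV, as the summary mentions, remains the safer disclosure format.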

National Law Articles

Article 24(2) UK GDPR
Article 32(1) UK GDPR
Article 5(1)(f) UK GDPR
Article 5(2) UK GDPR

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for London Borough of Hammersmith & Fulham Council in UK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

21 May 2025

Authority

Information Commissioner's Office

GDPRhub ID

gdprhub-9299

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. London Borough of Hammersmith & Fulham Council - United Kingdom (2025). Retrieved from cookiefines.eu
