Publishing pivot tables online leads to disclosing personal data…and a fine from the ICO

Responding to a FOI request often requires making sure no personal data in included. But when releasing information contained in pivot tables [a data summarisation tool -], extra care is needed. The ICO has recently fined Islington Council £70,000 for breach of the Data Protection Act, which resulted from the Council not understanding that personal data was disclosed in its response to a FOI request. The ICO says that Microsoft Excel and other spreadsheet programs retain a copy of the source data used, and this information is hidden from view, but easily accessible.

In the case of Islington Council, personal details of over 2,000 residents were accidently released online in response to a FOI request made through the What Do They Know (WDTK) website, which lists responses from public authorities. According to the ICO, Islington Council used the tables to show statistics on how housing had been allocated to residents, but failed to remove the source data, and so sensitive personal data about tenants was revealed.

This raises concerns over disclosures under the dataset amendments to FOIA, which enter into force on 1 September. Steve Wood, ICO’s Head of Policy Delivery, however, reassures organisations in his blog: ‘These amendments will require public authorities to disclose datasets in open reusable formats, which in practice means using a format such as CSV (comma separated variable) will be a requirement. This should remove many of [the] risks of hidden data, as the spreadsheet formatting is taken away, making it clear what information has been included.’

A copy of the monetary penalty notice.