A recent decision of the UK Information Commissioner has highlighted the risks for businesses who share information using Excel spreadsheets.
In the UK decision, the data protection Principle breached by the Council has a counterpart under Australian Privacy Principle (APP) 11, which requires entities to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access or disclosure.
Entities who fail to comply with APP 11 can face regulatory penalties of up to AU$2.1 million per breach. Further, an entity’s failure to comply with APP 11 can result in reputational damage, breaches of contract and expose the entity to claims by individual individuals who wish to seek compensation for a breach of their privacy.
Background to the UK case
Following the Grenfell Tower disaster in June 2017, the Royal Borough of Kensington and Chelsea (the Council) received at least 1,025 Freedom of Information (FOI) requests. Three of these FOIs related to statistical information on empty properties in the Borough. Specifically, these FOIs were made in conjunction with appeals from the public to transform the properties into temporary homes for those individuals displaced by the disaster.
The FOI requests
In response to three of these FOIs, the Council’s tax manager prepared a list of the empty properties and, compiling the information in an Excel spreadsheet, sent the information to the Council’s FOI team. The FOI team ‘checked’ the spreadsheet for hidden data by clicking on relevant cells before providing it to the FOI applicants, however they failed to identify the underlying personal data in the pivot table. As discovered by the recipients, a simple double-click on any of the spreadsheet cells revealed the address of every empty property and the identity of the owner. In total, the data identified 943 individual property owners.
One of the FOI applicants was a journalist and, consequently, the journalist’s newspaper proceeded to disclose the number of empty properties and the names of multiple high profile property owners. In addition, the data was shared with a data analyst, who published the data online for approximately an hour.
The Commissioner’s decision
In the UK, entities caught by the Data Protection Act 1988 (DPA) are required, under the ‘Data Protection Principles’, to take:
“appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
This is very similar to the Australian obligation under APP11. In making a decision as to whether the Council breached this principle, the Commissioner took into account numerous mitigating factors, including: (a) the co-operation and prompt remediation by the Council (b) a lack of evidence that the properties were actually damaged as a result of the breach (c) the partially public nature of the information (d) the exacerbation of the breach by the journalist and newspaper.
Despite these factors, the UK Information Commissioner (Commissioner) was of the opinion that the actions by the Council were a matter of serious oversight. The Council had failed to ensure that the FOI process was governed by written procedures and had failed to adequately train its FOI staff on the use of Excel. The Commissioner also took into consideration the potential harm that individuals faced, including the vulnerability of empty houses to criminal activity such as burglary or squatting.
Finding that the information could also be considered to be of a sensitive nature (due to the payment of certain council taxes) and to discourage other from making similar mistakes, the Commissioner imposed a monetary penalty of £120,000 (being approximately AU$219,231).
Key takeaways for Australian businesses
If your organisation shares information of any nature that includes personal information with other entities, including by sharing Excel spreadsheets, you should ensure that they have appropriate procedures and policies in place that employees are required to follow whenever they manage personal information. These procedures and policies should cover all aspects of the information life cycle, including whenever the entity collects, holds, uses and destroys personal information.
The failure by the Council to train staff was an error that could easily have been avoided.
In the report issued by the Office of the Australian Information Commissioner on breaches notified in the quarter ending 31 March 2018, approximately half the breaches were caused by human error, emphasising again the importance of staff training.