The Royal Borough of Kensington and Chelsea has been fined £120,000 by the Information Commissioner’s Office (ICO), the UK’s data watchdog, after it unlawfully identified 943 people who owned vacant properties in the Borough.
Following the Grenfell Tower fire on 14th June 2017, there was considerable discussion in the media about the social inequality within the Borough. This included a belief that a large number of expensive properties within the Borough were unoccupied and a call for unoccupied properties to be used to those made homeless by the fire.
On 30th June 2017 journalists from a newspaper submitted a number of requests, made under the Freedom of Information Act (FOIA), for details of the unoccupied properties in the Borough. In responding to these requests on 21st July 2017, the Council provided a spreadsheet that identified the number of unoccupied properties.
However it also inadvertently provided details of the names and addresses of the owners of these unoccupied properties which was included as hidden data in the spreadsheet.
On 1st August 2017, the newspaper published a story online identifying the number of empty properties in the Borough and also identified the names of three high profile owners. One of the journalists also disclosed the response to a data analyst who published the spreadsheet on an online blog for approximately one hour. The Council received a complaint from one of the owners identified.
Following their investigation of the matter, the ICO found that there had been a serious breach of the Data Protection Act (DPA) by the Council in relation to their failure to have appropriate technical and organisational measures in place to deal with the FOIA request and safeguard against unauthorised disclosure, including a lack of training on the use of spreadsheets (including checking for hidden data).
The ICO concluded that the data breach was likely to cause distress to at least some of those identified on the spreadsheet, particularly as the spreadsheet was published on an online blog and could therefore have been disseminated further. The ICO also identified the possible disclosure of this information to “hostile parties” exposing affected owners to the risk of criminal damage, burglary and / or squatting at their unoccupied properties.