FoI Blunders Mean Personal Data is Exposed Every Fortnight

The UK public sector has accidentally released personal information about members of the public at least once a fortnight for the past six years because of mistakes made by freedom of information officers, according to e-democracy site mySociety.

The organization’s FoI website WhatDoTheyKnow.com automates freedom of information requests for individuals and publishes the responses. However, it reported this week that since 2009 it has noticed 154 accidental data leaks from councils, NHS bodies, police forces and more.

Given that many individuals and businesses will send FoI requests directly to these organizations, mySociety believes the level of accidental data disclosure could be much higher.

Although public authorities must by law remove or anonymize personal information before releasing FoI data, those tasked with responding to requests often lack the technical skills to do so, mySociety claimed.

“Our latest warning is triggered by an incident earlier this month, in which Northamptonshire County Council accidentally published data on over 1400 children, including their names, addresses, religion and SEN status,” it claimed in a report.

“Thanks to the exceptionally fast work of both the requester and the WhatDoTheyKnow volunteers, it was removed within just a few hours of publication, and the incident has been reported to the Information Commissioner’s Office. Concerned residents should contact the ICO or the council itself.”

The site reiterated best practice advice for FoI officers, including that they always check file sizes to mitigate the risk of sending out too much data.

It also urged them to consider preparing info in plain text so it can be easily reviewed before release. Another tip is not to release Excel pivot tables from spreadsheets containing personal info, as the original data is often left in the Excel file.
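The pivot-table tip can be turned into a pre-release check, because an .xlsx file is a ZIP archive and a pivot table's copy of its source rows sits in parts named `xl/pivotCache/pivotCacheRecords*.xml`. The Python below is an added example, not code from mySociety or this article; the function names and the sample workbook are constructed for illustration, and the hidden-sheet check goes one step beyond the tip quoted above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by workbook and pivot cache parts.
M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}

def audit_xlsx(data: bytes) -> list[str]:
    """Return findings that should hold back release of an .xlsx file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            # Each <r> element is one cached row of the pivot table's source data.
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                rows = ET.fromstring(z.read(name)).findall("m:r", NS)
                findings.append(f"{name}: {len(rows)} cached source rows")
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in wb.findall("m:sheets/m:sheet", NS):
                # state is "hidden" or "veryHidden" when a sheet is not shown.
                state = sheet.get("state", "visible")
                if state != "visible":
                    findings.append(f"sheet {sheet.get('name')!r} is {state}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: only the parts the audit reads, not a full workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml",
                   f'<workbook xmlns="{M}"><sheets>'
                   '<sheet name="Summary" sheetId="1"/>'
                   '<sheet name="RawData" sheetId="2" state="hidden"/>'
                   '</sheets></workbook>')
        z.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                   f'<pivotCacheRecords xmlns="{M}" count="2">'
                   '<r><s v="Constructed Name A"/><s v="1 Example Street"/></r>'
                   '<r><s v="Constructed Name B"/><s v="2 Example Street"/></r>'
                   '</pivotCacheRecords>')
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_xlsx(build_sample()):
        print("HOLD:", finding)
```

An empty result means only that these two checks found nothing; it does not show the visible cells are free of personal data.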

Tony Pepper, CEO of encryption firm Egress, argued that organizations need to give employees clear security policy guidelines and the right tools to work securely without impacting productivity.

“As demonstrated by many of these breaches, it’s inevitable that people will make mistakes. In fact, 93% of data breaches are actually down to human error rather than malicious hacking, so accidental breaches by far outweigh anything else,” he added.

“Matching policy with smart information security technology is the best way to protect against human error – otherwise we will continue to see breaches of this kind.”
