D is a government department responsible for the ‘family returns process,’ the process by which individuals with children who have no right to remain in the United Kingdom are returned to their country of origin.
D stores quarterly statistics about the process in a spreadsheet containing two tabs: the first tab containing anonymised statistics; the second containing a substantial amount of personal information, including: the name of the lead family member; his or her age and nationality; whether they had claimed asylum; the office which dealt with their case, from which the general area in which they lived could be inferred; and the stage which they had reached in the family returns process.
In October 2013, D uploaded the quarterly statistics for the period April to 30 June 2013 onto the internet. However, it accidentally uploaded the information contained in both the first and second tabs rather than just the first. The information contained details of 1,598 applicants.
While it was online, the page was accessed on 27 occasions by 22 different IP addresses within the United Kingdom and by 1 in Somalia. At least one unknown individual had downloaded/saved the spreadsheet. A copy of the spreadsheet was also uploaded onto a US file-sharing website.
The ICO was notified, a statement was made to Parliament about the data breach, and the individuals affected were notified.
Cs, a number of individuals who were affected by the data breach, brought claims in misuse of private information and breach of the Data Protection Act 1998. Two of the individuals, TLU and TLV, were not named in the spreadsheet.