While working on a story relating to children’s care homes, Beth Ashton stumbled across some data that shouldn’t have been public. What she did next illustrates the ethical and legal issues facing journalists and public bodies dealing with sensitive subjects.
A few months ago, in the process of looking at children’s care home inspection reports for a story, I stumbled across a Freedom of Information request which I believed contained sensitive information.
Children’s homes are inspected by Ofsted – but each home is identified only by a Unique Reference Number (URN).
It is the only way to confirm that the report corresponds a specific home, and a URN is the only way to find a specific Children’s Home inspection on the Ofsted website.
While browsing FOI requests to the body on WhatDoTheyKnow, however, I found a document which contained both the reference numbers and the names of care homes which corresponded to them.
This posed a number of dilemmas.
Ofsted say on their website that the names and addresses of childrens homes are not published “in order to safeguard the welfare of children and protect their privacy.”
This was also the response I got when I first called Ofsted press office asking for the reference numbers for children’s care homes.
Knowing the names of the care homes in the Ofsted reports by their URNs meant I would be able to find geographical trends such as (in theory) the geographical locations with the best and worst Ofsted ratings.
It also meant that parents, relatives, guardians of looked after children would be able to see how their children’s home was performing – something that they cannot currently do without the URN. But equally, those which the authorities are trying to keep away from vulnerable children would have more information about the children’s homes they attended.
Finally, although I’m not going to link to it here, this data was available on websites where companies buy data.
What I did next
For me, the need to prevent such a leak happening again superseded my data project. I wanted to find out how this happened and whether it would happen again.
The strangest thing about the response on WDTK was that it wasn’t even relevant to the original request, which asked for something entirely different (see screen grabs below).
I contacted WhatDoTheyKnow who immediately took down the information, saying:
“All requests and responses sent via WhatDoTheyKnow are automatically published online without any human intervention – this is the key feature that makes this site both valuable and popular. If we are made aware of an issue of sensitivity – or if we come across it ourselves – we will immediately take down the report in question while we make decisions about how to proceed.
“In the case of the issue you alerted us to – identification numbers for homes for looked-after children – this is exactly what happened.”
It then came down to whether or not Ofsted should have released the information.
I approached Ofsted a second time, this time with the screenshots and the full story of how this information came to be online.
It turned out that, at the time of the information’s release to and publication on WhatDoTheyKnow.com, it was not against Ofsted’s regulations to publish care home identification numbers – although it now is.
In the end, this was a story about Ofted’s own rules not working retrospectively, or taking into account the permanence of the internet. Ofsted themselves did not seem concerned about the information being available online.
The investigation, then, didn’t turn out to be the major data leak I thought it might be. It did, however, make me wonder about other published material that has been retrospectively revoked in the general sense but not online.
I am convinced that if this can happen in one instance data that has been redacted later in its life will still be hidden in the corners of the Internet.
Race you to it.