| Information needed | Response |
| --- | --- |
| Title and link to statistical output | Excess Mortality in English Regions |
| Name of producer organisation | Public Health England |
| Name and contact details of person dealing with report | Sebastian Fox |
| Name and contact details of Head of Profession for Statistics or Lead Official | Clare Griffiths |
| Link to published statement about the breach (if relevant) | |
| Date of breach report | 16 April 2021 |

| Information needed | Response |
| --- | --- |
| Relevant principle(s) and practice(s) | Principle T3, practice T3.2 |
| Date of occurrence of breach | 15 April 2021 |

Public Health England (PHE) produces nine reports on excess mortality once a month, one for each English region. These are pre-announced for release at 2pm on the third Thursday of every month. The reports are created by a Senior Data Scientist on a rota basis and stored on a server whose permissions are managed by ICT. Once the reports are created, each report is quality assured by an Analyst based in that report’s region. Following quality assurance and any resulting corrections, the same Senior Data Scientist manually runs code to copy the files from the server they are stored on to a “staging” server. At the publication time the reports are copied to a live server by a Data Architect.

On this occasion, three of the nine reports didn’t get uploaded to the staging server. It is very likely this was because of a network connection error, for two reasons:

  1. the organisation has been experiencing network connection issues this week
  2. the missing reports were alphabetically the final ones, and the code copies the reports to the staging server in alphabetical order

Therefore, when the reports were copied to the live server on 15 April 2021 the three missing reports were not made live. The existing reports for these three regions, containing data for the previous month, remained available on the same web page as the new reports.

At 4pm on 15 April 2021 a Public Health Analyst within PHE alerted the team to the issue. The Data Scientist and the Data Architect remedied the issue within 20 minutes.

We believe the impact of the breach would be minimal as:

  1. the reports were made available just over two hours after their scheduled release time
  2. the contact details for the team that publish the report are available on the GOV.UK page, and the team received no contact about this issue

The correct reports were uploaded just over two hours after their scheduled publication time. In the long term, three corrective actions will be taken:

  1. the Standard Operating Procedure outlining the process has been updated so the Senior Data Scientist who copies the report to the staging server using code will manually check the server to ensure all the reports have been copied over
  2. the code will return an error if a file fails to be copied over to the staging server
  3. another member of the team will check all the reports at the scheduled time of publication to ensure they have all been made live