ICO tells public authorities to stop using spreadsheets in FOI

02/10/23

Gary Flood Correspondent


One too many accidental data breaches from the use of spreadsheets in Freedom of Information (FoI) responses means it’s time for the public sector to use alternative approaches.

After several recent personal data breaches where personal information was inadvertently included in spreadsheets shared as part of an FoI response, the Information Commissioner's Office (ICO) has been forced to issue an advisory notice to that effect. Recent incidents include two in August alone: a data breach at Norfolk and Suffolk Constabularies and the widely-reported problems at the Police Service of Northern Ireland. Moving away from spreadsheets means investing instead in data management systems that support data integrity.

The ICO recognises that the use of online platforms to submit and receive responses to FOI requests can be efficient and help promote transparency, and is within the scope of the legislation. It also recognises that spreadsheets are widely used in public authorities, including inside its own four walls.

“However,” it warns, “they can also present practical challenges and risks of the inadvertent disclosure of personal information which may not be evident from a cursory look at the spreadsheet.”

Public sector bodies are therefore being advised to:

  • immediately stop uploading original source spreadsheets to online platforms used to respond to FOI requests
  • continually provide training to staff who are involved with disclosing information
  • stop using spreadsheets with hundreds or thousands of rows.

To help, the ICO will be creating a new ‘upstream’ tool in the form of a short checklist for public authorities to use for the safe and appropriate disclosure of information. It will also be reviewing and updating its guidance on how to disclose information safely, and engaging with online platforms which facilitate FOI and transparency in a safe way.

“We have seen both the immediate and ongoing impact that the release of sensitive personal information has had on the individuals and families involved,” said Information Commissioner, John Edwards.

“That is why I have taken this action [as] it is imperative that robust measures are in place to protect personal information.”

Edwards cautions that the advice his office has issued sets out only “the bare minimum” that public authorities should be doing to protect personal data when responding to information access requests. He also wants action to reassure the people they serve, and their staff, that their information is in safe hands.

Information Commissioner’s Office - Advisory note to public authorities
