Advice comes following recent high profile data breaches- Alternative approaches should be used to mitigate risk to personal information
- ICO creating checklist for safe and appropriate disclosure of information
The Information Commissioner, John Edwards, has issued an advisory notice to public authorities calling for an immediate end to the use of original source excel spreadsheets when responding publicly to Freedom of Information Act (FOI) requests.
The notice follows a number of recent high profile personal data breaches, where personal information was inadvertently included in spreadsheets that were shared as part of a FOI response.
The advisory notice includes recommendations that public organisations should:
- immediately stop uploading original source spreadsheets to online platforms used to respond to FOI requests;
- continually provide training to staff who are involved with disclosing information
- avoid using spreadsheets with hundreds or thousands of rows and instead invest in data management systems which support data integrity.
“The recent personal data breaches are a reminder that data protection is, first and foremost, about people. We have seen both the immediate and ongoing impact that the release of such sensitive personal information has had on the individuals and families involved, and that is why I have taken this action.
“It is imperative that robust measures are in place to protect personal information. The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.”
- John Edwards, Information Commissioner
The full advisory note is available on the ICO website along with additional guidance on how to disclose information safely.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The Freedom of Information Act 2000 covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.
- Recent breaches of personal information via a Freedom of Information request include:
a. Police Service Northern Ireland inadvertently published the personal details of all its officers and staff on the internet when responding to a request for the number of officers at each rank and number of staff at each grade.
b. Norfolk and Suffolk police inadvertently published the personal details of crime suspects, victims and witnesses online when responding to a Freedom of Information request. - The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.