Advisory note published September 2023
Recent high-profile and serious data breaches in the UK have shown the impact of personal information within original source spreadsheets being disclosed inadvertently in response to FOIA requests. This issue is not new. Human errors can have huge consequences. Public authorities (PAs) should have robust measures in place to ensure that personal information is kept safe and the risk of human error is reduced, including when responding to freedom of information requests.
The ICO recognises that the use of online platforms to submit and receive responses to FOI requests can be efficient and help promote transparency and are within the scope of the legislation. We also recognise that spreadsheets are widely used in public authorities, ourselves included.
However, they can also present practical challenges and risks of the inadvertent disclosure of personal information which may not be evident from a cursory look at the spreadsheet.
The ICO is advising, as a matter of urgency, that all PAs should:
- Implement a moratorium on the disclosure of original source spreadsheets to online platforms in response to FOI requests.
- Convert spreadsheets and sensitive metadata into open reusable formats such as Comma-Separated Value (csv) files.
- Avoid using spreadsheets with hundreds or thousands of rows. Invest in data management systems which support data integrity.
- Continually train staff who use common data software and are involved in disclosing information.
- Familiarise themselves with, and incorporate into policies and procedures, guidance from the ICO on mitigating the risks of pivot tables: they summarise a large set of data, but the underlying data they summarise can be retained in the file. See 'How to disclose information safely'.
- Continue to comply with their statutory responsibilities under FOIA. This advice is not an extra reason to not publish information as a PA.
- Ensure that there is no unexpected data included if the original format needs to be maintained to preserve useful macros and equations.
- Always disclose information in the most appropriate and secure format; this may involve copying the information into a different file format. Follow the relevant advice on how to disclose information safely: Creating and sharing spreadsheets.
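As an added illustration of why a cursory look at the visible grid is not enough (this is example code, not part of the ICO note or any authority's tooling), the following Python script opens an .xlsx package directly with the standard library and lists the parts that a CSV export would leave behind: hidden and veryHidden sheets, pivot cache definitions (which store a copy of the rows they summarise), cell comments, external links and defined names. The sample workbook it audits is constructed in code; the part names follow the Office Open XML package layout.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}


def audit_xlsx(data: bytes) -> dict:
    """Count content inside an .xlsx package that the visible grid does not show:
    hidden/veryHidden sheets, pivot caches (a stored copy of the source rows),
    cell comments, external links and defined names."""
    findings = {"hidden_sheets": [], "pivot_caches": 0, "comments": 0,
                "external_links": 0, "defined_names": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        wb = ET.fromstring(pkg.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings["hidden_sheets"].append(sheet.get("name"))
        findings["defined_names"] = len(wb.findall("m:definedNames/m:definedName", NS))
        for part in pkg.namelist():
            if part.startswith("xl/pivotCache/pivotCacheDefinition"):
                findings["pivot_caches"] += 1
            elif part.startswith("xl/comments"):
                findings["comments"] += 1
            elif part.startswith("xl/externalLinks/externalLink"):
                findings["external_links"] += 1
    return findings


def safe_to_release(findings: dict) -> bool:
    """True only when none of the audited hidden-content categories is present;
    anything else needs a manual review or a conversion to CSV first."""
    return not findings["hidden_sheets"] and all(
        findings[k] == 0 for k in ("pivot_caches", "comments", "external_links", "defined_names"))


def build_sample_xlsx() -> bytes:
    """Constructed sample package (not a real file): one visible 'Summary' sheet,
    one veryHidden 'Staff' sheet, a defined name pointing at it and a pivot cache part."""
    workbook_xml = (
        f'<workbook xmlns="{MAIN_NS}"><sheets>'
        '<sheet name="Summary" sheetId="1"/>'
        '<sheet name="Staff" sheetId="2" state="veryHidden"/></sheets>'
        '<definedNames><definedName name="StaffList">Staff!$A$1:$D$500</definedName>'
        '</definedNames></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/workbook.xml", workbook_xml)
        pkg.writestr("xl/pivotCache/pivotCacheDefinition1.xml",
                     f'<pivotCacheDefinition xmlns="{MAIN_NS}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_xlsx(build_sample_xlsx())
    print(result, "safe to release:", safe_to_release(result))
```

Run it against a real workbook by passing the file's bytes to audit_xlsx; a clean result is a precondition for release, not proof that no personal data sits in the visible cells.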
Also consider the following:
- If a request for original source spreadsheets is made via an online platform and it is not possible to provide the same information in a more secure format, public authorities should ask requestors if they are able to provide an alternative address for correspondence.
- However, if a requestor wants to use the original address, the public authority should still respond to the request in line with its obligations under FOIA, while taking steps to make sure there is no data breach.
- PAs should ensure that personal information is recorded and retained in the most appropriate and proportionate format, in compliance with the security and data minimisation principles of the UK GDPR (Principle (c): Data minimisation).
The ICO will be:
- Creating a new ‘upstream’ tool in the form of a short checklist for public authorities to use for the safe and appropriate disclosure of information.
- Reviewing and updating ICO guidance: How to disclose information safely.
- Engaging with online platforms which facilitate FOI and transparency in a safe way.