The UK Information Commissioner’s Office (ICO) has called for an immediate end to the use of Excel spreadsheets to publish Freedom of Information (FOI) data, following serious data breaches. In an advisory notice to all public authorities, the ICO highlighted the risk of inadvertently disclosing personal information within spreadsheets released in response to FOI requests. The regulator urged the use of alternative approaches to mitigate the risk to personal information.
This call comes after the Police Service of Northern Ireland and the Norfolk and Suffolk police constabularies recently experienced accidental data breaches. These breaches occurred when spreadsheets containing highly sensitive information were exposed following FOI requests.
As a “matter of urgency,” the ICO advised all public authorities to take the following measures:
1. Implement a moratorium on the disclosure of original source spreadsheets to online platforms in response to FOI requests.
2. Convert spreadsheets and sensitive metadata into open reusable formats, such as comma-separated value (CSV) files.
3. Avoid using spreadsheets with large amounts of data and invest in data management systems that support data integrity.
4. Provide continuous training to staff who use common data software and are involved in disclosing information.
5. Ensure that no unexpected data is included if the original format needs to be maintained to preserve useful macros and equations.
6. Always disclose information in the most appropriate and secure format, which may involve copying information into a different file format.
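A pre-disclosure check for measure 5, as an added example that is not part of the ICO advisory or the original article: it inspects an .xlsx package for hidden worksheets and for parts, such as pivot caches, that hold data a reviewer does not see on screen. The function names, the list of parts treated as risky and the sample workbook are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Assumption of this example: package parts that can carry data not shown in the grid.
RISKY_PREFIXES = ("xl/pivotCache/", "xl/externalLinks/", "xl/comments", "xl/vbaProject")


def audit_xlsx(data: bytes) -> dict:
    """Report hidden sheets and data-bearing parts in an .xlsx package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("xl/workbook.xml"))
    hidden = [
        s.get("name")
        for s in root.findall("m:sheets/m:sheet", NS)
        if s.get("state", "visible") != "visible"  # "hidden" or "veryHidden"
    ]
    risky = sorted(n for n in names if n.startswith(RISKY_PREFIXES))
    return {"hidden_sheets": hidden, "risky_parts": risky,
            "clean": not hidden and not risky}


def build_sample() -> bytes:
    """Constructed sample: one visible sheet, one hidden sheet, one pivot cache."""
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        "<sheets>"
        '<sheet name="Summary" sheetId="1"/>'
        '<sheet name="RawData" sheetId="2" state="hidden"/>'
        "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/sheet2.xml", "<worksheet/>")
        z.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Flags the hidden "RawData" sheet and the pivot cache in the constructed sample.
    print(audit_xlsx(build_sample()))
```

A file that does not come back `clean` should be reviewed by a person before release; a clean result only covers the parts this check looks at.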
According to John Edwards, Information Commissioner, “The recent personal data breaches are a reminder that data protection is, first and foremost, about people.” He emphasized the importance of having robust measures in place to protect personal information. The advisory sets out the minimum requirements that public authorities should follow to safeguard personal data when responding to information access requests. Edwards aims to reassure the individuals and families affected that their information is secure.
In a related development, the ICO also issued a warning about the potential risks to domestic abuse victims resulting from data breaches that expose their personally identifiable information (PII). The regulator urged organizations handling such information to prioritize staff training and implement appropriate systems to prevent such incidents. The protection of domestic abuse victims’ PII is crucial, as its exposure could endanger their lives.
Both warnings from the ICO underscore the importance of data protection and the need for organizations to take proactive measures to prevent data breaches. The reliance on Excel spreadsheets for publishing FOI data has proven to be a vulnerability, as accidental disclosures can have serious consequences for individuals and families. By adopting alternative approaches and investing in data management systems, public authorities can mitigate the risk to personal information and ensure its secure handling.
The ICO’s advisory serves as a reminder to organizations of their responsibility to protect personal data and to handle it with utmost care. As technology evolves, data protection measures must also evolve to stay ahead of potential threats. Continuous staff training and the implementation of robust systems are crucial steps in safeguarding personal information. By prioritizing data protection, organizations can provide reassurance to the individuals they serve and maintain the public’s trust in their ability to handle sensitive information securely.
In conclusion, the ICO’s call for an end to using Excel spreadsheets for publishing FOI data highlights the need for alternative approaches to protect personal information. The recent data breaches serve as a reminder of the potential risks, both for individuals and organizations, of accidental disclosures. By implementing the recommended measures and investing in secure data management systems, public authorities can ensure the protection of personal data and maintain the public’s confidence in their data handling practices.
