ICO issues advisory notice for public authorities to protect personal data

The ICO has warned public authorities that they should not be sharing original source spreadsheets in response to Freedom of Information requests owing to the risk of inadvertent disclosure of personal data which might not be obvious from a “cursory look at the spreadsheet”.

The ICO has advised public bodies, as a matter of urgency, to:

  • Stop disclosing original source spreadsheets to online platforms in response to Freedom of Information requests.
  • Stop using spreadsheets with hundreds of thousands of rows, but instead to invest in data management systems.
  • Convert the information in the spreadsheet (including metadata) to open reusable software like CSV.
  • Train staff in relation to the data protection implications of sharing information.
  • Update policies and procedures to deal with pivot tables (which summarise large data sets but which still risk disclosing underlying data).
  • Ensure that there is no unexpected data included if the original format needs to be maintained to preserve useful macros and equations.
  • Keep complying with Freedom of Information Act obligations.
  • Always disclose information in the most appropriate and secure format, following the government advice on creating and sharing spreadsheets safely.

Whilst this is directed at the public sector, some of this advisory notice may still be useful to those operating outside of the public sphere, particularly in data heavy sectors where spreadsheets are shared.

The advice can be found here.


Don't just take our word for it