mhill
UK Editor

UK data regulator orders end to spreadsheet FOI requests after serious data breaches

News
Sep 29, 2023 | 3 mins
Cybercrime, Data and Information Security, Government

The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information

The UK Information Commissioner's Office (ICO) has called for an immediate end to the use of Excel spreadsheets to publish Freedom of Information (FOI) data in the wake of serious data breaches. The data protection regulator issued an advisory notice to all public authorities about the risks of personal information within spreadsheets being disclosed inadvertently in response to FOI requests. The ICO said that alternative approaches should be used to mitigate risk to personal information.

The advisory comes after the Police Service of Northern Ireland and the Norfolk and Suffolk police constabularies both recently suffered accidental data breaches that exposed highly sensitive information stored in spreadsheets following FOI requests.

Alternative approaches should be used to mitigate risk to personal information

As a "matter of urgency," the ICO advised all public authorities to:

  • Implement a moratorium on the disclosure of original source spreadsheets to online platforms in response to FOI requests
  • Convert spreadsheets and sensitive metadata into open reusable formats such as comma-separated value (csv) files
  • Avoid using spreadsheets with hundreds or thousands of rows and invest in data management systems which support data integrity
  • Continually train staff who use common data software and are involved in disclosing information
  • Ensure that there is no unexpected data included if the original format needs to be maintained to preserve useful macros and equations
  • Always disclose information in the most appropriate and secure format; this may involve copying information into a different file format

Authorities must have "robust measures" in place to protect personal information

"The recent personal data breaches are a reminder that data protection is, first and foremost, about people," said John Edwards, Information Commissioner. "We have seen both the immediate and ongoing impact that the release of such sensitive personal information has had on the individuals and families involved, and that is why I have taken this action."

It is imperative that robust measures are in place to protect personal information, he added. "The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands."

In the same week, the ICO warned of the potential risks to life posed by data breaches exposing the personally identifiable information (PII) of domestic abuse victims. The data privacy regulator urged organizations handling the PII of domestic abuse victims to take responsibility for training their staff and putting appropriate systems in place to avoid such incidents.

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
