Information Commissioner calls for end to the use of spreadsheets in FoI responses
Information Commissioner John Edwards has issued an advisory notice to all public authorities calling for an immediate end to the use of original source excel spreadsheets when responding publicly to Freedom of Information (FoI) requests.
He says alternative approaches should be used to mitigate risk to personal information.
The notice follows a number of recent high-profile personal data breaches at police forces in which personal information was included in spreadsheets that were shared as part of a FoI response.
The Police Service Northern Ireland inadvertently published the personal details of all its officers and staff on the internet when responding to a FoI request for the number of officers at each rank and number of staff at each grade.
Norfolk and Suffolk constabularies also mistakenly published the personal details of crime suspects, victims and witnesses online when responding to a FoI request.
Mr Edwards said: “The recent personal data breaches are a reminder that data protection is, first and foremost, about people.
“We have seen both the immediate and ongoing impact that the release of such sensitive personal information has had on the individuals and families involved, and that is why I have taken this action.
“It is imperative that robust measures are in place to protect personal information.
“The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.”
The Information Commissioner’s advisory notice recommends that public organisations should immediately stop uploading original source spreadsheets to online platforms used to respond to FoI requests.
They should avoid using spreadsheets with hundreds or thousands of rows and instead invest in data management systems that support data integrity, he said.
He also wants to continual training provided to staff who are involved with disclosing information.
The Information Commissioner’s Office is holding its annual Data Protection Practitioners’ Conference next week which will addresses the issues surrounding data protection, including cyber security, dealing with FoI requests and the impact of inappropriate disclosures (see https://www.policeprofessional.com/news/ico-conference-puts-spotlight-on-challenges-of-data-protection/).