New ICO guidance on disclosing documents to the public following ‘serious data breaches’

The ICO’s guidance includes practical steps and how-to videos to help organisations understand how to check documents, including spreadsheets, for hidden personal information and reduce the risk of a data breach, particularly in Freedom of Information (FoI) requests.

“Personal information can be hidden or not immediately visible in documents. If they are not checked properly, it may be disclosed by accident – sometimes with serious consequences,” said the ICO.

Last year the ICO fined the PSNI £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety.

The regulator’s investigation found that simple-to-implement procedures could have prevented the serious breach, in which hidden data on a spreadsheet released as part of a FoI request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.

Emily Keaney, Deputy Commissioner at the ICO, said: “We have seen a number of serious data breaches, including at the PSNI and the Ministry of Defence, which have involved documents being disclosed without proper checks for hidden personal information – this crucial step cannot be missed.

“All organisations must have robust measures in place to protect the personal information they hold and prevent it from being inadvertently disclosed. We are committed to providing clear guidance to help organisations get this right, reducing the margin for mistakes and making it second nature to check documents for hidden personal information.”

The new guidance is the regulator’s most current and comprehensive resource on avoiding accidental data breaches when disclosing documents to the public, replacing an advisory note issued in the immediate aftermath of high-profile data breaches in 2023.

It includes simple checklists and how-to videos, covering topics such as:

• Deciding an appropriate format for disclosure to the public;
• Finding various types of hidden personal information including hidden rows, columns and worksheets, metadata and active filters;
• Converting documents to simpler formats to reveal hidden data;
• Avoiding using ineffective techniques to keep information secure;
• Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector);
• Reviewing the circumstances of a breach to prevent a recurrence; and
• Removing and redacting personal information effectively.

The ICO is engaging directly with key stakeholders, including the Government, to increase visibility of the guidance among those who need it.

While the guidance is designed to support organisations with disclosing documents to the public, the practical advice will also help all organisations avoid accidental data breaches in any situation where they are disclosing or sharing documents.