Privacy Regulator Orders End to Spreadsheet FOI Responses

The UK’s information commissioner has called for an immediate end to the use of Excel spreadsheets to publish Freedom of Information (FOI) data.

The data protection regulator issued an advisory notice yesterday to all public authorities in the wake of a hugely damaging leak at the Police Service of Northern Ireland (PSNI) last month.

Among other things, the advisory demanded that all authorities:

  • Immediately stop the disclosure of “original source spreadsheets” to online platforms, when responding to FOI requests
  • Convert spreadsheets and sensitive metadata into open reusable formats like CSV files
  • Avoid using spreadsheets with hundreds or thousands of rows, and invest in data management systems which support data integrity
  • Continually train staff who use data software and are involved in disclosing information
  • Incorporate guidance from the ICO into policy to mitigate the risks of pivot tables, which can help to summarize large data sets but may also create an automatic summary of the underlying data
  • Ensure there is no unexpected data included if the original format needs to be maintained to preserve useful macros and equations
  • Always disclose information in the most appropriate and secure format, which might require first copying information into a different file format
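The checks on pivot tables and unexpected data can be partly automated before a workbook leaves the building. The sketch below is an added example, not part of the ICO advisory or the original article: it opens an .xlsx file as the ZIP archive it is and flags pivot cache parts and hidden sheets. The function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by xl/workbook.xml
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def audit_xlsx(data: bytes) -> list:
    """Return findings that should block release of the original workbook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Pivot tables keep a cached copy of their source rows in these parts,
        # so the summary a reader sees can carry the full data set with it.
        for name in zf.namelist():
            if name.startswith("xl/pivotCache/"):
                findings.append(f"pivot cache part: {name}")
        # Sheets marked hidden or veryHidden do not appear in the tab bar.
        root = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in root.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"{state} sheet: {sheet.get('name')}")
    return findings

def build_sample(with_hidden_data: bool) -> bytes:
    """Constructed sample: only the parts the audit reads, not a full workbook."""
    hidden = '<sheet name="Source" sheetId="2" state="hidden"/>' if with_hidden_data else ""
    workbook = (
        f'<workbook xmlns="{NS["m"]}"><sheets>'
        f'<sheet name="Summary" sheetId="1"/>{hidden}</sheets></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_hidden_data:
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("clean", False), ("unsafe", True)):
        print(label, audit_xlsx(build_sample(flag)))
```

An empty result only means these two checks passed; it does not replace exporting the disclosed rows to a fresh CSV file.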

Details of around 10,000 serving PSNI officers were leaked in early August after being erroneously included in a spreadsheet published to the FOI website, What Do They Know?

It was later confirmed that paramilitary groups had been able to get hold of the information, which included surnames and initials of officers, their rank or grade, and the location and department they work in – exposing those working in sensitive areas like surveillance and intelligence.

“The recent personal data breaches are a reminder that data protection is, first and foremost, about people. We have seen both the immediate and ongoing impact that the release of such sensitive personal information has had on the individuals and families involved, and that is why I have taken this action,” said information commissioner, John Edwards, in a statement.

“It is imperative that robust measures are in place to protect personal information. The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.”
