From public authorities handling Freedom of Information requests to organisations responding to Subject Access Requests, many need to regularly disclose documents containing large amounts of information to the public.
Personal information can be hidden or not immediately visible in documents. If documents are not checked properly, that information may be disclosed by accident – sometimes with serious consequences.
The ICO’s guidance includes practical steps and how-to videos to help organisations understand how to check documents, including spreadsheets, for hidden personal information and reduce the risk of a data breach.
Emily Keaney, Deputy Commissioner at the ICO, said: “We have seen a number of serious data breaches, including at the Police Service of Northern Ireland and the Ministry of Defence, which have involved documents being disclosed without proper checks for hidden personal information – this crucial step cannot be missed.
“All organisations must have robust measures in place to protect the personal information they hold and prevent it from being inadvertently disclosed. We are committed to providing clear guidance to help organisations get this right, reducing the margin for mistakes and making it second nature to check documents for hidden personal information.”
The new guidance is the regulator’s most current and comprehensive resource on avoiding accidental data breaches when disclosing documents to the public, replacing an advisory note issued in the immediate aftermath of high-profile data breaches in 2023.
It includes simple checklists and how-to videos, covering topics such as:
- Deciding an appropriate format for disclosure to the public
- Finding various types of hidden personal information including hidden rows, columns and worksheets, metadata and active filters
- Converting documents to simpler formats to reveal hidden data
- Avoiding ineffective techniques for keeping information secure
- Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)
- Reviewing the circumstances of a breach to prevent a recurrence
- Removing and redacting personal information effectively
The ICO is engaging directly with key stakeholders, including Government, to increase visibility of the guidance amongst those who need it.
While the guidance is designed to support organisations with disclosing documents to the public, the practical advice will also help all organisations avoid accidental data breaches in any situation where they are disclosing or sharing documents.
The regulator also has a wealth of guidance on data sharing, including a Code of Practice, to help organisations sharing personal information.
Find out more about the real impact a data breach can have on people’s lives with the ICO’s Ripple Effect campaign.