ICO considers enforcement action over disclosure of 'hidden' personal data in FOI responses

Out-Law News | 01 Jul 2013 | 2:02 pm | 2 min. read

The Information Commissioner's Office (ICO) has warned public sector bodies that they face being fined for breaching data protection laws if they disclose "hidden" personal information in their responses to freedom of information (FOI) requests.

The watchdog said it had uncovered cases where public bodies had issued FOI responses that contained information in spreadsheets that, when clicked on, revealed the "underlying data". A number of public bodies could face enforcement action as a result of their disclosure of personal information in these circumstances, it said.

"The ICO is actively considering a number of enforcement cases on this issue," Steve Wood, head of policy delivery at the ICO, said in a blog.

The ICO said that WhatDoTheyKnow.com, a website which helps individuals access information held by public authorities, had notified it of recurring problems it had identified with the accidental release of personal data by public authorities.

"The issue relates to responses to freedom of information (FOI) requests provided in spreadsheets, which are inadvertently revealing personal information," Wood said. "Public authorities will often respond to requests by supplying the information requested in spreadsheet format. Sometimes that will be in the form of a ‘pivot table’, which can neatly summarise the information, without revealing the underlying personal information the summary is based on."

"Unfortunately, it has come to our attention that public authorities are not always properly removing the underlying data before disclosing. Pivot tables, both in Microsoft Excel and other spreadsheet programs, retain a copy of the source data used. This information is hidden from view, but is easily accessible," Wood said.

Under the Data Protection Act (DPA) organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The ICO has the power to fine organisations up to £500,000 for serious breaches of the Act.

The watchdog has advised public bodies to avoid using pivot tables when making disclosures or sharing data involving personal information. It said the authorities should check the size of files before they disclose them, as larger-than-expected files should indicate that further checks are merited.

In addition, the ICO said that organisations should ensure that they have the "right procedures and checklists in place" for staff to follow when they are involved in data disclosures and that they should consider training staff "to ensure [they] understand how to safely prepare spreadsheets for release".

"You should ensure that staff responsible for answering requests understand how to use common software formats, and how to strip out any sensitive metadata or source data (eg data hidden behind pivot tables in spreadsheets)," the ICO's updated guide to freedom of information said.
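As an added illustration (not part of the ICO guidance or the original article), the pre-release check described above can be automated for .xlsx files, which are ZIP archives of XML parts. The function name `audit_xlsx` and the sample workbook parts are constructed for this example; the sketch reports pivot-cache record parts, where the source rows behind a pivot table are stored, and sheets marked hidden.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_xlsx(source):
    """Return findings for data a reader would not see on screen."""
    # source: a path or binary file object holding an .xlsx workbook
    findings = []
    with zipfile.ZipFile(source) as zf:
        for name in zf.namelist():
            # Pivot tables keep a copy of their source rows in these parts.
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                root = ET.fromstring(zf.read(name))
                rows = len(root.findall(NS + "r"))
                findings.append(("pivot_cache", name, rows))
        # Sheets marked hidden or veryHidden still ship inside the file.
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.iter(NS + "sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(("hidden_sheet", sheet.get("name"), state))
    return findings

def build_sample():
    """Constructed minimal workbook parts, enough to exercise the check."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml",
            f'<workbook {ns}><sheets>'
            '<sheet name="Summary" sheetId="1"/>'
            '<sheet name="Source" sheetId="2" state="hidden"/>'
            '</sheets></workbook>')
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
            f'<pivotCacheRecords {ns} count="2">'
            '<r><s v="Constructed Name A"/><n v="1"/></r>'
            '<r><s v="Constructed Name B"/><n v="2"/></r>'
            '</pivotCacheRecords>')
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for finding in audit_xlsx(build_sample()):
        print(finding)
```

An empty result only means these two kinds of hidden content were not found; it does not replace the manual checks and file-size review the ICO recommends.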

The ICO said that changes to FOI laws due to take effect in August should help prevent hidden personal data being disclosed.

"These amendments will require public authorities to disclose datasets in open reusable formats, which in practice means using a format such as CSV (comma separated variable) will be a requirement," Wood said. "This should remove many of the risks of hidden data, as the spreadsheet formatting is taken away, making it clear what information has been included."