
Out-Law News

ICO guidance: businesses must tackle human error risks linked to personal data breaches


The guidance sets out practical measures to lower data breach risk. Carl Court/Getty Images


The UK Information Commissioner’s Office (ICO) has issued new guidance on disclosing documents to the public, which an expert says emphasises practical measures to reduce the risk of accidental data breaches.

Laura Gillespie, data security expert at Pinsent Masons, was commenting after the ICO issued guidance aimed at helping organisations securely disclose documents to the public, which follows a number of “serious data breaches” linked to human error. The guidance provides practical steps and tools to identify and remove hidden personal information from documents before they are shared – particularly in response to data subject access requests (DSARs) and Freedom of Information Act (FOIA) or Environmental Information Regulations (EIR) requests.

The ICO’s move comes in the wake of high profile breaches where sensitive personal data was inadvertently disclosed because of insufficient checks. The new guidance replaces earlier advisory notes and includes checklists, how-to videos, and recommendations for using tools such as Microsoft Document Inspector to detect hidden metadata, filters and concealed rows or columns.
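The classes of hidden content the guidance calls out (document metadata, hidden sheets, hidden rows and columns, and filters that mask rows) all live in the XML parts of an Office Open XML package, so a pre-release check can be automated rather than left to a manual step. The script below is an added example and is not code from the ICO, Pinsent Masons or Microsoft; it reads an .xlsx directly as a zip of XML parts using only the Python standard library, and it builds its own constructed sample workbook in memory so it runs offline. It is deliberately simplified (it does not resolve sheet relationships, so hidden rows and columns are reported per worksheet part rather than per sheet title) and is a gate alongside, not a replacement for, Document Inspector.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for SpreadsheetML and the package core properties
NS = {
    "main": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
TRUE_VALUES = {"1", "true"}


def _is_hidden(element) -> bool:
    """Office writes hidden="1" or hidden="true" on hidden rows and columns."""
    return element.get("hidden", "0").lower() in TRUE_VALUES


def inspect_workbook(data: bytes) -> dict:
    """Report content in an .xlsx that would not be visible on screen or in print.
    Simplified: reads package parts directly and keys hidden rows/columns by
    worksheet part name (e.g. xl/worksheets/sheet1.xml), not by sheet title."""
    findings = {"metadata": {}, "hidden_sheets": [], "hidden_rows": {},
                "hidden_cols": {}, "autofilters": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Author / last-modified-by metadata lives in docProps/core.xml
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, NS)
                if el is not None and (el.text or "").strip():
                    findings["metadata"][tag] = el.text.strip()
        # Hidden and "very hidden" sheets are flagged on the workbook's sheet list
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.findall("main:sheets/main:sheet", NS):
                if sheet.get("state", "visible") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
        # Hidden rows/columns and autofilters are recorded in each worksheet part
        parts = sorted(n for n in names
                       if n.startswith("xl/worksheets/") and n.endswith(".xml"))
        for part in parts:
            ws = ET.fromstring(zf.read(part))
            rows = [int(r.get("r")) for r in ws.findall("main:sheetData/main:row", NS)
                    if _is_hidden(r)]
            cols = [(int(c.get("min")), int(c.get("max")))
                    for c in ws.findall("main:cols/main:col", NS) if _is_hidden(c)]
            if rows:
                findings["hidden_rows"][part] = rows
            if cols:
                findings["hidden_cols"][part] = cols
            af = ws.find("main:autoFilter", NS)
            if af is not None:
                findings["autofilters"].append((part, af.get("ref")))
    return findings


def is_safe_to_release(findings: dict) -> bool:
    """Release gate: every finding category must be empty."""
    return not any(findings.values())


def build_sample_workbook(clean: bool = False) -> bytes:
    """Constructed minimal .xlsx (test data, not a real file): one visible sheet
    plus, unless clean=True, a hidden sheet, a hidden row holding case details,
    a hidden column, an autofilter and author metadata."""
    creator = "" if clean else "jane.doe@example.org"
    modified_by = "" if clean else "Records Team"
    hidden_sheet = "" if clean else '<sheet name="Working" sheetId="2" state="hidden"/>'
    hidden_col = "" if clean else '<col min="3" max="3" width="0" hidden="1"/>'
    hidden_row = "" if clean else ('<row r="2" hidden="1"><c r="A2" t="inlineStr">'
                                   '<is><t>Case 42: applicant name</t></is></c></row>')
    autofilter = "" if clean else '<autoFilter ref="A1:C2"/>'
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy></cp:coreProperties>')
    workbook = (f'<workbook xmlns="{NS["main"]}"><sheets>'
                f'<sheet name="Release" sheetId="1"/>{hidden_sheet}</sheets></workbook>')
    sheet = (f'<worksheet xmlns="{NS["main"]}"><cols>{hidden_col}</cols><sheetData>'
             '<row r="1"><c r="A1" t="inlineStr"><is><t>Ref</t></is></c></row>'
             f'{hidden_row}</sheetData>{autofilter}</worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    report = inspect_workbook(build_sample_workbook())
    print(json.dumps(report, indent=2))
    print("safe to release:", is_safe_to_release(report))
```

Run against a real file by passing `open(path, "rb").read()` to `inspect_workbook`. The findings are intentionally conservative: an autofilter is reported even when no rows are currently filtered out, because the request handler, not the script, should decide whether a filtered view hides anything the recipient must not see.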

The ICO urges all organisations to have robust measures in place to protect the personal information they hold and prevent it from being inadvertently disclosed.

The guidance aligns with findings from Pinsent Masons’ 2025 Annual Cyber Report (36 pages/4.4 MB PDF), which revealed that 10% of cyber incidents handled by the firm in 2024 were caused by misdirected communications, such as emails sent to the wrong recipient.

“This underscores the ongoing risk that human error poses to businesses in managing personal data,” said Gillespie.

Accidental disclosure also increased in 2024 according to the report, echoing the ICO’s own statistics from the third quarter of last year, which identified these incidents as the most commonly reported breaches. While ransomware remained a significant concern – accounting for 48% of Pinsent Masons’ cases – its prevalence dropped from 58% in 2023, with business email compromise rising sharply to 26%.

Gillespie said: “In light of recent breaches attributed to human error, the ICO guidance serves as a timely reminder for those handling DSARs as well as FOIA and EIR requests and emphasises practical measures to reduce the risk of accidental breaches. In addition, given the persistent threat of ransomware, it is crucial that cyber readiness programmes incorporate appropriate staff training, subject to regular review.”
