In a recent blog post I reported that several police forces in the UK had made headline news because of failures to comply with the requirements of the UK GDPR when preparing responses to requests for information made under the Freedom of Information Act 2000.

I explained that their inadvertent disclosures of personal data (e.g. the names of serving police officers) had the potential to damage the reputation of police forces and presented a privacy risk to the affected individuals. In the case of serving police officers in Northern Ireland, it also presents an ongoing risk to their safety, since it will likely prove impossible to ascertain how many copies of the disclosed data remain in circulation, or whether any of it is in the possession of dissidents.

What went wrong?

The disclosures had two common features. Firstly, in each instance, personal information about serving police officers (including those working in intelligence services) was inadvertently disclosed when original source spreadsheets were included in responses to FOI requests. Secondly, all the inadvertent disclosures occurred because of human error, and in some instances, error by more than one person.

In one instance the request was submitted via www.WhatDoTheyKnow.com, an online platform that facilitates the submission of FOI requests. The response to the request was also published on the platform and was therefore publicly accessible (i.e., not limited to the original requestor). The response, including the Excel spreadsheet containing personal data, was accessible for approximately two and a half hours and was accessed several times before being removed at the request of the Police Service of Northern Ireland (PSNI) because it posed a risk to the safety and security of police service personnel in Northern Ireland.

Response of the ICO

The inadvertent disclosures triggered a review by the ICO. It has now responded by issuing an advisory notice. The advisory notice is not limited to police forces; it is directed to all organisations with FOI responsibilities. It comprises five elements:

Firstly, it acknowledges that the use of online platforms to submit and receive responses to FOI requests “can be efficient and help promote transparency and are within the scope of the legislation” and does not seek to restrict the submission of FOI requests through such platforms.

Secondly, it reminds organisations that they must comply with the data minimisation principle and the integrity and confidentiality (security) principle in the UK GDPR when preparing responses to FOI requests. For example, a request for information on the number of staff employed in a particular role might require an FOI officer to ask the Human Resources department for information on all employees. In such instances it is not necessary to retain the names of staff in any dataset compiled to determine the number of staff in particular roles, so that information should be removed as soon as the count has been taken, thereby eliminating the risk of its inadvertent disclosure.

Thirdly, it advises that responding to FOI requests should never be the responsibility of just one person; a second colleague should check a draft of the response prior to disclosure to ensure that it does not include an inadvertent personal data disclosure. In this regard, the ICO has helpfully provided a disclosure checklist.

Fourthly, it reminds organisations that they should provide regular staff training on the UK GDPR, on FOI law and on the software commonly used in the preparation of responses, to enable staff to release data safely.

Finally, it issued specific guidance regarding the use of Excel spreadsheets to respond to FOI requests. In this regard, it begins by recognising that “spreadsheets are widely used” before advising organisations that they should “Implement a moratorium on the disclosure of original source spreadsheets to online platforms in response to FOI requests.” However, the moratorium does not amount to a complete ban on the release of original source spreadsheets. Rather, if a request for original source spreadsheets is made via an online platform and it is not possible to provide the response data in a more secure format, organisations should ask requestors to provide an alternative address for correspondence (thereby ensuring that the response is disclosed to the individual requestor and not to the wider public via the online platform). The advisory notice further states that if a requestor wants to use the original address the organisation should still respond to the request but take steps to make sure there is no data breach. As for what practical steps should be taken, organisations should:

  • always disclose information in the most appropriate and secure format, noting that this may involve copying the information into a different file format. The ICO helpfully directs organisations to its guidance on Creating and sharing spreadsheets.
  • where possible, convert spreadsheets and sensitive metadata into open, reusable formats such as comma-separated values (CSV) files.
  • avoid using spreadsheets with hundreds or thousands of rows. Invest in data management systems which support data integrity.
  • take steps to mitigate the risks of pivot tables, which summarise a large set of data but typically carry a cached copy of the underlying rows inside the file, so that the source data can be recovered from a released spreadsheet, by following the guidance on ‘How to disclose information safely‘.
  • ensure that there is no unexpected data included if the original format needs to be maintained to preserve useful macros and formulas.
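The steps above translate into a check that an FOI team's technical colleague can run before anything is released. The following is an added example, not part of the ICO's guidance or of this post: a Python script (standard library only) that opens an .xlsx as the zip archive of XML parts it is, lists the content the spreadsheet grid does not display (hidden or "very hidden" sheets, hidden rows and columns, the cached source rows saved with a pivot table, external-link parts and named ranges) and exports only the visible cells of one sheet as CSV. The workbook it inspects is constructed inside the script with fictitious data and contains only the parts the audit reads; the function and variable names are the example's own assumptions.

```python
"""Pre-release audit of an .xlsx before it goes out in an FOI response.

An .xlsx is a zip of XML parts. Anything the grid does not show on screen
(hidden or veryHidden sheets, hidden rows and columns, the source rows cached
behind a pivot table, external-link parts, named ranges) is still inside the
file and travels with it. audit_xlsx() lists those parts for a second
reviewer; sheet_to_csv() exports only the visible cells of one sheet.
"""
import csv
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
T_TAG = "{%s}t" % NS["m"]


def col_index(cell_ref: str) -> int:
    """'C7' -> 3: the 1-based column number of a cell reference."""
    n = 0
    for ch in cell_ref:
        if not ch.isalpha():
            break
        n = n * 26 + ord(ch.upper()) - 64
    return n


def audit_xlsx(data: bytes) -> dict:
    """Return everything in the workbook that is not visible in the grid."""
    f = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {},
         "pivot_cache_records": 0, "external_links": [], "defined_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        # state="hidden" can be unhidden from the ribbon; "veryHidden" only via VBA or the XML
        for sh in wb.findall(".//m:sheets/m:sheet", NS):
            if sh.get("state", "visible") != "visible":
                f["hidden_sheets"].append((sh.get("name"), sh.get("state")))
        for dn in wb.findall(".//m:definedNames/m:definedName", NS):
            f["defined_names"].append((dn.get("name"), dn.text))
        for part in z.namelist():
            if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", part):
                ws = ET.fromstring(z.read(part))
                rows = [r.get("r") for r in ws.findall(".//m:sheetData/m:row", NS)
                        if r.get("hidden") == "1"]
                cols = [(c.get("min"), c.get("max")) for c in ws.findall(".//m:cols/m:col", NS)
                        if c.get("hidden") == "1"]
                if rows:
                    f["hidden_rows"][part] = rows
                if cols:
                    f["hidden_cols"][part] = cols
            elif re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", part):
                # each <r> is one source row saved with the pivot table, kept even
                # if the sheet it was built from has since been deleted
                f["pivot_cache_records"] += len(ET.fromstring(z.read(part)).findall("m:r", NS))
            elif part.startswith("xl/externalLinks/"):
                f["external_links"].append(part)
    return f


def is_clean(findings: dict) -> bool:
    """True only when nothing invisible was found; otherwise convert or redact first."""
    return not any(findings.values())


def sheet_to_csv(data: bytes, sheet_part: str) -> str:
    """Export the visible cells of one worksheet part as CSV text.

    Hidden rows and hidden columns are dropped. Simplification: only shared
    strings and plain <v> values are handled (no rich text, dates or formulas).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            ss = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(T_TAG)) for si in ss.findall("m:si", NS)]
        ws = ET.fromstring(z.read(sheet_part))
    hidden_cols = set()
    for c in ws.findall(".//m:cols/m:col", NS):
        if c.get("hidden") == "1":
            hidden_cols.update(range(int(c.get("min")), int(c.get("max")) + 1))
    out = io.StringIO()
    writer = csv.writer(out)
    for row in ws.findall(".//m:sheetData/m:row", NS):
        if row.get("hidden") == "1":
            continue
        values = []
        for cell in row.findall("m:c", NS):
            if col_index(cell.get("r")) in hidden_cols:
                continue
            v = cell.find("m:v", NS)
            text = v.text if v is not None else ""
            if cell.get("t") == "s":
                text = shared[int(text)]
            values.append(text)
        writer.writerow(values)
    return out.getvalue()


def build_sample_xlsx() -> bytes:
    """Constructed, fictitious sample: a headcount summary with a hidden names
    column, a hidden row, a veryHidden 'Staff' sheet and a pivot cache. Only
    the parts this audit reads are present, so Excel itself may refuse to open it."""
    m = 'xmlns="%s"' % NS["m"]
    parts = {
        "xl/workbook.xml": f'<workbook {m}><sheets><sheet name="Summary" sheetId="1"/>'
            '<sheet name="Staff" sheetId="2" state="veryHidden"/></sheets><definedNames>'
            '<definedName name="OfficerList">Staff!$A$1:$B$2</definedName></definedNames></workbook>',
        "xl/sharedStrings.xml": f'<sst {m}>' + "".join(f"<si><t>{s}</t></si>" for s in
            ["Role", "Headcount", "Names", "Analyst", "Officer One; Officer Two", "Covert"]) + "</sst>",
        "xl/worksheets/sheet1.xml": f'<worksheet {m}><cols><col min="3" max="3" hidden="1"/></cols><sheetData>'
            '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c><c r="C1" t="s"><v>2</v></c></row>'
            '<row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2"><v>2</v></c><c r="C2" t="s"><v>4</v></c></row>'
            '<row r="3" hidden="1"><c r="A3" t="s"><v>5</v></c><c r="B3"><v>1</v></c></row></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet {m}><sheetData><row r="1"><c r="A1" t="s"><v>4</v></c></row>'
            '</sheetData></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords {m} count="2"><r><s v="Officer One"/>'
            '<s v="Analyst"/></r><r><s v="Officer Two"/><s v="Analyst"/></r></pivotCacheRecords>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    for key, value in audit_xlsx(sample).items():
        print(f"{key}: {value}")
    print("safe to release as-is:", is_clean(audit_xlsx(sample)))
    print(sheet_to_csv(sample, "xl/worksheets/sheet1.xml"))
```

The point the audit makes concrete is that the grid is not the file: the names in the hidden column, the hidden row and the pivot cache never appear on screen but are all in the archive, so the second reviewer the ICO asks for needs to look at the parts list, not just the open workbook. A CSV is only as safe as what was exported into it; inspect the output rather than assume an export tool dropped hidden rows and columns.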

Concluding remarks

The ICO’s advisory notice strikes the correct balance, reminding organisations that they must “continue to comply with their statutory responsibilities under FOIA” whilst simultaneously recognising that human error can lead to inadvertent disclosures. It therefore focuses on practical steps that organisations can immediately take to avoid such errors and reminds them of the need for regular staff training. The combination of immediate practical steps and regular training should encourage FOI staff to refresh their knowledge and skills and enable them to confidently monitor and evaluate the appropriateness of their practices thereby minimising the risk of inadvertent disclosures of personal data when responding to FOI requests.

Dr Karen Mc Cullagh, Lecturer in Law, UEA Law School, University of East Anglia.