The UK’s Information Commissioner’s Office (ICO) has issued an advisory to public bodies urging them to “stop using spreadsheets” when responding to requests made under the Freedom of Information Act 2000 (FoI).
The advisory notice called for an “immediate end” to the use of Excel spreadsheets when responding to public requests for information, and outlined a series of recommendations for public authorities to follow.
The ICO listed a number of core recommendations for responses. Public bodies have been advised against replying to FoI requests with spreadsheets containing “hundreds or thousands of rows”.
A recommendation to improve investment in data management systems that “support data integrity” was included in the guidance.
In addition, police services were advised to “convert spreadsheets and sensitive metadata into open reusable formats, such as comma-separated value (CSV) files”.
The advisory also called for better staff training for those involved in disclosing information to prevent the exposure of sensitive data.
UK information commissioner John Edwards said it’s “imperative” that robust measures are maintained by public authorities when dealing with personal information.
“The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.”
While the ICO did not explicitly cite recent incidents, the advisory notice follows a series of FoI-related data protection blunders at UK police services across the country.
RELATED RESOURCE
Learn how to address inflation, political tensions, and supply chain challenges that influence your IT security in this webinar from Cloudflare
Personal information belonging to thousands of police officers and staff in Northern Ireland was exposed in August after a document was mistakenly uploaded in response to a freedom of information request.
The data breach exposed the names of around 10,000 actively serving officers and civilian staff.
Within the space of a week, this incident was followed by breaches at two other forces elsewhere in the UK.
Norfolk and Suffolk police revealed a “technical issue” that resulted in personally identifiable information being exposed during a routine freedom of information response.
Details of hundreds of crime victims, suspects, and witnesses were exposed in the incidents. Much of the information leaked pertained to domestic abuse, assault, theft, and sexual offense cases.
Both police services have since apologized for the data protection blunders.
“The recent personal data breaches are a reminder that data protection is, first and foremost, about people,” Edwards said.
“We have seen both the immediate and ongoing impact that the release of such sensitive personal information has had on the individuals and families involved, and that is why I have taken this action.”
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
