The Information Commissioner’s Office has issued guidance to help organisations disclose documents securely after serious data breaches, including at the Ministry of Defence.
The regulator said the new guidance is its “most comprehensive resource on avoiding accidental data breaches when disclosing documents to the public, replacing an advisory note issued in the immediate aftermath of high-profile data breaches in 2023”.
The ICO also said it is engaging directly with key stakeholders, including the UK and devolved governments, to increase visibility of the guidance amongst those who need it.
Emily Keaney, deputy commissioner at the ICO, said: “We have seen a number of serious data breaches, including at the Police Service of Northern Ireland and the Ministry of Defence, which have involved documents being disclosed without proper checks for hidden personal information – this crucial step cannot be missed.
“All organisations must have robust measures in place to protect the personal information they hold and prevent it from being inadvertently disclosed. We are committed to providing clear guidance to help organisations get this right, reducing the margin for mistakes and making it second nature to check documents for hidden personal information.”
In 2023, the ICO took action against the MoD for its poor handling of sensitive information in relation to the evacuation from Afghanistan. It fined the MoD £350,000 for a 2021 email related to the Afghan Relocations and Assistance Policy programme, in which hundreds of Afghans eligible for evacuation were identified to each other by the sender using the “cc” rather than the “bcc” field.
More recently, it was revealed that an MoD employee accidentally shared the data of more than 18,000 Afghans seeking relocation to the UK through the ARAP scheme.
In a blog published earlier this month, information commissioner John Edwards said the root cause of the error was "the emailing of a spreadsheet containing hidden data that was not evident to the individual sending it".
"We understand that person thought they were sending a limited data set to an external party for a legitimate operational reason under the pressures of a military operation," he said. "A much greater data set was inadvertently shared, a section of which eventually ended up online."
Edwards said inadvertently sharing data in this way “is not a new or novel issue” but is one that organisations “must guard against because the consequences, as in this case, can be severe.
“For many years, the ICO has identified and communicated the risks associated with storing and transmitting data in spreadsheets through guidance, commentary, advice, and in enforcement decisions,” he said. “Just last year we fined the Police Service of Northern Ireland £750,000 for sending a spreadsheet to a public facing website in response to a Freedom of Information Act request.”
The ICO chose not to issue a fine in this case. Edwards explained that the ICO had "applied considerable resource" over the last two years to understand what happened, how it happened and what the MoD was doing to ensure it would not happen again.
He said the ICO "determined that there was little we could add in this case that would justify the further allocation of resource away from other priorities.
"In making that call, we have not lost sight of the fact the MoD undoubtedly got things wrong, and the consequences have been serious," he added. "Organisations must do better to ensure mistakes like this don’t happen and understand the serious implications to people’s lives if they get it wrong.
"We recognise that there are issues of public confidence and accountability, and that we possess specific skills which other accountability bodies might wish to call on in order to gain the reassurance of a formal investigation. We remain willing to have those conversations with relevant stakeholders."
How will the new guidance help government organisations?
From handling Freedom of Information requests to responding to Subject Access Requests, public bodies regularly need to disclose documents containing large amounts of information to the public.
Personal information can be hidden or not immediately visible in documents, and if documents are not checked properly before release it may be disclosed by accident – sometimes with serious consequences.
The new guidance contains practical steps and how-to videos to help organisations understand how to check documents, including spreadsheets, for hidden personal information and reduce the risk of a data breach.
It includes simple checklists and how-to videos, covering topics such as:
- Deciding an appropriate format for disclosure to the public
- Finding various types of hidden personal information including hidden rows, columns and worksheets, metadata and active filters
- Converting documents to simpler formats to reveal hidden data
- Avoiding using ineffective techniques to keep information secure
- Using software tools designed to help identify hidden personal information
- Reviewing the circumstances of a breach to prevent a recurrence
- Removing and redacting personal information effectively
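As an added illustration of the checklist items above (hidden rows, columns and worksheets, active filters and metadata), the following script is not part of the ICO guidance: it audits an .xlsx file before disclosure using only the Python standard library, reading the XML parts inside the zip container directly. The sample workbook it builds is constructed for the demonstration and contains one of each kind of hidden item.

```python
# Added example, not ICO code: audit an .xlsx for hidden content before disclosure.
# An .xlsx is a zip of XML parts, so hidden sheets, rows, columns, active filters
# and author metadata can all be read with the standard library alone.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M, "dc": "http://purl.org/dc/elements/1.1/",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"}

def audit_xlsx(data: bytes) -> dict:
    """Return every hidden item found in the workbook bytes, keyed by kind."""
    found = {k: [] for k in ("hidden_sheets", "hidden_rows", "hidden_cols", "filters", "metadata")}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "xl/workbook.xml" in names:  # sheet-level visibility lives in workbook.xml
            for sheet in ET.fromstring(zf.read("xl/workbook.xml")).iterfind(".//m:sheet", NS):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    found["hidden_sheets"].append(sheet.get("name"))
        for name in filter(re.compile(r"xl/worksheets/sheet\d+\.xml").fullmatch, names):
            ws, part = ET.fromstring(zf.read(name)), name.rsplit("/", 1)[1]
            found["hidden_rows"] += [(part, int(r.get("r"))) for r in ws.iterfind(".//m:row", NS)
                                     if r.get("hidden") in ("1", "true")]  # OOXML booleans
            found["hidden_cols"] += [(part, int(c.get("min")), int(c.get("max")))
                                     for c in ws.iterfind(".//m:col", NS) if c.get("hidden") in ("1", "true")]
            found["filters"] += [(part, f.get("ref")) for f in ws.iterfind(".//m:autoFilter", NS)]
        if "docProps/core.xml" in names:  # author and last-editor names are personal data too
            core = ET.fromstring(zf.read("docProps/core.xml"))
            found["metadata"] += [(t, core.findtext(t, namespaces=NS)) for t in ("dc:creator", "cp:lastModifiedBy")
                                  if core.findtext(t, namespaces=NS)]
    return found

def build_sample() -> bytes:
    """Constructed minimal workbook (not a real file) with one of each kind of hidden data."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{M}"><sheets><sheet name="Summary" sheetId="1"/>'
                           '<sheet name="Full list" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{M}"><cols><col min="3" max="4" hidden="1"/>'
                                    '</cols><sheetData><row r="1"/><row r="2" hidden="1"/></sheetData>'
                                    '<autoFilter ref="A1:D20"/></worksheet>',
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
                             '<dc:creator>case officer</dc:creator></cp:coreProperties>',
    }
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()
```

A non-empty result for any key means the file should not be released as-is; converting to a flat format such as CSV (as the checklist suggests) drops hidden sheets, filters and metadata, but only after the hidden rows and columns have been reviewed and removed.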
While the guidance is designed to support organisations with disclosing documents to the public, the ICO said the practical advice "will also help all organisations avoid accidental data breaches in any situation where they are disclosing or sharing documents".