For multiple reasons, organizations publish documents regularly. These range from responses to Freedom of Information (FOI) requests to sending information to customers or posting helpful resources online.
Information disclosures, such as sending documents to a customer, responding to a DSAR, or publishing documents to the wider public as part of a Freedom of Information Act (FOIA) requirement, are necessary to ensure regulatory compliance and meet customers’ expectations related to trust. It is nonetheless important to guarantee that all personal information that forms part of such disclosures is appropriately protected.
The focus is directly on visible content. However, this seemingly straightforward task is not without its own risks. Hidden metadata, comment histories, embedded spreadsheets, and invisible text can all expose personal information silently, without anyone noticing. The resulting consequences will not be so silent.
In its latest guidance, the Information Commissioner’s Office (ICO) has underscored a reality that most organizations either neglect or seriously underestimate. Accidental personal data breaches are still one of the most common reasons for enforcement actions. These are entirely preventable cases of data loss for an organization as they almost always occur due to issues in an organization’s internal oversight mechanisms, such as a missed tracked change, a pivot table that still contains cached source data, or a PDF that wasn’t properly sanitised.
The fact that a single file can contain multiple layers of metadata, hidden objects, and linked resources that most reviewers never see makes the problem that much more serious. Disclosing such files without a systematic check would be akin to mailing a sealed envelope with passwords or other sensitive information written on the outside.
With this guidance, the ICO provides clear and practical steps that organizations can leverage to find and eliminate hidden personal information. Read on to learn more.
Why Do Accidental Breaches Occur
In almost all cases, people are much more likely to make mistakes when one or more factors are present. These factors can relate to the organization, a specific job, or the employees themselves. These include:
- poor communication about internal policies and procedures;
- lack of regular training;
- inadequate resources;
- challenging workloads;
- time pressure;
- employee fatigue and stress.
Circumstances of the Breach
As important as it is to undertake remedial measures to offset the possible damage by a breach, it is equally important to understand the circumstances behind it. When doing so, the things to consider are:
- The nature of the breach, who it affects, and what actions can be taken to contain it;
- Assessment of the possible risks;
- Why did a breach or a possible breach occur in the first place?
A Checklist to Consider
The guidance aims to give as much help as possible to organizations on how to avoid accidental breaches. However, when working with people, there will always be some risks. In any case, if there is a breach, organizations should:
- Record the details of the breach, including facts, its effects, and remedial actions being undertaken;
- Report it to the relevant authorities without undue delay, where possible within 72 hours of becoming aware of it;
- Inform the person or people affected by the breach without undue delay if the risk is high.
Moreover, actions must be taken to:
- Act promptly to contain the breach;
- Assess the risk;
- Take appropriate action per relevant internal policies and procedures;
- Investigate and take further action to avoid future repetitions.
When Might Organizations Disclose Documents to the Public
Organizations may disclose documents to the public generally when publishing information online. Additionally, public disclosure may be the result of specific responsibilities under FOIA and the Environmental Information Regulations 2004 (EIR) to respond to requests for information and proactively publish certain information. Lastly, disclosures may also be made to specific members of the public rather than the wider public, such as disclosures to update a customer or a response to a SAR under data protection regulations.
However, before disclosing documents that contain personal information, organizations must generally:
- Ensure compliance with data protection principles and individual rights;
- Only disclose information if done lawfully, fairly, and transparently;
- Consider any relevant individual rights.
Principles to Help Avoid Accidental Breaches
a. Data Minimization
Data minimization ensures only the minimal amount of data is ever collected and thus exposed. Under it, all personal information being used must be:
- Adequate for your purpose;
- Relevant for that purpose;
- Limited to what is necessary to achieve that purpose.
b. Data Limitation
All collected personal information must be kept only for as long as needed. It should be deleted or anonymized when no longer needed.
c. Data Security
The security principle consists of both integrity and confidentiality principles. It requires organizations to have appropriate measures in place to protect against unauthorized or unlawful use, accidental loss, destruction, or damage.
d. Accountability
Organizations must be able to readily demonstrate that their use of the collected personal information is in line with all the GDPR’s data protection principles.
In case an accidental breach occurs when the personal information is hidden in the documents released, the organization must:
- Have data protection policies and procedures in place to respond to such breaches;
- Comply with the relevant obligations per information access and data protection legislation;
- Keep all personal information secure using appropriate methods.
Organizations should:
- Give staff appropriate data protection training about disclosing documents securely and how to report breaches;
- Check all documents appropriately before disclosing them;
- Know how to remove personal information that cannot be disclosed and how to redact it effectively;
- Undertake measures to eliminate ineffective techniques.
Organizations could:
- Raise awareness internally about the risks of accidentally disclosing documents containing personal information;
- Use software to search for text that may be of the same color as the background;
- Use software tools designed to help find various types of personal information;
- Convert complex files into simpler formats to reveal all displayable information in the document;
- Check the file size to ensure it is not larger than expected for the information being released;
- Use a retention schedule to identify when to remove or delete personal information permanently.
Organizations must consider converting their data files into simpler formats (e.g., CSV or TXT) to ensure easier identification of hidden information. These formats display all information contained in the document. Conversion to other widely used formats, such as PDFs, is not recommended, since they may not always display all information in the document.
Once the conversion is done, organizations must consider any obligations under various laws they may be subject to when it comes to releasing documents. Some factors to consider are:
How to Reduce the Chances of Ineffective Techniques Being Used
Ineffective techniques include simply changing the color of the text or background, covering information with objects, moving information to the document’s fringes, or formatting information to make it invisible. Some steps organizations can take to ensure these techniques are not used whilst trying to keep personal information secure include:
- Control and restrict access to information within a document. This can be done using various methods, such as in-document passwords and secure redaction;
- Check documents thoroughly for hidden personal information before disclosing them;
- Leverage automated software to scan entire documents for information that may be hidden, such as within images or in different text colors.
Metadata is the information embedded in any document. In essence, it is data about the data. In most cases, it is automatically embedded when the document is created, edited, or saved. Examples of such metadata are author name, subject, title, information about email sender and recipient, and image file information such as EXIF data or GPS coordinates.
While it may be helpful and appropriate to disclose some metadata publicly, there may be some information that is not appropriate to disclose. Such information can be released accidentally if an organization does not realize it is automatically embedded.
Due diligence remains the most effective way to prevent such risk. Organizations can also convert files to simpler formats, as described above, to minimize the chances of such risks.
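As an added illustration of the metadata and invisible-text checks described above (this is not code from the ICO guidance or from Securiti), the following Python sketch opens a .docx as the ZIP package it is and reports author metadata, tracked changes, and text that is hidden or coloured white. The function names and the sample document are constructed for this example, and the white-text check assumes a white page background.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
      "dc": "http://purl.org/dc/elements/1.1/",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"}
W = "{%s}" % NS["w"]

def part(z, name):
    """Parse one package part, or return an empty element if it is absent."""
    return ET.fromstring(z.read(name)) if name in z.namelist() else ET.Element("absent")

def run_text(el):
    """Join the visible and deleted text found under an element."""
    return "".join(t.text or "" for t in el.iter() if t.tag in (W + "t", W + "delText"))

def scan_docx(data: bytes) -> dict:
    """Return hidden-content indicators found in a .docx supplied as bytes."""
    found = {"metadata": {}, "tracked": [], "hidden_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core, doc = part(z, "docProps/core.xml"), part(z, "word/document.xml")
        found["has_comments"] = "word/comments.xml" in z.namelist()
    for tag in ("dc:creator", "cp:lastModifiedBy"):  # names that travel with the file
        el = core.find(tag, NS)
        if el is not None and el.text:
            found["metadata"][tag] = el.text
    for kind in ("ins", "del"):  # tracked changes keep both the text and the reviser
        for el in doc.iter(W + kind):
            found["tracked"].append((kind, el.get(W + "author"), run_text(el)))
    for run in doc.iter(W + "r"):  # w:vanish = hidden text; white assumes a white page
        color = run.find("w:rPr/w:color", NS)
        white = color is not None and (color.get(W + "val") or "").upper() == "FFFFFF"
        if white or run.find("w:rPr/w:vanish", NS) is not None:
            found["hidden_text"].append(run_text(run))
    return found

def build_sample_docx() -> bytes:
    """Constructed sample holding only the two parts the scanner reads."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>J. Example</dc:creator>'
            '<cp:lastModifiedBy>HR Reviewer</cp:lastModifiedBy></cp:coreProperties>') % (NS["cp"], NS["dc"])
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Visible summary.</w:t></w:r>'
           '<w:del w:author="HR Reviewer"><w:r><w:delText>Complainant: A. Person</w:delText></w:r></w:del>'
           '<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>ref 12345</w:t></w:r>'
           '</w:p></w:body></w:document>' % NS["w"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Any non-empty finding is a reason to hold the file back for review; an empty result does not prove the file is clean, since images, embedded objects and headers are not inspected here.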
The different steps an organization must, should, and could take include the following:
Organizations must:
- Have comprehensive policies and procedures in place to help staff securely disclose information found in spreadsheets;
- Rely on sound data hygiene practices, such as effective passwords and secure redaction protocols, to not only remove all such information but also enable the release of documents in a manner more suitable for public release;
- Comply with relevant obligations under information access and data protection regulations they’re subject to.
Organizations should:
- Dedicate significant resources to appropriate data protection training for staff when it comes to securely disclosing information in spreadsheets and reporting possible breaches;
- Avoid ineffective techniques, taking extra care when disclosing spreadsheets;
- Check information in spreadsheets appropriately before disclosing them;
- Know how to remove and redact personal information effectively when appropriate.
Organizations could:
- Raise awareness internally about the greater risk of accidentally disclosing hidden personal information in the spreadsheets;
- Adopt data management systems that are easier to handle;
- Convert spreadsheets to simpler formats that display all displayable information;
- Take extra care to ensure file size is not greater than the size you’d expect for a file with the information you’re about to release;
- Use a retention schedule to know when to remove or delete personal information permanently.
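The spreadsheet checks listed above can be partly automated. The following Python sketch is an added example (not code from the ICO guidance or from Securiti) that reads an .xlsx package and reports hidden sheets, hidden rows or columns, and the number of source rows still cached behind pivot tables. The function names and the sample workbook are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

M = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def scan_xlsx(data: bytes) -> dict:
    """Return hidden-content indicators found in an .xlsx supplied as bytes."""
    found = {"hidden_sheets": [], "hidden_rows_cols": {}, "pivot_cache_records": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue
            root = ET.fromstring(z.read(name))
            if name == "xl/workbook.xml":
                # state is "hidden" or "veryHidden"; visible sheets usually omit it
                found["hidden_sheets"] = [s.get("name") for s in root.iter(M + "sheet")
                                          if s.get("state", "visible") != "visible"]
            elif name.startswith("xl/worksheets/"):
                n = sum(1 for e in root.iter() if e.tag in (M + "row", M + "col")
                        and e.get("hidden") in ("1", "true"))
                if n:
                    found["hidden_rows_cols"][name] = n
            elif name.startswith("xl/pivotCache/pivotCacheRecords"):
                # each <r> is a cached copy of one source-data row
                found["pivot_cache_records"][name] = len(root.findall(M + "r"))
    return found

def build_sample_xlsx() -> bytes:
    """Constructed sample holding only the parts the scanner reads."""
    ns = M[1:-1]
    parts = {
        "xl/workbook.xml": '<workbook xmlns="%s"><sheets><sheet name="Summary" sheetId="1"/>'
                           '<sheet name="Raw" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": '<worksheet xmlns="%s"><sheetData><row r="1"/>'
                                    '<row r="2" hidden="1"/></sheetData></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": '<pivotCacheRecords xmlns="%s">'
                                                '<r><s v="A. Person"/></r><r><s v="B. Person"/></r>'
                                                '</pivotCacheRecords>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml % ns)
    return buf.getvalue()
```

A non-zero pivot cache count means the source rows are still inside the file even when the worksheet that held them has been deleted.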
Redaction involves the permanent deletion of information from a document because it cannot be disclosed. Organizations rely on various ways to redact information depending on circumstances. Redactions may be small or more extensive.
Redaction may itself pose a risk of accidental breaches. An example is a document that an organization considers redacted because it has used a black marker, but where the recipient can view the information simply by holding the document up to the light.
When it comes to avoiding such risks, organizations must adopt appropriate data protection policies and procedures to help staff redact information effectively. Records should be maintained securely while maintaining the integrity of the records.
Other typical measures include regular training sessions in redaction practices for the organization, as well as sound documentation practices in line with the organizational requirements under various laws.
How Securiti Can Help
This guidance from the ICO is meant to be simple and easy to understand for businesses without getting them tangled up in complicated software and other protocols. Leveraging automated solutions and sensible data hygiene practices will be more than enough to stave off the risks of accidental breaches, as explained in the guidance.
Securiti is a market leader in providing enterprise data+AI solutions in privacy, security, and compliance. Its plethora of modules is designed to ensure an organization can keep all its bases covered. These include solutions related to DSR automation, data mapping, data access governance, and data lineage. Each of these modules ensures an organization can take the recommendations of this guidance into account when protecting its data assets or when releasing these documents to the public in a secure manner.
Request a demo today and learn about how Securiti can help you release documents to the public without incurring any accidental breaches.
Frequently Asked Questions (FAQs) about the ICO’s Guidance
Some of the most commonly asked questions related to the ICO’s guidance on disclosing documents to the public are as follows: