By Simon Rice, Group Manager for Technology.
Details of 2,000+ residents published online, a £70,000 penalty and an “extremely sorry” local council. That was the result of Islington Council being a little more transparent than it had intended, providing a freedom of information requestor with spreadsheets they didn’t realise included sensitive personal data.
It was, unfortunately, not an isolated incident. Whether it’s a response under the Freedom of Information Act or a reply to a subject access request, there are many different ways to inadvertently include personal data.
That’s prompted the guidance we’ve recently published: How to disclose information safely – removing personal data from information requests and datasets.
It gives practical advice on what to look out for when providing information in different formats. So take a look below at our ‘now you don’t see it, now you do’ examples of ways you could be getting it wrong, and then read the guidance to make sure you get it right.
With spreadsheets, personal information can be hidden in plain sight. A hidden column is easily revealed, providing more information that you had intended. Check for hidden content, or use simple text formats like CSV files.
These are prime ‘now you don’t see it, now you do’ material, and where the council in the example above went wrong (read the guidance to see how the dataset was created). They might be great at providing a summary of stats, but a simple double click on the table can bring the original data into view. Again, exporting to CSV gives a clear picture of what you are providing.
Embedded charts are a different form of a similar problem. Copying a chart from Microsoft Office’s Excel to its Word programme can take the underlying data with it. A simple double click, and the source data is exposed for all to see.
Redacting text might be a common task, but it’s easily done wrong. Simply highlighting the text in black may see the letters disappear from view, but a ‘copy and paste’ later, and the text shows up as easily readable in a text editor like Notepad. Best to use specific redaction software.
Files rarely contain just the information entered by the author or displayed on screen. Meta-data – data about data – is often embedded within the file, and can include info like previous authors comments, or in the case of some photographs like this one, when and where the image was taken. This type of data doesn’t always need to be removed but if it does then bespoke redaction software can help.
|Simon Rice is the Group Manager for the Technology team which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.|
Last updated 13/11/2015 13:00