Over the summer, you may have missed new regulatory guidance concerning how personal data is disclosed to the public.
The core of the guidance, issued by the Information Commissioner’s Office (ICO), was to make public authorities aware of risks in accidental data breaches when sharing documents containing large amounts of information, such as when responding to freedom of information (FOI) and subject access requests.
To help with this, the ICO has set out practical steps to help organisations understand how to check documents, including spreadsheets, for hidden personal information, thus reducing the risk of a data breach.
This replaces an advisory note issued in 2023, and follows high-profile data breaches at organisations including the Police Service in Northern Ireland and the Ministry of Defence, as well as a school that shared 86,000 lines of sensitive information to two parents.
These cases involved documents being disclosed without proper checks for hidden personal information.
What does this mean for schools?
School and academy trust data protection officers (DPOs) and data leads must take extra care when disclosing personal information to the public.
Education institutions are responsible for complying with obligations under the UK General Data Protection Regulation and, where they are ‘public authorities’, the Freedom of Information Act 2000 and Environmental Information Regulations (EIR) 2004.
To maintain public trust and avoid accidentally disclosing personal data, schools must ensure robust processes are in place when disclosing documents containing student, staff or other personal information.
Top tips for schools when handling FOI requests
We know from working with hundreds of schools and trusts that very little time tends to be allocated to deal with FOI compliance. Few are well equipped to deal with requests, which are increasing rapidly, particularly as organisations such as multi-academy trusts become larger and more complex.
Big spikes in requests also coincide with public announcements, such as restructures or union action, or health and safety issues. This puts schools under even more pressure when resources are already being diverted to deal with the underlying issue.
With 20 school days to reply to FOI requests, and 20 working days to respond to EIR, responses can be rushed, without adequate time being given to check information carefully before release.
So, what can be done to help avoid these mistakes from occurring?
1. Always check for hidden content
If you’re providing an electronic document, such as an Excel spreadsheet, check for hidden data in spreadsheets and pivot tables.
Export information to CSV files so it’s visible in a simple text format and will show any hidden data. Using the ‘Inspect Document’ tool can identify hidden data in Microsoft Office files.
2. Ensure redactions can’t be reversed
If you’ve redacted a document electronically, ensure the redactions have been applied permanently and the information can’t be recovered.
Similarly, if redacting by hand - such as with a black marker pen - photocopy the document and then view it on a screen to ensure you can’t read what is underneath. Consider procuring a specialist software tool designed to make redaction easier and more efficient.
3. Make sure responses are checked
Always double-check your response before disclosing it to the requester.
After spending a long time reviewing a document, it can be difficult to spot errors, so asking a colleague to check it over is best practice.
4. Proactively publish information
If you see an increase in requests relating to a particular matter, consider whether that information can be published proactively.
You can then direct requesters to the school website for the information and hopefully reduce the number of future requests.
Final thoughts
Dealing with a spike in FOIs can be daunting - especially when there is time pressure to ensure they are completed - but it’s imperative that schools follow the above steps before disclosure. This will ensure they avoid inadvertently causing data breaches, potential public censure from the ICO, damage to relationships with the school community, and the risk of litigation from those affected.
Claire Archibald is legal director in the education team at UK and Ireland law firm Browne Jacobson, specialising in data protection, information governance and freedom of information matters
