ICO warns against Excel spreadsheets to curb public sector data breaches

ICO advises against spreadsheets story, illustrated by a Microsoft Excel spreadsheet window mockup in a cartoon style, set against a pale blue background
(Image credit: Getty Images)

The UK’s Information Commissioner’s Office (ICO) has issued an advisory to public bodies urging them to “stop using spreadsheets” when responding to requests made under the Freedom of Information Act 2000 (FoI). 

The advisory notice called for an “immediate end” to the use of Excel spreadsheets when responding to public requests for information, and outlined a series of recommendations for public authorities to follow. 

The ICO listed a number of core recommendations for responses. Public bodies have been advised against replying to FoI requests with spreadsheets containing “hundreds or thousands of rows”.

A recommendation to improve investment in data management systems that “support data integrity” was included in the guidance.

In addition, police services were advised to “convert spreadsheets and sensitive metadata into open reusable formats, such as comma-separated value (CSV) files”.

The advisory also called for better staff training for those involved in disclosing information to prevent the exposure of sensitive data. 

UK information commissioner John Edwards said it’s “imperative” that robust measures are maintained by public authorities when dealing with personal information. 

“The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.”

While the ICO did not explicitly cite recent incidents, the advisory notice follows a series of FoI-related data protection blunders at UK police services across the country. 


A webinar screen with title and host name on the topic of a strategic approach to security

(Image credit: Cloudflare)

Learn how to address inflation, political tensions, and supply chain challenges that influence your IT security in this webinar from Cloudflare 


Personal information belonging to thousands of police officers and staff in Northern Ireland was exposed in August after a document was mistakenly uploaded in response to a freedom of information request.  

The data breach exposed the names of around 10,000 actively serving officers and civilian staff. 

Within the space of a week, this incident was followed by breaches at two other forces elsewhere in the UK. 

Norfolk and Suffolk police revealed a “technical issue” that resulted in personally identifiable information being exposed during a routine freedom of information response. 

Details of hundreds of crime victims, suspects, and witnesses were exposed in the incidents. Much of the information leaked pertained to domestic abuse, assault, theft, and sexual offense cases.

Both police services have since apologized for the data protection blunders.  

“The recent personal data breaches are a reminder that data protection is, first and foremost, about people,” Edwards said. 

“We have seen both the immediate and ongoing impact that the release of such sensitive personal information has had on the individuals and families involved, and that is why I have taken this action.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.