What does this cover?

In October the ICO published a guide entitled 'How to disclose information safely: Removing personal data from information requests and datasets.'

The publication provides guidance to organisations responding to subject access request and public organisations responding to Freedom of Information and Environmental Information Regulations, to ensure data subjects cannot be identified from the disclosed information. Examples are provided on previous disclosures that have failed to satisfactorily protect such data, as well as an overview of the statutory requirements for removing personal data. It deals with hidden data in spreadsheets and other documents (for example pivot tables and embedded comments) and contains a useful checklist organised by file type.

The guide is of importance to:

  • Organisations releasing data following a subject access request, which might contain personal data of third parties;  
  • Public authorities answering to freedom of information and environmental information requests;  
  • Public authorities actively publishing data as part of a publication scheme or otherwise making data available.  

To view the ICO guidelines, please click here.

What action could be taken to manage risks that may arise from this development?

Companies should consult the guidelines to ensure that any information disclosed as part of a subject access request is free from personal information of third parties.