ICO warning on spreadsheets


Whilst the warning from the ICO calling on public authorities to stop using original source and/or large spreadsheets in FOI responses is a sensible move, it is not the solution to the problem. Authorities should be focused on their security strategies as a whole and looking at why basic security processes are still being ignored.

Suggesting, for data security reasons, that spreadsheets not be shared or used doesn’t solve the underlying issue. Organisations should be looking to put policies and processes in place for the access and storage of these documents, rather than preventing or hindering productivity by blocking the sharing of documents altogether.

Authorities must take a responsible attitude to the collection, storage, and processing of data and test against GDPR compliance. Encryption is a key component within the compliance ‘kit’: it not only reduces the chance of a breach, but also mitigates the potential financial penalties.

In a recent survey from Apricorn, among companies that have increased their implementation of encryption over the last year, one of the main reasons stated was the ability to securely share files (20%). Organisations should research, identify and mandate corporate-standard encrypted devices and educate employees on their use to avoid the risk of a breach and being fined for non-compliance. They also need to recognise the importance of having visibility over data and the need to implement a policy that requires all information to be encrypted automatically, as standard. This will ensure that nothing manages to slip through the net.

Organisations should continue to analyse all personal data that is collected, stored and processed, and understand where it is located and who has access to it. If the data is deemed irrelevant, it should be deleted on an ongoing basis and the remainder tested in support of the FOI Act and GDPR.