The UK Information Commissioner’s Office releases updated guidance to prevent accidental data breaches in public disclosures
New measures aim to reduce risks when sharing documents containing hidden personal information
The UK Information Commissioner’s Office (ICO) has published new guidance to help organisations prevent accidental data breaches when disclosing documents to the public. The updated resource includes practical advice, checklists, and instructional videos aimed at reducing the risk of revealing hidden personal information, particularly in commonly used formats like spreadsheets and word processing files.
The guidance is intended for both public and private sector organisations that routinely share documents—whether through Freedom of Information (FOI) responses, Subject Access Requests (SARs), or general public disclosures. It replaces earlier materials issued in the wake of several high-profile breaches in 2023 and is now the most comprehensive advice available from the regulator on this topic.
According to the ICO, personal information can often remain hidden in documents through elements such as metadata, hidden rows and columns, or redaction errors. If not identified and removed properly, these details may be inadvertently disclosed, sometimes with significant consequences. Recent breaches involving the Police Service of Northern Ireland and the Ministry of Defence have underscored the importance of thorough document checks before publication.
Emily Keaney, Deputy Commissioner at the ICO, stressed the need for robust procedures:
“We have seen a number of serious data breaches… which have involved documents being disclosed without proper checks for hidden personal information – this crucial step cannot be missed.”
The guidance includes instructions on choosing appropriate document formats for disclosure, using built-in tools such as Microsoft’s Document Inspector, converting complex files to simpler formats, and reviewing the circumstances of past breaches to prevent recurrence. It also advises against relying on unreliable redaction techniques and emphasises proper staff training.
Why does it matter?
This update is especially relevant following the enactment of the Data (Use and Access) Act on 19 June 2025, which further tightened expectations around data handling and transparency. While the current guidance remains valid, it may be updated to reflect any legal changes.
Accidental data breaches can have serious consequences for individuals, including exposure of sensitive personal details and long-term harm to their privacy and safety. The new guidance helps reduce these risks, supporting safer information-sharing practices and increasing accountability across sectors. For civil society, it strengthens public trust in institutions that handle personal data and reinforces legal protections under data protection law. In a digital environment where large volumes of documents are regularly disclosed, taking steps to avoid unintended disclosures is essential for maintaining privacy rights and preventing misuse of information.
