Do you have control of your data? 6 tips for avoiding a data breach when handling FOIs

Last month, Central Bedfordshire Council referred itself to the ICO. This followed the council’s publication of the personal details of dozens of special educational needs and disabilities (SEND) pupils as part of an FOI response.

Whilst there could be many reasons why this breach occurred, it highlights the need for all organisations to continually review their procedures, ensure that their staff know them and make sure they have the right tools and controls to manage and process FOIs securely.

Here are our 6 tips for avoiding a data breach when handling FOIs:

Ensure documents are redacted properly

Using a tool that redacts to the National Archives’ standards means you can be assured that redacted information cannot be recovered and important data fragments, such as the document author, will be removed. It may also be more appropriate to use a summary. If large amounts of withheld information make the document unreadable or meaningless, then you should consider whether to share the document in the first place. The FOI Act allows a summary of a document to be prepared in some circumstances, for instance where the level of redaction makes the document unreadable or difficult to follow.
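A pre-release check for the data fragments mentioned above, as an added example rather than part of the original article or any redaction product: it opens a Word file as the ZIP package it is and reports the author fields and, going one step beyond the author example, text from tracked deletions and a comments part. The sample file is a constructed minimal package, and `residual_data` and `build_sample` are hypothetical names.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

def residual_data(docx_bytes):
    """Return {finding: value} for data that survives outside the visible text."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for label, path in (("author", "dc:creator"),
                                ("last_modified_by", "cp:lastModifiedBy")):
                value = (core.findtext(path, default="", namespaces=NS) or "").strip()
                if value:
                    found[label] = value
        if "word/document.xml" in names:
            body = ET.fromstring(z.read("word/document.xml"))
            # Tracked deletions keep the removed words in w:delText elements.
            deleted = "".join(t.text or "" for t in body.iterfind(".//w:delText", NS))
            if deleted:
                found["tracked_deletions"] = deleted
        if "word/comments.xml" in names:
            found["comments_part"] = "present"
    return found

def build_sample(author, deleted_text):
    """Constructed minimal package (not a complete .docx) used as sample input."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{author}</dc:creator></cp:coreProperties>')
    deletion = (f'<w:del><w:r><w:delText>{deleted_text}</w:delText></w:r></w:del>'
                if deleted_text else "")
    doc = (f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
           f'<w:r><w:t>Pupil attends the unit.</w:t></w:r>{deletion}'
           f'</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

print(residual_data(build_sample("A. Officer", "Jo Bloggs")))
```

An empty result only means these particular fragments are absent; it does not show that the visible redactions themselves are sound.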

Have a release checklist and READ everything before you release it

Make sure you have a checklist for document release and ensure it contains the core things you need to search for in each instance. If part of what you are redacting is personal data, then include names, addresses and @ symbols, but also make sure you look for all of the locations mentioned related to the data subject. Most of all, read everything that you are releasing, before you release it.
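The search part of such a checklist can be scripted. The following is an added example, not part of the original article: it scans extracted text for email addresses, stray @ symbols, postcode-shaped strings and a per-case list of names and locations. The sample text and terms are constructed, the postcode pattern is a simplified assumption, and `scan_for_release` is a hypothetical name.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Simplified UK postcode shape (assumption: a screening pattern, not a validator).
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I)

def scan_for_release(text, case_terms):
    """Return sorted (line_no, category, matched_text) findings.

    case_terms: names, addresses and locations tied to the data subject,
    supplied by the case handler for this specific request.
    """
    # Allow any run of whitespace between the words of a term, ignore case.
    term_res = [
        re.compile(r"\b" + r"\s+".join(map(re.escape, t.split())) + r"\b", re.I)
        for t in case_terms if t.strip()
    ]
    findings = set()
    for no, line in enumerate(text.splitlines(), start=1):
        emails = list(EMAIL_RE.finditer(line))
        for m in emails:
            findings.add((no, "email", m.group()))
        # Flag an "@" that is not part of a full address already reported.
        for m in re.finditer("@", line):
            if not any(e.start() <= m.start() < e.end() for e in emails):
                findings.add((no, "at-symbol", line.strip()))
        for m in POSTCODE_RE.finditer(line):
            findings.add((no, "postcode", m.group()))
        for rx in term_res:
            for m in rx.finditer(line):
                findings.add((no, "case-term", m.group()))
    return sorted(findings)

# Constructed sample: a draft response after a first redaction pass.
SAMPLE = """\
Pupil [REDACTED] attends the unit on a part-time timetable.
Transport is arranged from Example Lane, AB1 2CD each morning.
Queries to j.bloggs@example.org or parent (@ work before 3pm).
The Example  Primary School SENCO attended the review.
"""
TERMS = ["Example Lane", "Example Primary School", "Jo Bloggs"]

for finding in scan_for_release(SAMPLE, TERMS):
    print(finding)
```

The term "Jo Bloggs" produces no hit even though "j.bloggs" appears in the email address, which is why the scan supports the read-through and does not replace it.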

Do you have good control/oversight of your data?

Are you able to manage all of your cases in one central place, or do you use a combination of emails, spreadsheets, and document management to process your FOI cases? Having greater control of your data means being able to know where all of your information is held and having it all located in one central location. If your data is held across several different locations and systems, the chance of it going missing or being displayed in the wrong place becomes greater.

Setting permissions and controls

There are often several people involved in the dissemination, production, review and response for an FOI request. At each of these points, there is the opportunity for errors to happen. By keeping each role in its own line of work and not allowing it to cross over into others, the possibility of error is significantly reduced. Ensure you have appropriate permissions set up for each role so that each person can only see the things they need to see and perform the actions they need to perform. Make sure that all of your documents are set, by default, to not be releasable or attachable, so that conscious processes/actions need to take place prior to release and only certain people have privileges to release that information.

Review stages

By using best practice processes, you can ensure that relevant quality assurances are requested for your FOI response and that the appropriate person/level/team is able to sign off the response. Simply put, the more thorough and detailed the sign-off and review stage, the lower the chance of a data breach.

Learn from mistakes - but not just your own

Conduct lessons learned reviews and have a process for them - they are a great way to ensure that you fully understand the breach and put appropriate preventative measures in place for the future. The trick is that you don’t just have to learn from your own mistakes - you can learn from those made by others too! Ask yourself how your organisation would handle various situations. If you don’t have an answer, you have a golden opportunity to address it before it becomes a problem.

Inevitably, even with the best processes and procedures in place, data breaches can and will happen. By adopting the suggestions above, you’ll reduce their impact and their frequency.

Have we missed any other tips for preventing data breaches? Let us know in the comment section below.

If you'd like to find out more about how we help public sector organisations gain greater control and oversight of their data whilst creating valuable efficiency gains, talk to us today.
