How schools can avoid costly FOI mistakes

06 February 2025

It was recently reported that a school inadvertently published a large amount of pupil data when responding to a Freedom of Information Act (FOI) request. In this article we explain what happened, the consequences and how schools can avoid these pitfalls.

It was reported that a spreadsheet was sent in response to a FOI request which contained 85,000 lines of pupil data. This included pupils’ names, date of birth and more sensitive information such as whether the pupils had special educational needs or an Educational Health Care Plan (EHCP).

“The latest in a long history of data breaches”

This incident is the latest in a long history of data breaches occurring as a result of hidden data being revealed in spreadsheets. More recently, the Information Commissioner’s Office (ICO) issued a reprimand to Southend on Sea City Council following its response to a FOI request.

The response was published in a public forum and included a spreadsheet which contained personal data hidden within the file. The spreadsheet was a list of the personal details of council employees and former employees.

The ICO conducted an investigation into the data breach and was concerned that the council staff were not fully aware of the risk of this occurring and did not know how to check a spreadsheet using the ‘Inspect Document’ function within Excel.

The ICO stated that it expected that a public organisation of this type, particularly one that deals with substantial amounts of personal data, would have identified this risk, and implemented steps to prevent an incident of this nature occurring.

Handling FOI requests

We know that schools and trusts have very little time allocated to deal with FOI compliance and are not necessarily always well equipped to deal with requests.

We also know from our work with hundreds of schools and trusts that the number of FOI requests you are receiving is increasing rapidly. Big spikes in requests also coincide with public announcements such as restructures or union action and put schools under even more pressure when resources are already being diverted to deal with the underlying issue.

Our top tips for schools

We want to help schools and trusts avoid these mistakes which can be costly in terms of time, resources and money spent fixing the problem. So, what can be done to help avoid these mistakes from occurring?

Check for hidden content – If you are providing an electronic document, such as an Excel spreadsheet. You can check for hidden data in spreadsheets and pivot tables by exporting the information to CSV files so that it is visible in a simple text format and will show any hidden data. You can also use the ‘Inspect Document’ tool to identify hidden data in Microsoft Office files.
Ensure redactions cannot be reversed - If you have redacted a document electronically, you need to ensure that the redactions have been applied permanently and the information cannot be recovered. Similarly, if you are doing redactions by hand (such as with a black marker pen), photocopy the document and then view it on your screen to ensure you cannot read what is underneath.
Make sure responses are checked - You should always double check your responses prior to disclosing it to the requester. When you have spent a long time reviewing a document it can be difficult to spot errors and responses should be checked prior to disclosing information.
Proactively publish information which is the focus of attention – If you see an increase in requests which relate to a particular matter, consider whether that information can be published online so that you can direct requesters to your website for the information and hopefully will reduce the number of future requests.

In addition, the ICO has previously produced guidance on how to safely disclose information and the National Archives has also published a redaction toolkit on editing exempt information from information held by public bodies.

Summary

We understand that dealing with a spike in FOIs can be daunting and there is time pressure to ensure they are completing, but ensuring these steps are followed through prior to disclosure will ensure you avoid inadvertently causing data breaches and potential regulatory action from the ICO.

Support and resources

From advising on your everyday data protection queries to supporting you with complex issues around breaches, SARs, Data Protection Impact Assessments (DPIAs), compliance audits, or completion and review of documents such as data sharing agreements, we’re here to help.

With our data protection CPD programmes, we’ll help you develop the skills and confidence needed to handle data protection effectively and with our support packs equip you with the resources to do it efficiently.

Find out more