Guidance

Freedom of Information Guidance: Communication by Spreadsheet

Updated 14 December 2023

This guidance has been written for Freedom of Information (FOI) practitioners across central government departments.

Summary

  • Across public authorities, there have been a number of significant recent data breaches as a result of the disclosure of information in the form of improperly redacted or formatted spreadsheets.
  • Any disclosure under FOIA needs to comply with the UK GDPR and Data Protection Act 2018 by ensuring that appropriate security measures are in place to safeguard against inappropriate disclosure of personal data. Failure to implement the steps in this guidance note could expose departments to risks of contravening that duty, and to UK GDPR claims and / or ICO investigations and regulatory action.
  • All FOI requests must be considered on their merits in all circumstances.
  • Where a requester has not expressed a preference for how they would like information communicated to them, departments should use PDF or CSV formats. Cabinet Office strongly recommends that departments do not disclose information via spreadsheets in this scenario.
  • Where a requester expresses a preference for a copy of the information in a particular form, the department must provide the information in line with that preference “so far as is reasonably practicable”.
  • Departments should always take into account their responsibility to protect personal data and other sensitive information when considering whether or not it is reasonably practicable to meet the requester’s preference for communication via a spreadsheet.
  • Where departments do not consider it reasonable to disclose information in the spreadsheet format, departments must write to the requester explaining why.

Purpose of guidance

1. Across public authorities, there have been a number of significant recent data breaches as a result of the disclosure of information in the form of improperly redacted or formatted spreadsheets. This guidance covers the rights of the requester embodied in the Freedom of Information Act 2000 (FOIA) to express a preference for information to be communicated by spreadsheet and the approach departments should take in response to such requests.

2. This is an area of particular concern where the information disclosed in response to FOIA requests is comprised of or built from personal data. Any disclosure under FOIA needs to comply with the UK GDPR and Data Protection Act 2018 by ensuring that appropriate security measures are in place to safeguard against inappropriate disclosure of personal data. Failure to implement the steps in this guidance note could expose departments to risks of contravening that duty, and to UK GDPR claims and / or ICO investigations and regulatory action.

3. In addition to the core duty under Section 1 of FOIA to confirm whether the public authority holds information in response to the request and, where relevant, to disclose a copy of that information, Section 11 of FOIA permits a requester to express a preference as to the means of communication of the information requested under Section 1. That preference should be made at the time of the request.[footnote 1]

4. Section 11 cannot act as a basis for withholding information that should be disclosed under Section 1 of FOIA. It allows the requester to express a preference for a copy of the information “in permanent form or in another form acceptable to the applicant”. “Another form” extends to preferring a particular electronic form, including Excel format.[footnote 2]

5. There is no absolute duty on a department to disclose the information in the form requested; only “so far as reasonably practicable to give effect to that preference”. Section 11(2) specifies that in deciding “as far as reasonably practicable”, the public authority can take into account the cost of complying with the requester’s preference.

6. Where the information in scope of a request is also part of a dataset, then Section 11(1A) of FOIA creates an additional duty on the department to provide the information to the requester in a reusable electronic format. Again though, this is only ‘as far as is reasonably practicable’. The meaning of a dataset is found at Section 11(1A)(5).

Approach to be taken

7. As with any FOI request, the first steps are to consider (1) whether the department holds the requested information, and (2) the extent (if any) to which the department will rely on the exemptions under Part II of FOIA and/or the procedural exemption provisions under sections 12 (cost of compliance) and 14 (vexatious requests) of FOIA. To the extent that a department holds requested information to which exemption provisions do not apply, the following approach should be taken to determine the format in which disclosure is to be made.

Requester specifies no preference for the format of disclosure

8. Where a requester has not stated a preference for the format of disclosure, it is for the department to decide how to communicate information in scope of an FOI request. Departments are encouraged to use PDF or CSV formats. Cabinet Office strongly recommends that departments do not disclose information via spreadsheets in this scenario.

Requester specifies a preference for communication by spreadsheet

9. When making a request, the requester is entitled to specify that spreadsheet is their preferred format in which to be provided with a copy of the information. Departments must consider all requests on their merits in all circumstances. This includes any preference stated under Section 11 of FOIA and whether it is reasonably practicable to disclose the information in the requested form or format.

10. The Cabinet Office strongly recommends that when considering what is reasonably practical, departments give careful consideration to their duties as a data controller and the possibility that disclosure via spreadsheet may result in the inadvertent release of personal data or other sensitive information. We consider that disclosure via spreadsheet carries considerable data protection and security risks. Departments will therefore need to consider whether the actions necessary to prepare a spreadsheet so as to mitigate against those risks would be reasonably practicable within the context of Section 11. Where possible, departments should consider releasing data in alternative formats such as CSV or PDF. CSV is used in the publication of Government transparency data and is machine readable and accessible. Any PDFs issued should be machine readable as far as possible.

11. If, following careful consideration, departments decide that disclosure of data via spreadsheet is reasonable, the policy expectation is that: (1) spreadsheets are tested by those with the technical capabilities to ascertain whether there is any ‘hidden’ material that should not be disclosed; (2) senior colleagues are made aware of this guidance note and the proposal to disclose the requested information in spreadsheet format; and (3) departments should ensure that any disclosure via spreadsheet is reviewed by two separate individuals before a response is sent, which should substantially reduce the risk of any inadvertent disclosure of personal data.

12. The following additional factors should be considered when determining whether it is reasonably practicable to give effect to a preference expressed under Section 11 of FOIA.

If the information is already held in a spreadsheet

13. If the information is already held in a spreadsheet and procedural exemptions (Section 12 or Section 14) do not apply, the department should consider the information sought and whether any of the exemptions in Part 2 of FOIA apply to all or part of the information. In particular, departments need to have regard to the exemption at Section 40 which protects personal data and to their duty as data controllers to process data in accordance with the data protection principles and the UK GDPR.

14. Where all or some of the information is not covered by an exemption then departments will need to consider whether it is reasonably practicable to disclose the information in a spreadsheet. In making this decision, the department should take into account, amongst other things, the following factors in order to reach a conclusion:

  • the resources available, including resources to test the security of the information;
  • the volume of information to be communicated; and
  • the difficulties and risk of providing the information in a spreadsheet without providing information to which the requester is not entitled (i.e. personal information, other exempt information or information outside of scope of the request).

Note this list is not exhaustive.

If the information is held but not in a spreadsheet

15. If the information is held but not in the format of spreadsheet and procedural exemptions (Section 12 or Section 14) do not apply, the department should consider the information sought and whether any of the exemptions in Part 2 of FOIA apply to all or part of the information. In particular, departments need to have regard to the exemption at Section 40 which protects personal data and to their duty as data controllers to process data in accordance with the data protection principles and the UK GDPR.

16. Where all or some of the information is not covered by an exemption then departments will need to look at if it is reasonably practicable to disclose the information as a spreadsheet. In making this decision, in addition to the factors listed in paragraph 14, the department should take into account:

  • the estimated time that would be required to convert the information (if at all) from the file format in which it is held into a spreadsheet.

17. Note that the cost of converting any information held into a spreadsheet cannot be included in calculations of costs for Section 12 of FOIA (which provides a basis for refusing a request altogether). That cost can, however, be taken into account when determining whether it is reasonably practicable to give effect to a preference for disclosure in spreadsheet format under Section 11 of FOIA.

If the information is already accessible

18. It should be remembered that, where the information is already accessible either as a spreadsheet OR in a different format to that preferred by the requester, departments can apply the exemption at Section 21 (Information accessible by other means). Where Section 21 of FOIA applies, Section 11 is not relevant as a preference on format need only be considered in the context of disclosure through FOIA.

Refusal of request

19. Where departments refuse to disclose information in the requested format, they are legally required to write to the requester explaining why. Under the duty to provide reasonable advice and assistance, departments may proceed to ask the requester if they would accept the information in an alternative format to a spreadsheet, such as CSV or PDF, but only insofar as it would be reasonably practicable for the department to offer the information in those formats.

Internal reviews and complaints to the Information Commissioner

20. If a requester challenges a refusal to disclose in their requested format, either through an internal review request and/or a complaint to the ICO, departments should revisit their initial decision. In doing so, they should give weight to the requester’s reasons for disclosure in a preferred format and consider these alongside the factors in paragraphs 13 - 17 above when reaching a final decision on whether it is reasonably practicable to disclose the information in the preferred format.

Disclosure of personal data in error

21. If personal data is disclosed in error in response to an FOI request, this should be reported immediately and in accordance with your departmental data breach process.

Environmental information regulations

22. If departments consider that the information falls for consideration under the Environmental Information Regulations, then they will need to consider their duties under Regulation 6 - form and format. Further advice on the application of this Regulation can be sought from Defra.

Other sources of information

ICO guidance on Means of communicating information (section 11) and How to Disclose Information Safely: Removing personal data from information requests and data sets, available at www.ico.org.uk

Central Digital and Data Office’s advice on ‘Creating and sharing spreadsheets’, available on GOV.UK

  1. W J Bunton v Information Commissioner (EA/2011/0058, 9 March 2012) 

  2. Innes v the Information Commissioner and Buckinghamshire County Council [2014] EWCA Civ 1086