Disclosing documents to the public securely: hidden personal information and how to avoid an accidental breach

You are responsible for complying with your obligations under the UK GDPR and Data Protection Act 2018 (DPA 2018) and, where relevant, other information rights legislation, including the Freedom of Information Act 2000 (FOIA). Whilst we make every effort to make sure this guidance is accurate at the time of publication (31 July 2025), we make no guarantees or representations that it will remain up-to-date or ensure compliance. Where appropriate, seek further guidance or advice before disclosing information in the specific circumstances. If you would like to suggest improvements to this guidance, please leave us feedback.

Latest updates - 31 July 2025

31 July 2025 - this guidance was published

About this guidance

This guidance will help you to ensure that when you disclose documents to the public, you do so securely, minimising the risk of accidental breaches of personal information. By protecting personal information, you protect people from harm and secure the trust and confidence all organisations need to thrive and grow.

It contains practical steps to help you check documents for hidden personal information and to remove or redact it, where appropriate. It also contains guidance to help you consider an appropriate format for disclosure. It includes ‘how to’ videos and checklists to support the development of your own policies, procedures and training.

The guidance will help you in any scenario where you need to check documents for hidden personal information before disclosing them to the public or a specific member of the public. For example, if you are:

  • publishing documents online;
  • sending a document to a customer; or
  • responding to an information request (eg organisations may disclose documents to a specific member of the public when responding to a subject access request (SAR) under data protection legislation, and public authorities may disclose documents to the wider public under the Freedom of Information Act 2000 (FOIA)).

This guidance is designed for organisations processing personal information under the UK GDPR to help address the risks of disclosing documents containing hidden personal information to the public. However, the practical advice it contains about checking documents will help you minimise the risk of accidental breaches in any situation where you are disclosing or sharing documents.

This guidance does not seek to cover all the issues to consider before disclosing or sharing personal information. You are responsible for complying with your obligations under the UK GDPR and DPA and, where relevant, other information rights legislation. This includes ensuring you:

  • comply with the data protection principles and only disclose personal information if you can do so lawfully, fairly and transparently;
  • comply with individual rights; and
  • consider, where relevant, other ICO guidance to help you disclose or share personal information appropriately (eg the Data Sharing Code of Practice covering data sharing between organisations).

This guidance includes examples of accidental breaches that might happen when disclosing documents and ways to reduce the risks. To make sure it is clear and practical, the guidance includes examples of commonly used Microsoft software and supporting videos. It also refers to third party websites containing additional guidance, such as Microsoft Support. Please note we are not responsible for the content of external websites, including whether, or how often, they are updated.

Whilst we make every effort to make sure our guidance is accurate at the time of publication (31 July 2025), we make no representations or guarantees that it will remain up-to-date or ensure compliance. Where appropriate, seek further guidance or advice about the specific circumstances before disclosing information.