When Royal Cornwall Hospital responded to a routine Freedom of Information request in 2023, they had no idea they were about to expose sensitive staff data to the public. The hospital recently apologized after discovering that a spreadsheet published on their website contained hidden sickness absence data for 8,100 current and former employees spanning three years. The breach wasn’t discovered until someone accessing the file brought it to the hospital’s attention, meaning the confidential information sat publicly available for an extended period.

This incident serves as a stark reminder that even well-intentioned compliance with information requests can go disastrously wrong when proper safeguards aren’t in place.

The Metadata Problem: What You Don’t See Can Hurt You

The Royal Cornwall case exemplifies a critical vulnerability that many organizations overlook: hidden data in electronic documents. Spreadsheets, Word documents, and PDFs routinely contain metadata, hidden columns, tracked changes, embedded comments, and deleted content that remains recoverable. In Cornwall’s case, staff absence information was lurking in the spreadsheet despite not being visible in the normal view.

When employees aren’t specifically trained to identify and scrub these hidden fields before responding to information requests, they may unwittingly disclose trade secrets, personnel matters, or protected personal information. A document that appears appropriate to share on the surface might contain embedded discussions of confidential business strategy, salary negotiations, or sensitive health information that could harm the organization or violate privacy rights.

The same risks exist with email correspondence. An employee responding to a document request might forward an email thread without carefully reviewing the entire string. What appears appropriate at the top might be fine, but buried further down could be discussions of unrelated confidential matters or protected information. Once disclosed, that information cannot be retrieved.

Not All Requests Deserve Blanket Compliance

Even when faced with what appears to be a legally mandated request, organizations have both the right and the responsibility to evaluate whether the scope is appropriate.

Consider the attorney representing a former employee in a car accident case who demands “the entire personnel file and all medical records.” Does that lawyer truly need every performance review, every disciplinary action, and every medical claim the employee ever submitted? Probably not.

While federal and state laws may authorize, permit, or even require certain disclosures in specific circumstances, these laws typically don’t mandate blanket disclosure of everything requested. Organizations can and should push back when requests seem overbroad or when the stated purpose doesn’t align with the scope of information demanded. Understanding the basis and genuine need behind each request isn’t obstructionist—it’s prudent stewardship of sensitive information.

Building a Defensible Position Through Policy and Training

Royal Cornwall Hospital’s response to their breach demonstrates both the immediate damage control required and the long-term changes necessary. They reported the incident to the Information Commissioner’s Office, removed the spreadsheet, suspended their disclosure log for review, and implemented new processes to ensure spreadsheet files are “fully disabled” before any FOI disclosure. They also introduced additional data handling checks.

But these measures came after affecting thousands of people. The key to protecting your organization lies in being deliberate and systematic before a breach occurs. This starts with developing written policies and protocols that clearly outline how information requests should be handled, who has authority to respond, and what review processes must occur before disclosure.

Regular training is equally essential. Employees need to understand not just the technical aspects of scrubbing metadata and reviewing documents, but also the legal and ethical dimensions of information disclosure. They should know when to escalate requests to legal counsel or management, and they should feel empowered to question whether a request is reasonable. Data minimization principles and practices (including under the CCPA) apply not only to data collection and retention, but also disclosure.

When an inadvertent disclosure does occur, having documented policies and evidence of regular training significantly strengthens an organization’s defensible position. It demonstrates the presence of reasonable precautions, which can be crucial in limiting liability and maintaining trust.