
Why every organisation needs a mature disclosure process
Not all breaches are caused by cyber attacks. In fact, many of the most damaging incidents I see have nothing to do with technical vulnerabilities, and everything to do with how organisations send information out.
That’s why the lack of a mature disclosure process is a major risk for education leaders.
A high-profile lesson
Recently, the Ministry of Defence was in the headlines for one of the most severe data breaches in UK history.
A spreadsheet released under the Freedom of Information Act accidentally contained hidden data, including the names of hundreds of Afghan interpreters who had supported British forces.
In Excel, you can hide rows, hide columns or use pivot tables that don’t show all of their underlying data. Hiding is not removing: unless you strip that data out properly before sharing, it’s still in the file. In this case, lives were put at risk.
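As an added example, not code from the original article, the following script performs the pre-release check that paragraph calls for: it opens an .xlsx package with the Python standard library only and reports hidden sheets, hidden rows and columns, and pivot caches (the part of the file that stores a pivot table’s source records), so that a reviewer can see what is in a spreadsheet beyond what Excel displays. The part names and attributes are the standard SpreadsheetML ones; the sample workbook it builds is constructed for the demonstration and is a minimal package, not a real Excel export.

```python
# Added example: offline audit of an .xlsx file for hidden content before release.
# Reads the Office Open XML package directly; no Excel or third-party module needed.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def _is_true(value):
    # SpreadsheetML booleans may be written as "1" or "true"
    return value in ("1", "true")


def _col_letter(n):
    # Convert a 1-based column index to its Excel letters (3 -> "C", 27 -> "AA")
    letters = ""
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(65 + rem) + letters
    return letters


def audit_xlsx(source):
    """Scan an .xlsx (path or bytes) and return the hidden structures found.

    Hidden sheets, rows and columns are still present in the file, and a pivot
    cache carries a copy of the pivot table's source records, so all of them
    must be removed (not merely unhidden) before the workbook is released.
    """
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {}, "pivot_caches": []}
    data = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    with zipfile.ZipFile(data) as package:
        workbook = ET.fromstring(package.read("xl/workbook.xml"))
        for sheet in workbook.iter(NS + "sheet"):
            # state is "visible", "hidden" or "veryHidden"; absent when visible
            if sheet.get("state", "visible") != "visible":
                findings["hidden_sheets"].append(sheet.get("name"))
        for part in package.namelist():
            if part.startswith("xl/pivotCache/"):
                findings["pivot_caches"].append(part)
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            worksheet = ET.fromstring(package.read(part))
            rows = [row.get("r") for row in worksheet.iter(NS + "row")
                    if _is_true(row.get("hidden", "0"))]
            cols = [f"{_col_letter(int(col.get('min')))}-{_col_letter(int(col.get('max')))}"
                    for col in worksheet.iter(NS + "col")
                    if _is_true(col.get("hidden", "0"))]
            if rows:
                findings["hidden_rows"][part] = rows
            if cols:
                findings["hidden_cols"][part] = cols
    return findings


def is_clear_for_release(findings):
    # True only when no hidden structure of any kind was found
    return not any(findings.values())


def build_sample_xlsx(leaky=True):
    """Constructed sample: a minimal workbook package with just the parts the audit reads."""
    xmlns = NS[1:-1]
    hidden_sheet = '<sheet name="Source" sheetId="2" state="hidden"/>' if leaky else ""
    workbook_xml = (f'<workbook xmlns="{xmlns}"><sheets>'
                    f'<sheet name="Summary" sheetId="1"/>{hidden_sheet}</sheets></workbook>')
    hidden_cols = '<cols><col min="3" max="4" hidden="1"/></cols>' if leaky else ""
    hidden_row = ' hidden="1"' if leaky else ""
    sheet_xml = (f'<worksheet xmlns="{xmlns}">{hidden_cols}<sheetData>'
                 '<row r="1"><c r="A1" t="inlineStr"><is><t>Reference</t></is></c></row>'
                 f'<row r="2"{hidden_row}><c r="A2" t="inlineStr"><is><t>Name</t></is></c></row>'
                 '</sheetData></worksheet>')
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("xl/workbook.xml", workbook_xml)
        package.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        if leaky:
            # the records part of a pivot cache holds the full source data
            package.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                             f'<pivotCacheRecords xmlns="{xmlns}"/>')
    return buffer.getvalue()


if __name__ == "__main__":
    result = audit_xlsx(build_sample_xlsx())
    for category, found in result.items():
        print(f"{category}: {found}")
    print("clear for release:", is_clear_for_release(result))
```

Run it against a real file with `audit_xlsx("response.xlsx")`; a non-empty finding means the workbook should go back to the author for the data to be removed, not simply unhidden, before it leaves the organisation. The check is a complement to Excel’s own Document Inspector, not a replacement for a human reviewer who knows what the file is supposed to contain.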
That example is extreme, but the same pattern appears in less high-profile ways every day:
A spreadsheet shared with the wrong person
An attachment or an email thread containing more than intended
An email sent to an unintended recipient
Once that information leaves your organisation, you’ve lost control of it.
Why disclosure needs governance
A proper disclosure process isn’t just about “being careful.” It’s about having structured checks in place before information is released.
That could mean:
A double-check rule – stop, review the recipient, take five seconds before you hit send.
A peer review process – for sensitive, large scale or potentially contentious disclosures, have two people review before anything goes out.
Data minimisation – only disclose what you need to. The less you disclose, the less chance you accidentally share information you weren’t intending to.
These principles are the same whether you’re responding to a journalist, a student, a Freedom of Information request or a police inquiry. It’s important to know exactly what you’re sending, why you’re sending it and what will happen once it’s out there.
Freedom of Information: transparency with care

The vast majority of UK universities are public authorities, which means they’re subject to the Freedom of Information Act 2000 (FOIA). FOIA has been operational since 2005 and is a cornerstone of transparency, and rightly so. But when you respond to an FOI request, it’s crucial to bear in mind that you are effectively responding to the world at large.
Once the information is released, the requester can put it on the internet, give it to a journalist or share it on social media. If a requester has used the website whatdotheyknow.com, the request and the responses are free for anyone to view, so it’s always useful to check what is already publicly visible from your disclosure logs.
Police requests: know your rights and responsibilities
Another common disclosure scenario is when the police request information. Naturally, many people are conditioned to want to be helpful to the emergency services. But legally, the rules are clear:
Police requests should come in writing.
They must comply with their own data protection obligations under the Law Enforcement Directive set out in Part 3 of the Data Protection Act 2018.
Unless they have a court order, compliance with disclosure requests is voluntary. You are not legally compelled to hand over information just because they ask.
The key is to understand: What do they want? Why do they want it? If it’s not clear, it’s okay to challenge or ask for more information before disclosing.
Why most breaches aren’t technical failures
In my experience, most personal data breaches are not caused by technology failing; they’re caused by leadership and process failures.
When you see a press release saying a breach happened due to “human error,” it often means that at some point there has been a process failure. If a process was unclear, incomplete or lacked the right checks, the real fault lies in leadership.
If you train people well, set out clear steps, and build in checks, those so-called “human errors” become much harder to make.
Putting a mature disclosure process in place
The good news is that this doesn’t need to be expensive or overly complex. Start with:
Clear policy – spell out when information must be double-checked before sending.
Defined roles – know who is authorised to approve different types of disclosure.
Peer review – make it standard for sensitive cases.
Training – not just on data protection law, but on practical disclosure risks like hidden spreadsheet data.
Culture change – make it normal to pause, ask questions and challenge if something doesn’t look right.
It’s a simple fix in principle, but it’s not always easy. You’re asking people to change habits, and that takes persistence.
The bottom line
Whether you’re sending information to a student, a journalist or a police officer, the rule is the same: Know exactly what you’re disclosing, why you’re disclosing it and be confident it’s safe to share.
A mature disclosure process will protect trust in your institution, as well as reduce your risk, and in the education sector, trust is one of your most valuable assets.