DATE: Thu 19 May 2016
BY: Stephen Aldridge
Blackpool Teaching Hospitals NHS Foundation Trust has been fined £185,000 by the Information Commissioner under the Data Protection Act 1998.
The Trust is required to publish equality and diversity metrics annually on its external website. It inadvertently published confidential data in a spreadsheet, which remained on the website for 11 months before being taken down.
And how can you stop it happening to you?
The spreadsheet contained a pivot table that summarised the data about people who had worked at the Trust in the past. At first glance, the summarised data visible in such a table doesn’t provide any detail, but it is incredibly easy to find all the detail behind the summary data, even if the pivot table has been exported to another workbook. In this case, the workbook included sensitive data about pay scale, ethnicity, religious belief and sexual orientation. The video on our YouTube channel shows how easy it is to get at the ‘hidden’ data.
Double-clicking a cell in a pivot table creates a new worksheet with all the detail relating to that category of the pivot table. This is because the ‘Pivot Cache’ is stored in the workbook along with the pivot table, and it contains all the data from the original data source. This happens even if the pivot table is saved in a new workbook, separate from the data used to create it.
There has been a lot of debate on forums about where the fault lies with the Blackpool NHS Trust – the consensus is that this is not a problem with Excel itself but a management and training problem. The Commissioner found that the Trust did not provide the team with any (or adequate) training on the functionality of Excel spreadsheets or possible alternatives and that the web services team had no guidance to check the spreadsheets for hidden data before uploading them.
This case illustrates just one of the many ways that hidden and possibly sensitive data can be retrieved by someone with the right skills. In this case not much skill is required – the data was accidentally discovered by double clicking on the pivot table.
If you publish a spreadsheet on a website, you risk publishing confidential data unintentionally. The safest way to publish spreadsheet data is as a PDF, but if it is important for users to be able to interact with the spreadsheet, you really need an expert to check the workbook for data that you don’t want to distribute.
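One way to automate part of that check before upload, as an added example that is not from the original article: an .xlsx file is a zip archive, and a saved pivot cache appears inside it as `xl/pivotCache/pivotCacheRecords<N>.xml` parts holding one `<r>` element per source row. The function and sample-builder names are hypothetical, and the sample workbook is a constructed skeleton, not a real Trust file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
RECORDS = re.compile(r"xl/pivotCache/pivotCacheRecords\d+\.xml$")

def find_pivot_cache_records(xlsx):
    """Return {part_name: row_count} for every cached pivot source in the workbook.

    `xlsx` is a path or a binary file object. A non-empty result means the
    file carries a copy of the pivot table's source rows.
    """
    found = {}
    with zipfile.ZipFile(xlsx) as z:
        for name in z.namelist():
            if RECORDS.search(name):
                root = ET.fromstring(z.read(name))
                found[name] = len(root.findall(NS + "r"))  # one <r> per source row
    return found

def build_sample_workbook(with_cache):
    """Constructed sample: a skeletal .xlsx-like zip, with or without cached rows."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_cache:
            rows = "".join('<r><s v="Band %d"/><n v="%d"/></r>' % (i, i)
                           for i in range(3))
            z.writestr(
                "xl/pivotCache/pivotCacheRecords1.xml",
                '<pivotCacheRecords xmlns="http://schemas.openxmlformats.org/'
                'spreadsheetml/2006/main" count="3">' + rows + "</pivotCacheRecords>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for label, sample in (("summary only", build_sample_workbook(False)),
                          ("with pivot cache", build_sample_workbook(True))):
        hits = find_pivot_cache_records(sample)
        print(label, "->", "BLOCK PUBLICATION" if hits else "ok", hits)
```

A clean result covers only the pivot cache; hidden sheets and other leftover data need their own checks.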
Call us on 08458694960 if you are worried about these risks – we’ll be happy to talk it through with you.
Stephen is a Chartered Management Accountant and has over ten years of financial modelling experience both at KPMG and Deloitte. His early career included engineering, sales and corporate management roles. In 2004, Stephen joined Numeritas as a co-owner and a Managing Director.