How do we avoid an accidental breach when personal information is hidden in spreadsheets?

In detail

• How do we avoid an accidental breach when personal information is hidden in spreadsheets?
• What ineffective techniques might people use to keep personal information in spreadsheets secure?
• What are the risks of using ineffective techniques to keep personal information secure?
• How do we reduce the risk of people using ineffective techniques to keep personal information secure?
• What are hidden rows, columns and worksheets?
• Why is there a risk when using hidden rows, columns and worksheets?
• How do we reduce the risk of hidden rows, columns and worksheets?
• What is a filter?
• Why are filters a risk?
• How do we reduce the risk of filters?
• What are software features designed to summarise large amounts of information?
• Why is there a risk when using features designed to summarise large amounts of information?
• How do we reduce the risk of using features designed to summarise large amounts of information?
• What are links to external sources?
• Why are links to external sources a risk?
• How do we reduce the risk of links to external sources?
• What is embedded information?
• Why is embedded information a risk?
• How do we reduce the risk of embedded information?

How do we avoid an accidental breach when personal information is hidden in spreadsheets?

You must:

• have appropriate data protection policies and procedures to help staff disclose information in spreadsheets securely and respond to accidental breaches effectively;
• keep personal information secure in spreadsheets using appropriate methods (eg passwords and secure redaction techniques) (see How do we avoid an accidental breach when redacting information?); and
• comply with relevant obligations under information access and data protection legislation, if you need to remove personal information from a spreadsheet or consider an appropriate format in which to disclose it.

You should:

• give staff appropriate data protection training about disclosing information in spreadsheets securely and how to report breaches, including induction and regular refresher training;
• avoid using ineffective techniques to keep information in spreadsheets secure. For example, don’t:
  • hide rows, columns and worksheets;
  • move personal information into remote columns or rows; or
  • use passwords that only prevent others editing or using a worksheet or workbook, instead of a strong file-level password that prevents access.
• check information in spreadsheets appropriately before disclosing them, considering the circumstances, including the risk of harm if the information was accidentally disclosed; and
• know how to remove and redact personal information effectively, when appropriate (see How do we avoid an accidental breach when redacting information?), including:
  • information (and any cache or temporary store of information) in features designed to summarise large amounts of information (eg pivot tables and pivot charts in Microsoft Excel);
  • information (including any cache) in links to external sources (eg links to external workbooks in Microsoft Excel); and
  • embedded information (eg data models in Microsoft Excel).

Other practical measures you could take include:

• raise awareness within your organisation that there is, in general, a greater risk of accidentally disclosing hidden personal information in spreadsheets;
• use software tools, where available, designed to help you find (and remove where possible and appropriate) various types of hidden personal information, including:
  • hidden rows, columns and worksheets;
  • active filters;
  • features designed to summarise large amounts of information;
  • embedded information; and
  • links to external workbooks.
• consider using data management systems, where possible, to make it easier to handle personal information securely and avoid very large spreadsheets;
• convert spreadsheets, where appropriate, to simpler formats (eg csv files) to reveal all the displayable information (see How does converting documents to simpler formats help us identify hidden personal information?);
• check the file size is not larger than you would expect for the volume of information you intend to disclose; and
• use a retention schedule to help you identify when to remove or delete personal information permanently.

What ineffective techniques might people use to keep personal information in spreadsheets secure?

People may try to hide personal information in spreadsheets to keep it secure using ineffective techniques, such as:

• hiding rows, columns and worksheets
• moving personal information into remote columns or rows; and
• using passwords that only prevent editing or using a spreadsheet, instead of a strong file-level password to prevent access. 

What are the risks of using ineffective techniques to keep personal information secure?

Ineffective techniques may prevent information from being immediately obvious or appearing on a printed version of the document. However, the information is still contained in the electronic document. This creates a risk that people may disclose information without realising it. Recipients of a document can reveal the information easily (eg unhiding the rows or columns).

When information is hidden using ineffective techniques, it may also be more difficult to identify using software tools. For example, Document Inspector in Microsoft software cannot detect information that is hidden by moving it to remote rows or columns in a spreadsheet (see How do software tools designed to check documents help us avoid accidental breaches?). 

There are passwords for different purposes (eg to restrict editing and use). Only strong file-level passwords prevent someone from opening a file. Sometimes, people wrongly believe that information in a spreadsheet cannot be opened because they have used a password for another purpose. This may result in information being disclosed in a spreadsheet that is not properly protected.

How do we reduce the risk of people using ineffective techniques to keep personal information secure?

If you need to restrict access to information within a document, you must control access using appropriate methods (eg passwords and secure redaction techniques) (see How do we avoid an accidental breach when redacting information?). Hiding personal information using ineffective techniques (eg hiding rows and columns) is not an appropriate way to keep it secure. 

You should check documents appropriately for hidden personal information before disclosing them. You should know how to find (and remove where appropriate) personal information hidden by ineffective techniques. For example, you could scroll through the rows, columns and worksheets.

Software tools designed to help you check documents for personal information may be able to detect some, but not all, hidden personal information. For example, Document Inspector in Microsoft Excel cannot identify when personal information is hidden in remote rows and columns. However, to help you check for hidden information, you could convert the spreadsheet to a simpler format (see How does converting documents to simpler formats help us identify hidden personal information?).

If you only want to control printing, you could consider whether you are able to set a print area. You can do this if you are using Microsoft Excel, for example.

What are hidden rows, columns and worksheets?

Spreadsheets may contain multiple rows, columns or worksheets. It may be possible to hide and unhide rows, columns or even entire worksheets, so that they remain in the document without being visible. For example, this is a commonly used feature in Microsoft Excel.

Personal information in rows, columns or worksheets may also be hidden simply because it is not immediately visible on the screen. Spreadsheets can contain many rows and columns, accessed by scrolling down or to the right or left of the visible content. There may also be multiple worksheets, which are not immediately visible. For example, in Microsoft Excel, additional worksheets are sometimes indicated by three small dots at the bottom of screen.

Why is there a risk when using hidden rows, columns and worksheets?

Hidden rows, columns and worksheets create a risk that people may disclose personal information without realising it is there. A recipient may be able to reveal the information easily by unhiding the rows, columns or worksheets in the workbook, moving along the rows or clicking on additional worksheets.

How do we reduce the risk of hidden rows, columns and worksheets?

You should check documents appropriately for hidden personal information before disclosing them. You should know how to identify hidden rows, columns and worksheets in spreadsheets and how to remove them, where appropriate.

To help you find and remove hidden information, you could use a software tool (see How do software tools designed to check documents help us avoid accidental breaches?) or convert the file to a simpler format (eg csv) (see How does converting documents to simpler formats help us identify hidden personal information?).

What is a filter?

Spreadsheet software may have filter features allowing you to find, show or hide information. For example, you can add a basic auto filter in Microsoft Excel that inserts a drop-down filter into your spreadsheet. By selecting it, you can tick the information you want to display. Your software might also include more advanced options, including ways to filter tables and charts (eg a slicer or timeline in Microsoft Excel).

Why are filters a risk?

When you filter information, you can hide information (eg an entire row) from a spreadsheet depending on the filtering criteria selected. You may disclose information accidentally if you do not notice an active filter. The recipient can reveal the information easily by adjusting, clearing or removing filters.

Some more advanced features allowing you to filter information may also save a cache of information in your document. A ‘cache’ is a temporary store of information. However, you may not realise this information is saved in your document and accidentally disclose personal information inappropriately.

How do we reduce the risk of filters?

You should check for hidden personal information before you disclose a document. You should know how to identify filters and how to turn them off or remove them, where appropriate.

To help you find and remove hidden personal information, you could use software tools (see How do software tools designed to check documents help us avoid accidental breaches?) or convert your document to a simpler file format (see How does converting documents to simpler formats help us identify hidden personal information?).

What are software features designed to summarise large amounts of information?

The spreadsheet software you are using may enable you to summarise large amounts of information quickly using certain features. For example, in Microsoft Excel, you can summarise information using Pivot tables and Pivot charts. Pivot charts are linked to Pivot tables and create visual information or graphs based on a Pivot table summary of selected information. 

What are the risks of features designed to summarise large amounts of information?

When you use spreadsheet software to summarise large amounts of information, it might remain linked to the source information. If you do not realise the information is there, you may disclose it accidentally. For example, a Pivot table and Pivot chart in Microsoft Excel remains linked to its underlying information source, even if you have copied it into a new workbook, deleted a worksheet containing the information or attempted to redact a table summary by removing columns or rows. A recipient may be able to access it easily with a few clicks.

Software features designed to summarise large amounts of information may also save a cache (or temporary store of information) in your spreadsheet. For example, Microsoft Excel saves a cache of information when you use Pivot tables and Pivot charts, slicers or cube formula.

How do we reduce the risks of features designed to summarise large amounts of information?

You should check for hidden personal information before you disclose any document. You should know how to identify features designed to summarise large amounts of information in spreadsheets, and how to remove them where necessary.

To help you find these types of features, you could use software tools (see How do software tools designed to check documents help us avoid accidental breaches?) or convert files to a simpler format (see How does converting files to simpler formats help us identify hidden personal information?). 

What are links to external sources?

Spreadsheet software can link to external sources of information so you can use that information in your spreadsheet. For example, there are various functions in Microsoft Excel that allow you to link to information in other workbooks (eg the Vlookup function). Such features may store a cache of the information you have linked to within your workbook. This enables an external link to continue working to some extent, even if you delete the external source and send the information to an external device outside your organisation.

Why are links to external sources a risk?

Links to external sources in spreadsheets create a risk of a breach if you do not realise what personal information is stored in your document. This might happen if there is personal information in the name of the external source you have linked to, or if a cache of information is stored in the spreadsheet. Alternatively, you may incorrectly believe that deleting the external source removes the cache.

How do we reduce the risks of links to external sources?

You should check documents appropriately for hidden personal information before you disclose them. You should know how to identify links to external sources and how to remove them (and any cache), where appropriate.

To help you find external links, you could use software tools (see How do software tools designed to check documents help us avoid accidental breaches?) or convert to a simpler file format (see How does converting documents to simpler formats help us identify hidden personal information?). 

What is embedded information?

Spreadsheet software may allow you to embed information into your spreadsheet that is imported from external sources. For example, in Microsoft Excel, you can also import and integrate two or more external sources of information to create a data model (eg workbook, text file, website, Microsoft Access, SQL server or another relational database (containing multiple related tables)). You can also use a data model with other features that summarise large amounts of information (eg Pivot tables and Pivot charts in Microsoft Excel).

Why is embedded information a risk?

You might disclose information from an embedded external source accidentally if you do not realise it is there. A recipient may be able to reveal the source information easily. The embedded information becomes part of the file you insert it into (rather than being linked to another information source that is updated if the information changes). If you disclose a file containing embedded information, such as a data model, the recipient can view it without having access to the original information source.

How do we reduce the risk of embedded information?

You should check documents appropriately for hidden personal information before you disclose them. You should know how to identify if there is embedded information in your spreadsheet and how to remove it, where appropriate.

To help you identify a data model, you could use software tools (see How do software tools designed to check documents help us avoid accidental breaches?) or convert to a simpler file format (see How does converting documents to simpler formats help us identify hidden personal information?).