spreadsheet privacy risks blog

How to Mitigate Spreadsheet Privacy Risks

A spate of high-profile data leaks in the UK has highlighted the security and privacy risks of using spreadsheets. The incidents were so serious that privacy regulator the Information Commissioner’s Office (ICO) was forced to step in. Yet they also provide learning opportunities for firms. Best practices recommended by the ICO and codified in standards like ISO 27001 can go a long way to mitigating these risks.

What Happened?

Last December, a Cambridge-based NHS trust confirmed that two data breaches had occurred when it responded to Freedom of Information (FoI) requests by disclosing patient data in Excel spreadsheets.

Similarly, a large spreadsheet exposed the personal details of officers and staff serving in the Police Service of Northern Ireland (PSNI). The online-accessible spreadsheet included sensitive information such as officers’ names, rank and location, seriously compromising their safety.

How Pivot Tables Were to Blame

Pivot tables are described by Microsoft as one of Excel’s most powerful features, designed to enable users to see “comparisons, patterns, and trends” in data. However, they can also be a security risk, according to Maria Opre, a cybersecurity expert and senior analyst at EarthWeb.

First, they allow users to aggregate large datasets. While that may seem harmless, Opre tells ISMS.online that summarising and combining large bulks of information makes it easier to share and view sensitive details. The fact that pivot tables are often linked to other databases and information sources is another cause for concern.

“This raises risks if the right security steps aren’t taken because private details could get exposed,” she adds

Pivot tables can also increase the visibility of sensitive information and potentially result in data breaches. She explains: “Pivot tables might accidentally show more data than intended, especially with complex data sets. This can lead to accidental exposure of confidential info.”

Matt Aldridge, principal solutions consultant at OpenText Cybersecurity, agrees that pivot tables are problematic, arguing that they’re complex by design and don’t always make data clear to users. Consequently, they may only be able to see a small subset of data when there’s actually more stored in the spreadsheet.

“Microsoft Office files are actually stored in zip compressed format, contain many files and often include undo information showing the history of all changes to the document during its lifecycle – this can also lead to serious data loss,” he tells ISMS.online.

Jake Moore, global cybersecurity advisor at ESET, tells ISMS.online that FoI requests “are often laborious in their requirements and therefore mistakes occur”.

The ICO’s Advice

Following the incidents highlighted above, the ICO published guidance on how public authorities (PAs) in the UK can avoid similar incidents in the future. It warns that spreadsheets “present practical challenges and risks of the inadvertent disclosure of personal information which may not be evident from a cursory look at the spreadsheet.”

With these challenges in mind, the ICO set eight key recommendations for public authorities to follow when using spreadsheets. The first involves implementing a moratorium for users looking to upload original source spreadsheets to online platforms when responding to FoI requests.

The ICO also recommends using open, reusable text formats like Comma-Separated Value (CSV) files. PAs should refrain from using spreadsheets with large numbers of rows – particularly if they are in the hundreds or thousands – and use data management systems to secure sensitive information, it adds.

For employees using data software and disclosing sensitive information, public authorities must provide sufficient training – perhaps informed by relevant guidance issued by ICO.

However, public authorities must continue complying with FOIA responsibilities, with ICO warning that its advice isn’t “an extra reason to not publish information as a PA”. The ICO also recommends ensuring spreadsheets don’t expose data unexpectedly if there’s a need to maintain the original version for preserving macros and equations.

Finally, the ICO urges public bodies to share sensitive data using the “most appropriate and secure format”, which may involve transferring information from one file format to another. The UK government also provides advice on the creation and disclosure of spreadsheets.

Following Industry Best Practices

Cybersecurity experts recommend a range of best practices, in addition to following the ICO’s guidance.

OpenText’s Aldridge advises using a data security platform – alongside policies, staff training and a cyber resilience strategy – to mitigate data leaks. He says these steps will allow PAs to “operate safely” in a fast-evolving cybersecurity threat landscape.

Ilia Sotnikov, security strategist and VP of user experience at Netwrix, says organisations can reduce human error when disclosing sensitive information, by enforcing a stringent review process.

“The person preparing the requested content should not be able to send it to the requester without approval,” he tells ISMS.online. “Just like an airplane pilot cannot decide to take off, a workflow of checks and cross-checks should be in place to ensure this data is ‘safe to fly’.”

ESET’s Moore adds that PAs can avoid disclosing information accidentally by encrypting sensitive data and ensuring only authorised employees can view it.

“These measures collectively help in safeguarding sensitive information,” he argues.

By following industry standards such as ISO 27001, Moore says organisations can lower the chance of data breaches caused by human error. He explains that ISO 27001 sets out a range of data protection procedures and policies as part of a comprehensive information security framework, but warns that it is “not foolproof against all types of errors or breaches”.

EarthWeb’s Opre also supports industry frameworks such as ISO 27001, as they enable organisations to manage sensitive information robustly and avoid data breaches caused by poor data privacy practices. She also recommends regularly reviewing data processes to identify any hidden flaws and ensure everyone within the organisation follows security rules.

Spreadsheets are a quick and easy way to share important information, but as recent data breaches in the UK have demonstrated, they have some critical data privacy drawbacks. What’s clear is that by following ICO guidance, industry best practices and standards like ISO 27001, organisations can use spreadsheets and other data sharing methods in a safe and secure manner.

Explore ISMS.online's platform with a self-guided tour - Start Now