InfoLaw Update - Inadvertent Breaches of the Data Protection Act on the Rise
The Information Commissioner’s Office has raised concerns in relation to the use of Microsoft Excel data sets and pivot tables and the fact that storing data in this way has led to multiple occasions of inadvertent disclosure of personal data in breach of the Data Protection Act 1998.
A pivot table is the name given to a table of information normally set out in Microsoft Excel. It contains what is referred to as a dataset which can include any information at all but, more often than not, it will contain personal data that should not be disclosed under the Data Protection Act 1998.
One might think that a cleverly constructed table in Microsoft Excel, a spreadsheet programme, with all the potential personal data deleted from it will solve the problem and allow the respondent to a Freedom of Information Act request to respond in an organised manner and stay within the remit of the Data Protection Act.
However, it has recently come to light that, if the personal information is simply deleted from the original document, Microsoft Excel and other spreadsheet programmes will automatically retain a copy of this data saved as ‘source data.’ Therefore the respondent to a Freedom of Information request could diligently delete all of the data that they perceive to be personal or sensitive personal data but still unknowingly disclose it to the requestor.
This is because all the requestor has to do to retrieve the personal data is double click on the pivot table, and the deleted source data will be revealed. As a result, the respondent will have inadvertently breached the Data Protection Act. Requestors commonly ask for the information they have requested under the Freedom of Information Act to be sent back to them as an Excel spreadsheet. Extra care needs to be taken when this is asked for.
This could of course occur in the private sector as well as the public sector, with companies sharing potentially sensitive information with each other when using pivot tables. As a result, the Information Commissioner’s Office has endorsed advice that pivot tables should be avoided and that public bodies and private companies should consider using CSV files, which are much more secure than pivot tables set out in a spreadsheet.
Another recommendation from the Information Commissioner’s Office is to ensure that all staff are adequately trained on data protection policies and procedures. These should now include a reference to pivot tables in spreadsheets and a stipulation that CSV files are used instead wherever possible. When this cannot be done, extra care needs to be taken to ensure that personal data is not inadvertently disclosed.
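Where a spreadsheet has to be released, one way to take that extra care is to inspect the file for retained pivot source data before it goes out. The script below is an added example, not part of the original article or any Information Commissioner's Office guidance. It assumes the file is in the .xlsx format, where the retained data is stored in pivot cache parts under `xl/pivotCache/`; the function names and the sample file are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Pivot cache parts inside the .xlsx zip container.
CACHE_PART = re.compile(r"^xl/pivotCache/pivotCache(Definition|Records)(\d+)\.xml$")

def audit_pivot_caches(xlsx):
    """Return one finding per pivot cache: its field names and cached row count."""
    findings = {}
    with zipfile.ZipFile(xlsx) as zf:
        for name in zf.namelist():
            m = CACHE_PART.match(name)
            if not m:
                continue
            kind, idx = m.group(1), int(m.group(2))
            entry = findings.setdefault(idx, {"cache": idx, "fields": [], "rows": 0})
            root = ET.fromstring(zf.read(name))  # the organisation's own outgoing file
            if kind == "Definition":
                entry["fields"] = [f.get("name")
                                   for f in root.findall("m:cacheFields/m:cacheField", NS)]
            else:
                # Each <r> element is one retained row of source data.
                entry["rows"] = len(root.findall("m:r", NS))
    return [findings[i] for i in sorted(findings)]

def build_sample():
    """Constructed sample: only the zip parts the audit reads, not a full workbook."""
    ns = NS["m"]
    definition = (f'<pivotCacheDefinition xmlns="{ns}"><cacheFields count="2">'
                  '<cacheField name="Name"/><cacheField name="Salary"/>'
                  '</cacheFields></pivotCacheDefinition>')
    records = (f'<pivotCacheRecords xmlns="{ns}" count="2">'
               '<r><s v="A. Example"/><n v="30000"/></r>'
               '<r><s v="B. Example"/><n v="42000"/></r></pivotCacheRecords>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{ns}"/>')
        zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", definition)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for finding in audit_pivot_caches(build_sample()):
        print("Retained pivot source data:", finding)
```

An empty result means no pivot cache parts were found in the file; any finding lists the column names and the number of source rows still stored alongside the visible sheet.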
About the author
Natalie is a Paralegal/Conveyancer in the Residential Conveyancing team.
Published: Tuesday 20th August 2013
Categorised: Information Law