SUM () of all fears

Tim Henwood
30 May 2014

"I do not believe it makes sense to say that [Excel spreadsheets]* are inherently evil. In certain circumstances, they can play a positive role - as they have in the past. But clearly they have a power to do great harm." Des Browne, UK Defence Minister.

If you want to engineer a really good privacy breach, grab all your customers' data and put it in a poorly secured Excel spreadsheet. Combine this with a lax approach to data loss prevention in your email client, and some kind soul in your office will eventually, accidentally, do you the favour of emailing it out to somebody who shouldn't have it.

Here at the Office of the Privacy Commissioner we'd really rather you didn't do that.

If you hold large amounts of personal information and you're using spreadsheets to corral it all, you're opening yourself up to user error and possibly breaching your obligations under the Privacy Act. We're not advocating that you revoke your subscription to Office 365 and revert to paper files and locked drawers, but we're saying use spreadsheets wisely.

In the data breaches reported to OPC involving spreadsheets sent by email, the number of individuals affected per breach has ranged from dozens to thousands. While some of the systems involved had data loss protection or security procedures in place, there were holes, and user error always finds a way.

If you have to maintain a database, you should be thinking about a purpose-built database management system. That way, when you query it, you're just generating the results you need, not hunting and pecking your way through a bloated spreadsheet.

This approach can also help lay the groundwork for a more customer-driven solution to accessing records. It's not always going to be an appropriate solution, but letting the customer access their own information through a web service will minimise the chance of them being accidentally emailed their information along with 900 other customers' details.

If you must use spreadsheets, don't email them around. Export the data you need from the spreadsheet and just send what you need. Convert the sheet to PDF or put the data directly into a table in the email if it's a small enough set. If the receiver doesn't need all the underlying formulae, it potentially doesn't need to go out in worksheet form.

Finally, if you absolutely need to email a spreadsheet to someone, protect it. For instance, Excel has a built-in function to password protect files. Yes, it's barebones, but it's better than nothing. Consider a pop-up notification when files are being sent to external recipients, or maybe have employees rigorously curate the email addresses that populate the auto-complete function in Outlook. The more data loss prevention tools you use, the lower the probability of a breach.

Whatever you choose, make sure it fits how you do business - Outlook pop-ups are no use if everyone in the office is handling email through iOS Mail.
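A pre-send check of the kind suggested above, sketched with Python's standard `email` library as an added example (it is not from the original post or any OPC tool). The internal domain `agency.example`, the extension list, the function names and the sample message are all assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumptions for this sketch: the internal domain and extension list.
INTERNAL_DOMAINS = {"agency.example"}
SPREADSHEET_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".csv", ".ods")

def external_recipients(msg):
    """Return To/Cc/Bcc addresses whose domain is not internal."""
    headers = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr for _name, addr in getaddresses(headers)
            if addr and addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]

def spreadsheet_attachments(msg):
    """Return filenames of attachments that look like spreadsheets."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(SPREADSHEET_EXTENSIONS)]

def presend_warning(msg):
    """Return a prompt to show the sender, or None if nothing to confirm."""
    outside = external_recipients(msg)
    sheets = spreadsheet_attachments(msg)
    if not (outside and sheets):
        return None
    return ("You are about to send %s outside the organisation to %s. "
            "Check the addressee details and the attachment contents."
            % (", ".join(sheets), ", ".join(outside)))

def sample_message():
    """Constructed sample: one internal and one external recipient."""
    msg = EmailMessage()
    msg["From"] = "staff@agency.example"
    msg["To"] = "Colleague <colleague@agency.example>, someone@customer.example"
    msg["Subject"] = "Your account details"
    msg.set_content("Details attached.")
    msg.add_attachment(b"name,phone\n", maintype="text", subtype="csv",
                       filename="all_customers.csv")
    return msg

if __name__ == "__main__":
    print(presend_warning(sample_message()))
```

The check only matches on file extension and recipient domain, so it prompts the sender rather than blocks, and it has to run wherever staff actually send mail to be of any use.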

When it comes to solutions, what you really want is to create a culture where people think about what they're sending, where they'll regularly check the addressee details and the attachment contents.

Part of the solution is changing the way you talk and think about data. A spreadsheet isn't just a collection of data entries, it's people's contact details, medical information, or financial records.

You need to change things up enough that people don't just send things out on auto-pilot. This can take time, so it needs IT support to hold it all together. You don't want employees triggering a catastrophic event by accidentally pressing the big red button - so design your system so that they're not left in the room with it.

*Browne was actually referring to nuclear weapons.

Image credit: American man Syd Connelly and his winning safety slogan (1953 Library of Virginia, Creative Commons licence).

Comments

  • Good stuff Tim, very practical. Cheers Emma

    Posted by Emma Pond, 30/05/2014 10:22am (4 years ago)

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.
