Beauty and The Beast
David Parish – Information Security Consultant
“The beauty of Microsoft Excel?”
Advances in technology provide the opportunity for global data transfer at the touch of a button.
I am struggling to keep up with some of the commentary in relation to GDPR and the do’s, don’ts, fines etc, let alone keeping a keen eye on my information security knowledge.
One issue seems to have cropped up in several incidents reported to the ICO and in some of the near-miss incidents I review, which are data breaches but are not reportable due to the data.
It is invariably in that beautiful software application called Microsoft Excel.
Any organisation, from small to large, probably has Excel spreadsheets, some more sophisticated than others. Business analysts, HR departments and finance teams often use this software to manipulate and manage data and to create dashboards, management reports etc.
There is also currently no problem with this as long as you keep to the data processing principles, data minimisation and password protection.
(I am not being rude about the ICO.) I previously blogged about a council sending vulnerable people’s health issues on an Excel spreadsheet to 20 plus lab firms. I think the ICO is still investigating that matter.
The ICO have just ruled and imposed a £120,000 fine on the Royal Borough of Kensington and Chelsea over its response to freedom of information requests made to the council after the Grenfell Tower disaster in June 2017.
The Royal Borough was asked how many privately owned empty properties there were in the Borough that could be used for potential temporary accommodation.
The council extracted the data into Excel and created pivot charts and tables. The Excel spreadsheet appears to have been minimised, i.e. columns hidden, not deleted.
This Excel spreadsheet was then sent to the requestors, one an investigative journalist and the other a data analyst.
Both parties knew a little about Excel and double-clicked on the pivot table, which revealed the identity of 943 private individuals, including numerous high-profile individuals!
The data analyst posted this information online and the newspaper published it.
Why is this relevant to GDPR? The ICO in its judgement identified that the Borough:
- Had not put in sufficient technical controls, which makes this a GDPR issue.
- Did not have a documented process on how they extract and minimise data and ensure correct controls are in place.
Finally, the ICO raised the issue that the Borough had not sufficiently trained staff in the procedures and the software, stating that this failure was an error that could easily have been avoided.
So to conclude, the beauty of Excel is how you can easily, with a fair standard of training, manipulate data and manage large data sets.
The beast is that you need to make sure that the raw data is correctly sanitised and that the dashboard that looks really good is created from that raw data only.
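A pre-send check for the failure described above, as an added example that is not part of the original article: it opens an .xlsx as the zip archive it is and reports pivot caches, hidden columns and hidden sheets. The function names and the sample workbook are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_xlsx(source):
    """List data an .xlsx still carries but does not show on screen."""
    findings = []
    with zipfile.ZipFile(source) as z:
        for name in sorted(z.namelist()):
            if re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", name):
                # Pivot cache: a stored copy of the rows behind a pivot table.
                rows = ET.fromstring(z.read(name)).findall(NS + "r")
                findings.append(f"{name}: pivot cache holds {len(rows)} source rows")
            elif re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                # Hidden columns keep their cell values in the file.
                for col in ET.fromstring(z.read(name)).iter(NS + "col"):
                    if col.get("hidden") in ("1", "true"):
                        findings.append(f"{name}: hidden columns {col.get('min')}-{col.get('max')}")
            elif name == "xl/workbook.xml":
                for sheet in ET.fromstring(z.read(name)).iter(NS + "sheet"):
                    if sheet.get("state") in ("hidden", "veryHidden"):
                        label = f"sheet '{sheet.get('name')}' is {sheet.get('state')}"
                        findings.append(f"{name}: {label}")
    return findings

def build_sample():
    """Constructed minimal workbook parts for the demo, not a real file."""
    x = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml": f'<workbook {x}><sheets>'
            '<sheet name="Summary" sheetId="1"/>'
            '<sheet name="Raw" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {x}><cols>'
            '<col min="2" max="3" hidden="1"/></cols><sheetData/></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords {x}>'
            '<r><s v="Owner A"/></r><r><s v="Owner B"/></r></pivotCacheRecords>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("\n".join(audit_xlsx(build_sample())))
```

A pivot cache definition can also hold unique source values, so an empty result is not proof that a file is clean. Copying only the values needed into a new workbook remains the safer route before release.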
by David Parish, Information Security Consultant – IBITGQ Certified ISO 27001 and GDPR implementation Specialist MSC Security and Risk Management