Data Protection: how secure are your spreadsheets?


February 19th, 2024

Spreadsheets might not be the first thing that comes to mind when you think about cybersecurity, but with many of us using them for critical information and key processes, proper consideration should be given to how they’re shared and accessed to ensure data protection compliance.

Putting personal information into a spreadsheet and sharing with colleagues, uploading to systems, or sharing with external partners can present a data security risk.

If you send a spreadsheet by email, you have no control over who it may get forwarded on to, and how the data might be used. Spreadsheets can show more information than you intend, and users may hide fields which can be unhidden.

A common error reported to the Information Compliance Team is sending a spreadsheet containing personal data to the wrong person or email address (including sending to students and externals).

Things to consider before putting personal data into a spreadsheet

What is hidden can be unhidden
Remember that hidden information in a spreadsheet can be ‘unhidden’. Once you send information, it’s out of your control and it may get passed on again.

Be wary of pivot tables
A pivot table creates an automatic summary of a large set of underlying data. As with hidden data fields, the underlying data is not immediately visible on the screen, but it can still be accessed.

What about charts?
Charts can also contain an embedded copy of the source data. The underlying data may be copied across into the spreadsheet or into an embedded document.
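A pre-send check for the hidden sheets, hidden rows and columns, pivot table data and chart data described above, as an added example that is not part of the original post. It reads the .xlsx package with the Python standard library; the function names and the sample workbook are constructed for illustration, and the chart check assumes the conventional `c:` namespace prefix.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = "{" + MAIN + "}"

def audit_xlsx(data):
    """List content a recipient could recover from an .xlsx you are about to send."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # For files you authored: stdlib ElementTree is not hardened for hostile XML.
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet"):
            if sheet.get("state", "visible") != "visible":  # hidden or veryHidden
                findings.append(f"sheet '{sheet.get('name')}' is {sheet.get('state')}")
        for name in sorted(z.namelist()):
            if re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                root = ET.fromstring(z.read(name))
                for tag in ("col", "row"):
                    n = sum(e.get("hidden") in ("1", "true") for e in root.iter(NS + tag))
                    if n:
                        findings.append(f"{name}: hidden {tag} elements: {n}")
            elif name.startswith("xl/pivotCache/pivotCacheRecords"):
                findings.append(f"{name}: pivot cache with a copy of the source rows")
            elif name.startswith("xl/charts/chart") and re.search(rb"<c:(num|str)Cache", z.read(name)):
                findings.append(f"{name}: chart holds cached source values")
            elif name.startswith("xl/embeddings/"):
                findings.append(f"{name}: embedded object")
    return findings

def build_sample():
    """Constructed, minimal workbook parts (not a real export) to exercise the audit."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{MAIN}"><sheets>'
            '<sheet name="Summary" sheetId="1"/>'
            '<sheet name="RawData" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{MAIN}"><cols>'
            '<col min="3" max="3" hidden="1"/></cols><sheetData>'
            '<row r="2" hidden="1"/><row r="3"/></sheetData></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords xmlns="{MAIN}"/>',
        "xl/charts/chart1.xml": '<c:chartSpace xmlns:c="urn:constructed">'
            '<c:numCache><c:pt idx="0"/></c:numCache></c:chartSpace>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

print("\n".join(audit_xlsx(build_sample())))
```

An empty result means none of these specific structures were found; it does not cover every way a workbook can carry extra data.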

Spreadsheets for information purposes
Would you send a spreadsheet for information purposes? They’re generally designed to be updated or manipulated to help with other activities. This means that you need to grant at least some degree of permission over the contents – and with permission comes the ability to copy and save!

Updating spreadsheets between colleagues
When personal data is shared between colleagues on spreadsheets, it’s almost impossible to know who has the most up-to-date version, thus leading to potential inaccuracies within the personal data.

What else can I do to protect personal data?

  • Think about what information you need to share with colleagues and why you need to do so. Colleagues should ensure at all times that data are not shared inappropriately, even within UoN.
  • Can you share information another way? Consider OneDrive or SharePoint, where you can send a link and limit access to the information. Multiple users can work on the spreadsheet, version history is controlled, and you can return to previous versions. This way you don’t need to send emails containing spreadsheets, and data is accurate and up to date when working collaboratively.
  • If a spreadsheet is the best or most appropriate option, ensure you’re sharing only what’s required.
  • Check how you are sending the information. Even when pasting into another document, it is easy to embed data which you don’t need or want to share.
  • If you have to send by email, password protect the spreadsheet, even if sharing internally and especially where there’s a lot of personal data on it, or send a link to OneDrive or SharePoint.
  • Where you’re sharing data outside UoN, always password protect or consider sharing via SharePoint. Never send unprotected spreadsheets!

Reporting an incident

Even taking the above into consideration, we’re all human, and errors can occur despite our best efforts. Making a mistake can be worrying and stressful to any of us, but please don’t be put off from reporting an incident – the Data Protection Officer, Tracy Landon, and her team will help and support you in mitigating the effects of the error.

Even if you’re unsure, get in contact at DPO@nottingham.ac.uk.

Further Information

You can find more information about data protection on our SharePoint Site. If you have any queries, please email DPO@nottingham.ac.uk.

Tracy Landon, Data Protection Officer
