

NHS Trust fined £185k for data ‘hidden’ in a pivot table – could this happen to you?

TAGS: Excel, Pivot Table, Publish, Risk

DATE: Thu 19 May 2016
BY: Stephen Aldridge

Blackpool Teaching Hospitals NHS Foundation Trust has been fined £185,000 by the Information Commissioner under the Data Protection Act 1998.

The Trust is required to publish equality and diversity metrics annually on its external website. It inadvertently published confidential data in a spreadsheet, which remained on the website for 11 months before being taken down.

So how did it happen?

And how can you stop it happening to you?

Exposing the underlying data in a pivot table

The spreadsheet contained a pivot table that summarised the data about people who had worked at the Trust in the past. At first glance, the summarised data visible in such a table doesn’t provide any detail, but it is incredibly easy to find all the detail behind the summary data, even if the pivot table has been exported to another workbook. In this case, the workbook included sensitive data about pay scale, ethnicity, religious belief and sexual orientation. A video on our YouTube channel shows how easy it is to get at the ‘hidden’ data.

Double clicking on a pivot table creates a worksheet with all the detail relating to that category of the pivot table. This is because the ‘Pivot Cache’ is stored in the worksheet and this contains all the data from the original data source. This happens even if the pivot table is saved in a new workbook, separate from the data used to create it.

Who is at fault?

There has been a lot of debate on forums about where the fault lies with the Blackpool NHS Trust – the consensus is that this is not a problem with Excel itself but a management and training problem. The Commissioner found that the Trust did not provide the team with any (or adequate) training on the functionality of Excel spreadsheets or possible alternatives and that the web services team had no guidance to check the spreadsheets for hidden data before uploading them.

What is your risk?

This case illustrates just one of the many ways that hidden and possibly sensitive data can be retrieved by someone with the right skills. In this case not much skill is required – the data was accidentally discovered by double clicking on the pivot table.

If you publish a spreadsheet on a website, you run a serious risk of publishing confidential data unintentionally. The safest way to publish spreadsheet data is to publish it as a PDF, but if it is important for users to be able to interact with the spreadsheet, you really need an expert to check the workbook for data that you don’t want to distribute.
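
One way to check a workbook for the Pivot Cache described above before it is uploaded, as an added example (not code from Numeritas or from the original article): it opens the .xlsx as a zip package and reports every pivot cache part that still carries rows from the data source. The function names and the sample package are constructed for illustration, and the check assumes that definition and records parts with the same number belong to the same cache.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Pivot cache parts inside the .xlsx zip package (Office Open XML layout).
CACHE_PART = re.compile(r"xl/pivotCache/pivotCache(Definition|Records)(\d+)\.xml$")

def audit_pivot_caches(xlsx):
    """Map cache number -> field names and count of cached source rows.

    Assumption: definition N and records N describe the same cache, which is
    how Excel numbers them; the authoritative link is the part's .rels file.
    """
    report = {}
    with zipfile.ZipFile(xlsx) as pkg:
        for name in pkg.namelist():
            m = CACHE_PART.match(name)
            if not m:
                continue
            entry = report.setdefault(int(m.group(2)), {"fields": [], "records": 0})
            root = ET.fromstring(pkg.read(name))
            if m.group(1) == "Definition":
                entry["fields"] = [f.get("name") for f in root.iter(NS + "cacheField")]
            else:
                entry["records"] = len(root.findall(NS + "r"))  # one <r> per source row
    return report

def has_cached_records(xlsx):
    """True if any pivot cache still carries rows from the original data source."""
    return any(c["records"] > 0 for c in audit_pivot_caches(xlsx).values())

def build_sample(with_records=True):
    """Constructed, minimal package holding only pivot cache parts (not a full workbook)."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    definition = (f'<pivotCacheDefinition {ns}><cacheFields count="2">'
                  '<cacheField name="PayScale"/><cacheField name="Ethnicity"/>'
                  '</cacheFields></pivotCacheDefinition>')
    records = (f'<pivotCacheRecords {ns} count="2"><r><s v="Band A"/><s v="Group 1"/></r>'
               '<r><s v="Band B"/><s v="Group 2"/></r></pivotCacheRecords>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/pivotCache/pivotCacheDefinition1.xml", definition)
        if with_records:
            z.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    return buf

if __name__ == "__main__":
    for num, cache in audit_pivot_caches(build_sample()).items():
        print(f"cache {num}: {cache['records']} cached rows, fields {cache['fields']}")
```

A workbook that reports zero cached rows can still list field names in the cache definition, so the field list is worth reading as well as the row count.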

Call us on 08458694960 if you are worried about these risks – we’ll be happy to talk it through with you.

Stephen Aldridge BSc, MBA, ACMA

Stephen is a Chartered Management Accountant and has over ten years of financial modelling experience both at KPMG and Deloitte. His early career included engineering, sales and corporate management roles. In 2004, Stephen joined Numeritas as a co-owner and a Managing Director.
