Avoiding disclosure of hidden personal data

The Information Commissioner’s Office (ICO) has published guidance relating to the safe disclosure of personal information and how to avoid accidental disclosure, largely through unawareness of hidden functionality in various IT equipment or software. This could be public disclosure (under the Freedom of Information Act or publication on the University’s website) or it could be disclosure via email to a more targeted group of individuals (whether internal or external). Accidental disclosure of personal information in both circumstances could constitute a breach of the Data Protection Act.

While the full guidance is available via the above link, the ICO has produced a quick checklist for reference prior to publishing or sending information to ensure there is no hidden personal information available. It is worth considering these issues whenever handling or disclosing personal information. Microsoft's Document Inspector tool is also a useful way of checking a document for hidden personal data, or other potentially sensitive information, prior to disclosure.

File type

Considerations

Spreadsheet

e.g. xls(x), ods

  • Are you sure you know where all the data is?
  • Are there hidden columns?
  • Are there hidden rows?
  • Are there hidden worksheets?
  • Do pivot tables contain linked data?
  • Do charts contain linked data?
  • Are there formulae included which link to external files?
  • Is there any meta-data that should be removed?
  • Is the file size larger than you might expect for the volume of data being disclosed?
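
Several of the spreadsheet checks above can be automated for .xlsx files, which are ZIP archives of XML parts. The following is an added example, not code from the ICO or the University; the function names and the sample workbook are constructed for illustration. It reports only rows, columns and sheets flagged as hidden and the presence of external-link parts, so it does not replace the rest of the checklist.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def inspect_xlsx(data: bytes) -> dict:
    """Report hidden sheets, rows, columns and external-link parts in an .xlsx file."""
    report = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {},
              "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            # state is "hidden" or "veryHidden"; the latter is not offered
            # in Excel's Unhide dialog, so it is easy to overlook.
            if sheet.get("state", "visible") != "visible":
                report["hidden_sheets"].append((sheet.get("name"), sheet.get("state")))
        for part in z.namelist():
            if part.startswith("xl/worksheets/") and part.endswith(".xml"):
                ws = ET.fromstring(z.read(part))
                rows = [int(r.get("r")) for r in ws.findall("m:sheetData/m:row", NS)
                        if r.get("hidden") in ("1", "true")]
                # Each <col> covers an inclusive range of column numbers (1 = A).
                cols = [(int(c.get("min")), int(c.get("max")))
                        for c in ws.findall("m:cols/m:col", NS)
                        if c.get("hidden") in ("1", "true")]
                if rows:
                    report["hidden_rows"][part] = rows
                if cols:
                    report["hidden_cols"][part] = cols
            elif part.startswith("xl/externalLinks/") and part.endswith(".xml"):
                # Cached values from the linked workbook may be stored here.
                report["external_links"].append(part)
    return report

def build_sample() -> bytes:
    """Constructed sample: only the parts inspected above, not a full workbook."""
    m = NS["m"]
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{m}"><sheets><sheet name="Summary" sheetId="1"/>'
                           f'<sheet name="RawData" sheetId="2" state="veryHidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{m}"><cols><col min="2" max="3" hidden="1"/></cols>'
                                    f'<sheetData><row r="1"/><row r="4" hidden="1"/></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{m}"><sheetData><row r="1"/></sheetData></worksheet>',
        "xl/externalLinks/externalLink1.xml": f'<externalLink xmlns="{m}"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

To check a real file before disclosure, pass its bytes to `inspect_xlsx`, for example `inspect_xlsx(open(path, "rb").read())`, and review every non-empty entry in the result.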

Word processor

e.g. doc(x), odt

  • Are there any comments within the document that should be removed?
  • Does the document contain a version history?
  • Do pivot tables contain linked data?
  • Do charts contain linked data?
  • Is there any meta-data that should be removed?
  • Does the document title or filename contain any personal data (e.g. Letter to John Smith)?
  • Has a header or footer been automatically added to a print-out?

Presentation

e.g. ppt(x), odp

  • Are there any presenter notes which should be removed?
  • Do pivot tables contain linked data?
  • Do charts contain linked data?
  • Is there any meta-data that should be removed?

PDF

  • Are there any comments which should be removed?
  • Are all redactions effectively applied?
  • Is there any meta-data that should be removed?

Email

e.g. mbox, msg

  • Is there data within any attachments that also needs to be redacted?
  • Is there any meta-data that should be removed?

Image and video

e.g. jpg, avi

  • Is there attached EXIF data?
  • Is there personal data that needs to be obscured (e.g. faces of third-party individuals)?

For any further advice, please email: data-protection@bristol.ac.uk