Data Protection made easy


In the News

• HMRC loses personal data of 25 million people in the post. Details included names, dates of birth, National Insurance numbers and in some cases bank details. This happened after a request from the National Audit Office to HM Revenue and Customs for data on child benefit recipients. Apparently a relatively junior member of staff downloaded the data onto two CDs and sent them by the internal mail, which is operated by a courier firm. The discs were lost and there are fears that the information could get into the wrong hands, leading to ID theft on an unprecedented scale.
• The first question is how a junior member of staff (or anyone, however senior) could download the data with such ease. It is not enough simply to have procedures to protect data; human beings are fallible and mistakes happen. Data storage systems need to be designed so that a bulk download like this cannot happen until a whole series of checks and authorisations has been completed on the system first.
• The NAO claim they didn't request or need all this data anyway. As far as data protection goes, less is always more: only the information that is absolutely necessary for the purpose should ever be collected, used or passed on. It also helps to store different items of information separately and only join them up when this is essential. And it is possible for data to be validated without the information itself being revealed to the person making the check, for example by giving the checker a keyed substitute for each identifier that can be matched and counted but not turned back into the original.
• Another question is why no one seems to have queried the download. This is maybe because personal data is still not (or was not until this incident!) widely perceived to be valuable. Many people don't destroy their financial information (statements, credit card receipts etc.) securely. And how often have you heard someone give away personal details in a mobile phone call on the train? Personal data should be protected like cash, or even more carefully, as the consequences of it getting into the wrong hands can be more devastating than losing cash.
• Data protection training is also essential. This should include everyone, from the most senior people in the organisation to temporary staff and consultants: everyone who will be handling or making decisions about personal information. A recent survey by security firm Websense showed that organisations frequently give temporary staff wide access to personal and confidential data. This makes it very easy for someone with malicious intent to steal data. So access to data also needs to be carefully controlled and fully audited: who took what, when, for which purpose and on whose authority.
• Data protection training emphasises that it's everyone's responsibility to look after data, not just the data protection officer's job! Good training will give everyone an internal alarm that rings when something is not right.
• Prevention is always better than cure; the public reaction to this incident has been pretty angry. If an organisation can't look after personal information, people will start asking if it can do anything properly. And now the Information Commissioner has advised that all personal data in transit (on laptops, discs etc.) should be encrypted, because password protection is not adequate: a password on a document or a login screen does not scramble the data on the disc, and it can be bypassed by anyone who gets hold of the medium. If an organisation loses unencrypted data in transit, in future he will use his enforcement powers against that organisation. And the Information Commissioner's powers are set to be increased with the ability to make spot checks on organisations.
• But as always, it is better to be safe than sorry.
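The three points above (a download that should require authorisation, sending only what the requester needs, and validating data without revealing it) can be built into the system rather than left to procedure. The following is an added example written for this page, not code from HMRC, the NAO or the Information Commissioner's Office, and the records, role names, entitlement table and two-approver rule in it are invented for illustration. It gates a bulk export behind approvals, strips every field the audit purpose is not entitled to, replaces the National Insurance number with a keyed pseudonym that the auditor can match and count but not reverse, writes an audit entry for the export, and shows why a plain (unkeyed) hash would not have protected a small-domain field such as a date of birth.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta, timezone

# Constructed sample records (no real people) standing in for the extract.
# The third row is the same claimant as the first, under a second claim.
RECORDS = [
    {"name": "A. Example", "dob": "1979-03-14", "ni_number": "QQ123456A",
     "sort_code": "00-00-00", "account": "12345678", "claim_ref": "CB-0001"},
    {"name": "B. Example", "dob": "1985-11-02", "ni_number": "QQ654321B",
     "sort_code": "00-00-00", "account": "87654321", "claim_ref": "CB-0002"},
    {"name": "A. Example", "dob": "1979-03-14", "ni_number": "QQ123456A",
     "sort_code": "00-00-00", "account": "12345678", "claim_ref": "CB-0003"},
]

# Hypothetical entitlement table: which derived fields each purpose may receive.
# Names and bank details are not on the audit list, so they can never be exported for it.
ENTITLEMENTS = {
    "audit": {"claim_ref", "dob_year", "ni_pseudonym"},
}

# Secret held by the data controller only; it never travels with the extract.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256): equal inputs give equal outputs, so the
    auditor can match and count, but without the key the output cannot be
    turned back into the original value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def minimise(record, allowed):
    """Derive only coarse or pseudonymised fields, then keep the allowed ones."""
    derived = {
        "claim_ref": record["claim_ref"],
        "dob_year": record["dob"][:4],
        "ni_pseudonym": pseudonymise(record["ni_number"]),
    }
    return {k: v for k, v in derived.items() if k in allowed}


def is_authorised(requester, approvals, required=2):
    """Two approvers other than the requester must have signed off (hypothetical rule)."""
    return len(set(approvals) - {requester}) >= required


def export(records, requester, purpose, approvals, log=None):
    """Gated bulk export: refuses unless the purpose has an entitlement and the
    approvals are present; returns the minimised rows and the audit entry."""
    if purpose not in ENTITLEMENTS:
        raise PermissionError("no entitlement defined for purpose %r" % purpose)
    if not is_authorised(requester, approvals):
        raise PermissionError("export by %s for %s lacks approvals" % (requester, purpose))
    rows = [minimise(r, ENTITLEMENTS[purpose]) for r in records]
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "approvals": sorted(set(approvals) - {requester}),
        "purpose": purpose,
        "fields": sorted(ENTITLEMENTS[purpose]),
        "rows": len(rows),
    }
    if log is not None:
        log.append(entry)
    return rows, entry


def duplicate_pseudonyms(rows):
    """An auditor's check that works on pseudonyms alone: claimants appearing twice."""
    seen, dups = set(), set()
    for row in rows:
        p = row["ni_pseudonym"]
        if p in seen:
            dups.add(p)
        seen.add(p)
    return dups


def plain_hash(value):
    """Unkeyed SHA-256, shown only to demonstrate why it is not a pseudonym."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_dob_from_plain_hash(digest, first_year=1900, last_year=2007):
    """Brute force every date in range: an unkeyed hash of a small-domain field
    is reversible in well under a second, which is why the key above matters."""
    day, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= end:
        candidate = day.isoformat()
        if plain_hash(candidate) == digest:
            return candidate
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    log = []
    rows, entry = export(RECORDS, "clerk", "audit", ["clerk", "manager", "dpo"], log=log)
    print(rows)
    print(entry)
    print("duplicate claimants:", len(duplicate_pseudonyms(rows)))
    print("dob recovered from plain hash:", recover_dob_from_plain_hash(plain_hash("1979-03-14")))
```

The exported rows carry no name, bank detail or full date of birth, yet the auditor can still see that claim CB-0001 and CB-0003 belong to the same person. The same request with only one approver is refused before anything is read, and every successful export leaves a log entry naming the requester, the approvers, the purpose and the fields released.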

 

• Bank of Scotland loses customer data in the post. Details of 62,000 mortgage customers were put on a disc in the ordinary post but it never turned up at the other end. The details included names, addresses and dates of birth. This kind of information can be very useful to identity thieves; a date of birth is often used as a security check.
• The bank said that normally the disc would have been encrypted and sent by secure post or courier, and that human error was to blame. Bank of Scotland is part of the HBOS group, which has been in the news already this year for various problems with handling customer data, such as putting unshredded documents in rubbish bins.
• Effective data protection training should give all staff the awareness to avoid this kind of mishap. Something else to watch out for is sending large amounts of personal data in unprotected files by email. Security experts warn that putting information in an email without protection is like writing it on the back of a postcard: it can be read at every point it passes through. So it is always advisable to do a risk assessment for the type and amount of data being sent and make sure it is adequately protected, perhaps by encrypting the file before it goes or by finding an alternative delivery method.

 

• School report found in the street (Howard School for Boys, Rainham, Essex), and it wasn't mincing its words about certain pupils: 'dingbat', 'wally' and 'away with the fairies' were just some of the comments.

And the person who found it didn't just hand it back; they went to the press. Cue interviews with angry parents (one of whom had been described as 'quite rough' in the confidential report).

As far as data protection goes, the 'special purposes' exemption allows disclosures for journalistic purposes if the matter is in the public interest (not necessarily the same as 'interesting to the public') although it was probably both in this case.

For the school there are two data protection lessons.

First, it's an easy thing to print 'Confidential' or 'Do not leave lying around' on the cover of a document; it takes a bit more to have procedures that follow through on that.

Second, under the 'subject access' provision of the Data Protection Act, pupils have a right to make requests to see information about them held by their school (and parents have a right to see their educational record). It's unlikely that any exemption would apply, so they could have ended up reading their entry anyway.

(For further information, see the Technical Guidance Note produced by the Information Commissioner's Office: 'Access to pupils' information held by schools in England' at www.ico.gov.uk under Document library.)

No doubt we all know at least one dingbat or wally, but would we really want them to know how we feel? Particularly at work, where they might claim discrimination as a result of making an access request and seeing their boss's opinion of them! So any notes about staff should always be objective, with opinions separated from facts.

 

• Read the Top 10 blunders and how to avoid them here.

 

• A third of people* admit they throw away documents containing important personal information without shredding them first. This includes bank statements and receipts.

*Survey by the Information Commissioner's Office, January 2007

• The BBC Three TV programme The Real Hustle has shown how burglars can raid your dustbin and use a utility bill or similar document plus a faked photo ID to persuade a locksmith that they are the home's owner, get your front door opened and then rifle your belongings. A shredded bill gives them nothing to work with.
Copyright 2007, Sue Milnes