Sunday 31 January 2016

Data Protection Training - Are you doing it for your staff (and Volunteers)?

The Information Commissioner's Office has reprimanded the Alzheimer's Society for a number of breaches of the Data Protection Act, including failing to provide regular training to staff and volunteers on Data Protection compliance.

The enforcement notice states that the charity has failed to comply with two data protection principles and sets out ten action points which must be complied with within a period of six months.

The key issue is that the charity has not been training its staff or volunteers on a regular basis with regard to the requirements of the Act. This has led to breaches of the Act, probably due to lack of knowledge. So what do you need to do to avoid the wrath of the ICO?

All organisations should be regularly training their staff (and volunteers) in the requirements of the Data Protection Act at least every two years. 

So what should your training cover? As a minimum you would want to inform all staff:
  • Who the Data Protection Officer is
  • What personal information is
  • How information should be collected, stored and destroyed
  • The time-scales for destruction (i.e. a retention policy)
  • An awareness of the checks they should be undertaking before providing information to someone (Subject Access Requests)
  • How to ensure that sharing information via email is carried out securely
  • The constraints on using their own devices for work purposes.
An organisation should also have policies and procedures to support these elements. Remember, these are THE BASICS! 

Any training undertaken should be recorded as to what the training covered, who attended and the date. You will need to keep these records in case of an issue with the ICO at a later date. Showing that you have trained the staff (and volunteers) on a regular basis shows a commitment to compliance with the Act.

If you have any questions or want to run a training session for your staff, we run in-house courses tailored to your needs, so please contact me.

Monday 25 January 2016

Don’t leave your important information on the bus…

A school in York has been left red-faced after a member of the school staff left an unencrypted removable memory stick on public transport.

The Information Commissioner's Office has launched an investigation after being made aware of the incident. St Peter's School in Clifton, which is one of York's top public schools, admitted that there were a number of documents on the memory stick that related to school governance, and which could potentially include information about a 'small number of individuals', although thankfully there were no bank or financial details on the device. There was no suggestion that the information had been accessed or used by anyone since being lost in October.

The school's head, Leo Winkley, has also been forced to write to the parents of children at the school to inform them about the blunder, and is working with the ICO to make sure that all the correct procedures are followed - although it would have saved the school a great deal of trouble if they had simply encrypted their memory stick so that it was unusable without a password.
 
The loss has caused consternation in York as the device was said by a source to contain highly sensitive information about pupils and former pupils - and worryingly, the public transport operator has not been able to locate the missing memory stick - so nobody knows where it is, or whether it has been found by a member of the public and accessed.

A source told the York Press that there had also been confusion, with the ICO initially claiming not to know about the allegation before, after some investigation, confirming that it was making enquiries into what had happened.

This case just underlines the necessity for all removable memory devices to be encrypted and password protected. With the best will in the world, memory sticks and other removable storage devices can go missing, but if the information on them is encrypted, then should a device be found by someone, the data cannot be read or used by anyone unscrupulous.

Do you have a security policy in place and train your staff in how to protect sensitive information? If you’re unsure of how to protect your data, contact me and I will be delighted to provide you with guidance and advice.

Monday 18 January 2016

Did you attend a training course? Whoopee, let's share your details!

I have been on a couple of business training courses over the last week. I signed up to both of them online, and neither told me what they would do with my information, so that's the first mistake!

When I got to the training courses, both provided an attendee list which showed name, business name and a brief outline of what the business does.

A few days later I received an email from the training company asking if they could share my contact details with the other attendees. If I did not wish to share my information, I had 24 hours to send an email opting out. Mistakes 2 and 3.

The email requesting that I share my contact details does not tell me which contact details they are planning to share. They may have my postal address, and they definitely have my email address and mobile number as a minimum, so are they planning on sharing all of my contact details or just some of them, and if so, which ones?

Also, by requiring people to respond in order to opt out, they run the risk of sharing the contact details of someone who does not want their information shared but has not had time to read their emails and respond within the timescale laid down. They should have asked people to opt in.

So how could this have been done more effectively? At the time of sign-up they should have:
1 - Stated how they were going to hold the information they collected, and for how long.
2 - Stated whether I would be placed on a mailing list.
3 - Stated that my details would appear on an attendee list.
4 - Stated what information they planned to share with other delegates, and sought my permission to do so.
All of this could have been completed at the time of sign-up.

It would have been more straightforward to tell all the attendees to find each other on LinkedIn and connect that way, which would need no facilitation by the training company.

So with a bit of planning and some knowledge of Data Protection requirements, life could have been a lot easier for the training company. 

Sunday 10 January 2016

The top three business security risks - and what to do about them

Businesses have been aware for many years of the very real threat to their business from security breaches, distributed denial-of-service (DDoS) attacks and more, but despite warnings from concerned security professionals about keeping better control over their sensitive data, many small businesses still aren’t taking security as seriously as they should.

If you have a feeling that this may well be you, what can you do to up your game when it comes to protecting sensitive data from security threats? First, you need to look at the most common causes. Here are our top three.

1: Resentful or disgruntled employees
A disgruntled member of staff can do a lot of damage to your internal security, especially one that has access to your networks, data centres and IT admin accounts. However hard you try, you’re not going to be able to eliminate staff dissatisfaction, so you need to mitigate the risks by identifying privileged accounts and credentials and deleting any that are connected to ex-employees who may have an axe to grind. Privileged accounts should be routinely monitored and there should also be a protocol in place to track, log and record activity on these accounts so that anything suspicious or malicious can be quickly spotted and dealt with.
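The review described above, reconciling privileged accounts against the leavers list and watching the logs for activity on accounts that should no longer exist, can be done with a short script. The following is an added example, not code from the original post: the account inventory, the HR leavers list and the authentication log lines are all constructed for illustration, and the `user=… action=… src=…` log format is an assumption rather than any real product's schema.

```python
"""Privileged-account review and post-departure activity check (added example).

Reconciles an account inventory against an HR leavers list, then scans
authentication log lines for activity on accounts whose owners have left.
All data below is constructed; the log format and names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
import re


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool  # True for admin / IT accounts


# Constructed account inventory (assumed to be exported from a directory service)
ACCOUNTS = [
    Account("alice", True),
    Account("bob", False),
    Account("carol", True),
    Account("dave", True),
]

# Constructed HR leavers list: username -> last working day
LEAVERS = {
    "carol": date(2015, 12, 18),
    "bob": date(2016, 1, 4),
}

# Constructed auth log lines in an assumed "timestamp user=<name> action=<act> src=<ip>" format
SAMPLE_LOG = """\
2015-12-17T09:02:11 user=carol action=login src=10.0.0.12
2016-01-06T22:41:03 user=carol action=login src=203.0.113.7
2016-01-06T22:43:50 user=carol action=sudo src=203.0.113.7
2016-01-07T08:15:00 user=alice action=login src=10.0.0.20
2016-01-08T19:30:12 user=bob action=login src=10.0.0.31
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) src=(?P<src>\S+)$"
)


def stale_privileged_accounts(accounts, leavers):
    """Privileged accounts whose owner has left: these should be disabled or removed."""
    return sorted(a.username for a in accounts if a.privileged and a.username in leavers)


def post_departure_activity(log_text, leavers):
    """Log events on a leaver's account dated after their last working day.

    Returns a list of (user, timestamp, action, source) tuples.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than assumed benign
        user = m["user"]
        if user not in leavers:
            continue
        when = datetime.fromisoformat(m["ts"])
        if when.date() > leavers[user]:
            findings.append((user, m["ts"], m["action"], m["src"]))
    return findings


if __name__ == "__main__":
    for u in stale_privileged_accounts(ACCOUNTS, LEAVERS):
        print(f"REMOVE: privileged account still present for leaver {u}")
    for user, ts, action, src in post_departure_activity(SAMPLE_LOG, LEAVERS):
        print(f"ALERT: {ts} {user} {action} from {src} after departure")
```

Note that the non-privileged leaver (bob) is still flagged by the log check: an ordinary account used after its owner has left is a finding in its own right, even though the account removal list is limited to privileged accounts as the post suggests.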

2: Human error & lack of training
An employee who leaves their laptop unlocked on a train is just as dangerous as an ex-employee who maliciously breaches your security. If your employees aren't properly trained in data security, they also pose a risk. Make sure that your employees are up to date on cyber security. Hold regular, mandatory training sessions so that they know the risks of weak passwords, unencrypted or non-password-protected portable memory, and even basics such as not opening suspicious email attachments. It's vital to drive the point home about passwords; they are the first line of data defence, so staff members need to know the basic rules: choosing a password with upper and lowercase letters, numbers and symbols, keeping separate passwords for different sites and devices, and changing them regularly. Encrypting data is another way of avoiding data breaches through human error; even if an employee hasn't locked their phone, the IT department can render selected data unreadable simply by revoking the decryption keys used specifically for company data. You can then go a step further and use authentication methods like a One Time Password (OTP), smart card, fingerprint reader or even retina scanning if you need an extra layer of security.

3: Unpatched - or Unpatchable - Devices
If you have hardware such as servers, routers or printers that runs software or firmware for which there is no patch for a known vulnerability, or whose hardware isn't designed to update automatically when a vulnerability is detected, it leaves you open to attack. Out-of-date servers are especially vulnerable; Microsoft no longer supports Windows Server 2003, and with an estimated 10 million or more Windows 2003 servers still in use, outdated servers are prime targets.
Put a patch management programme in place to make sure that all of your hardware and software is kept up to date. Vulnerability management technology is available to check your network for anything that's out of date, and a policy of taking anything that hasn't been updated for a long time offline will also minimise the risk.
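The two rules in this section, that unsupported products can never be patched and that anything left unpatched for too long comes off the network, translate directly into a check over a device inventory. The following is an added example, not code from the original post: the inventory rows, the 90-day staleness threshold and the `classify`/`offline_candidates` function names are constructed for illustration; the one real value is the end of Microsoft's extended support for Windows Server 2003 on 14 July 2015.

```python
"""Patch-currency and end-of-support check over a device inventory (added example).

The inventory rows and the 90-day threshold are constructed assumptions.
The Windows Server 2003 end-of-extended-support date is the published one.
"""
from datetime import date, timedelta

# Assumed end-of-support table: product -> date after which no patches are issued
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed inventory: (hostname, kind, product, last_update); None = never/unknown
INVENTORY = [
    ("fileserver01", "server", "Windows Server 2003", date(2015, 6, 30)),
    ("web01", "server", "Ubuntu 14.04", date(2016, 1, 5)),
    ("edge-rtr", "router", "VendorOS 3.1", date(2015, 8, 2)),
    ("print-2f", "printer", "PrinterFW 1.4", None),
]

STALE_AFTER = timedelta(days=90)  # assumed policy threshold


def classify(inventory, today, eos=END_OF_SUPPORT, stale_after=STALE_AFTER):
    """Split the inventory into 'unsupported', 'stale' and 'current' hostname lists.

    Unsupported is checked first: once a product is past end of support no fix
    will ever ship, so patching cannot help and the device must be replaced or
    isolated regardless of when it was last updated.
    """
    result = {"unsupported": [], "stale": [], "current": []}
    for host, _kind, product, last_update in inventory:
        eos_date = eos.get(product)
        if eos_date is not None and today > eos_date:
            result["unsupported"].append(host)
        elif last_update is None or today - last_update > stale_after:
            # Unknown update history is treated as stale, not as current
            result["stale"].append(host)
        else:
            result["current"].append(host)
    return result


def offline_candidates(inventory, today, **kw):
    """Hosts the policy says should come off the network until remediated."""
    c = classify(inventory, today, **kw)
    return sorted(c["unsupported"] + c["stale"])


if __name__ == "__main__":
    today = date(2016, 1, 10)  # constructed run date
    report = classify(INVENTORY, today)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
    print("take offline:", ", ".join(offline_candidates(INVENTORY, today)))
```

The vulnerability scanner mentioned in the post would normally supply the `last_update` and product columns; the value of a separate check like this is that it applies the written policy consistently and produces a list someone is accountable for actioning.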

Do you know where your business is vulnerable? If you need advice on procedures and policies that keep your sensitive data safe, or want to know more about staff training, contact me and I will be delighted to provide you with guidance and advice.