Saturday, 11 October 2014

7 Lessons to be learned from the Swale Council Email disclosure

In the news this week Swale Council admitted that it sent the email addresses of 2500 residents to other residents in an email. See the link below for the newspaper report.

http://www.kentonline.co.uk/sittingbourne/news/council-may-face-action-over-24879/

This is an easy error to make if there is insufficient guidance or training around emails.

So here are our 7 top tips to stop you making the same costly mistake:

  • Who has access to your database?
One of the principles of the Data Protection Act is that the information should only be made available to those who need to see it.
  • Who has the final approval for emails being sent out to the mailing list?
Who is checking the emails before the send button is pushed? We all know how easy it is to make a mistake in an email and only realise it just after you have sent it. My usual mistake is forgetting to attach a file.
  • What's your email policy?
Does your email policy allow emails to be sent to large groups of people from your main system? If so, there should be a practice in place which limits the number of addresses that any single email can be sent to. This will reduce the potential for error. This is different from emails sent via a mailing package such as MailChimp, because such a package would automatically ensure the security settings meet DP requirements.
  • How often are staff reminded of the email protocols?
It's great to have a process in place but completely useless if the staff who might need to use it are unaware of it. In a large staff team, it is good practice to have regular training around data protection and this should include information around email protocols. Records of the training should be maintained, including the date and the names of the staff who attended.
  • Can you create controls in the email system which limit the number of addresses?
In larger organisations the IT system can sometimes be sophisticated enough to limit the number of addressees an email can be sent to. This is to stop emails being sent to large groups of people and being treated as spam.
  • What happens following the breach?
How you handle a breach will be considered as part of any ICO investigation. The type of breach dictates the action to be taken. You should try to notify those whose information is affected of the details of the incident and, where necessary, advise them on what will happen next and any action they may need to take. Ideally, have a written plan for what you will do in the event of a breach; this will save time when it happens and you won't need to work out what you should be doing.
  • Do I need to report the breach to the ICO?
This depends on the extent and severity of the breach: how many people the information related to and what the information was. If it is the email addresses of 5 people, then no, you would not need to report it. If it is the health records of 5 people, then you would need to report it. At the time of a breach you need to seek advice to ensure that further breaches do not occur and that the breach is dealt with professionally and effectively.
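As an added illustration of the controls in tips 3 and 5 above (this is example code written for this post, not any council's or mail vendor's system): an outbound gate using Python's standard email package that catches the Swale-style mistake by moving a long visible recipient list from To/Cc into Bcc. The recipient threshold, sender address and resident addresses are all constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy threshold (my choice, not from the original post): a message
# with more visible recipients than this is a bulk mailing and must not expose
# its address list to every recipient.
MAX_VISIBLE_RECIPIENTS = 10


def visible_recipients(msg):
    """Addresses in To and Cc: every recipient of the message can read these."""
    pairs = []
    for header in ("To", "Cc"):
        pairs.extend(getaddresses(msg.get_all(header, [])))
    return [addr for _name, addr in pairs if addr]


def enforce_bulk_bcc(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Outbound gate: if the visible recipient list exceeds the limit, move every
    recipient to Bcc and address the message to the sender, so that no resident
    sees another resident's address. Returns the number of addresses moved."""
    exposed = visible_recipients(msg)
    if len(exposed) <= limit:
        return 0
    sender = str(msg["From"])
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender               # only the sending mailbox stays visible
    msg["Bcc"] = ", ".join(exposed)  # the MTA strips Bcc before delivery
    return len(exposed)


def build_sample(n):
    """Constructed sample: a council-style notice sent to n residents in To."""
    msg = EmailMessage()
    msg["From"] = "news@example.gov.uk"
    msg["Subject"] = "Bin collection changes"
    msg["To"] = ", ".join(f"resident{i}@example.org" for i in range(n))
    msg.set_content("Collections move to Tuesday from next week.")
    return msg


if __name__ == "__main__":
    m = build_sample(2500)
    moved = enforce_bulk_bcc(m)
    print(f"moved {moved} addresses to Bcc; visible now: {visible_recipients(m)}")
```

A check like this belongs at the point where the message leaves the organisation (a send hook or outbound relay rule), so it covers staff who have never read the email policy.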

Data breaches happen all the time; it is what you do as a result of one that will be of interest to the ICO.

If you would like to discuss any aspect of the above, please contact me at lesley@audit-and-risk.co.uk or give me a call on 07828 124588. I look forward to hearing from you.
