The damage that can be caused by a data protection leak was graphically illustrated this past week when hardcopy medical records of mental health patients were found left in a street in Sheffield on Monday 10 September. Not only was Sheffield City Council left open to a fine of up to £500,000, it also saw the effects of the bad publicity that follows such a breach. Several days of coverage in The Star, Sheffield's daily newspaper, along with comment on BBC Radio Sheffield, did much to unpick any residual feel-good factor the City Council had been basking in following its civic reception for the returning Jessica Ennis the previous month, bringing things back to earth with an unceremonious bump. When council tax payers see a basic and fundamental breach of the Data Protection Act like this, particularly one involving hardcopy records, it does much to undermine public confidence in the organisation's competence. Recent years have seen well publicised breaches involving the loss of laptops and flash drives by central and local government, but the loss of hardcopy records in this manner would, you would have hoped, have passed into history by now.
Yet later in the week, the Information Commissioner's Office published its most recent decision, which confirmed a £250,000 fine for Scottish Borders Council after hardcopy employee pension records were found in an over-filled recycling bin in a supermarket car park. The local authority had used a contractor to process the data, but under the Data Protection Act you remain responsible for the data even if you hire a contractor, however experienced they may be. Furthermore, the Council had no contract with the third party, had no guarantees that the records would be handled to any specific standard, and did not have adequate procedures in place to monitor how the data was being handled.
Those records were again in hardcopy, but the issue is even more prevalent with electronic records. Brighton and Sussex University Hospitals NHS Trust was fined £325,000 in June after patient records were found on hard drives that were being sold on eBay. The Trust had also used a contractor to dispose of the drives, but had not ensured that they were wiped before passing them on.
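The Brighton case turns on one missing step: nobody checked that the drives were actually empty before they left the building. The script below is an added example, not part of the original post or of any of the organisations mentioned. It stands in a small image file for a disk so it can run anywhere without touching real hardware, writes a constructed fake patient record into it, overwrites the whole "device" with random data, and then refuses to sign the device off unless no trace of the record can still be read back. The record text, the image path and the function names are all invented for the illustration.

```sh
#!/bin/sh
# Added example: wipe-and-verify before a drive leaves your custody.
# A temporary image file stands in for the real block device (e.g. /dev/sdX).
set -eu

WORKDIR=$(mktemp -d)
IMAGE="$WORKDIR/drive.img"          # stand-in for the physical drive
MARKER='PATIENT-RECORD'              # constructed sample text, not real data

# Build a 4 MiB "drive" and plant a fake record somewhere in the middle of it.
make_drive() {
  dd if=/dev/zero of="$IMAGE" bs=1048576 count=4 2>/dev/null
  printf '%s: Example Person, NHS number 000 000 0000\n' "$MARKER" \
    | dd of="$IMAGE" bs=512 seek=1000 conv=notrunc 2>/dev/null
}

# How many copies of the marker can still be read straight off the device?
# grep -a treats the raw device as text; -c counts matching lines.
count_marker() {
  grep -a -c "$MARKER" "$IMAGE" || true
}

# Overwrite every block of the device with random data and flush to disk.
wipe_drive() {
  dd if=/dev/urandom of="$IMAGE" bs=1048576 count=4 conv=notrunc 2>/dev/null
  sync
}

# The release check: succeed only if nothing recognisable survives.
verify_wiped() {
  [ "$(count_marker)" -eq 0 ]
}

make_drive
echo "before wipe: $(count_marker) record(s) readable from the device"
wipe_drive
echo "after wipe:  $(count_marker) record(s) readable from the device"
if verify_wiped; then
  echo "wipe verified: device may be released to the disposal contractor"
else
  echo "wipe FAILED verification: do not release this device" >&2
  exit 1
fi
```

Two caveats for real hardware. A single overwrite with `dd` is adequate for a spinning disk, but SSDs remap and retain spare blocks the operating system cannot address, so for flash media use the drive's own secure-erase command or destroy the media; and a grep for one known string is a sanity check, not proof. The point the example makes is organisational rather than technical: whoever hands the drive to the contractor should be the one running the verification, because under the Data Protection Act the liability stays with you.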
Again, while the fine is significant, it is the attendant bad publicity that causes the most damage. The loss of confidence from clients, contacts or customers that follows such publicity can be the death knell for any business.
What can be done to prevent a business having a similar breach? There are some straightforward inexpensive steps that can be taken:
- Have a clear Data Protection Policy. It cannot be just a document that sits in a lever arch file and slowly turns yellow; it has to be read, followed and reviewed.
- Ensure there is adequate Data Protection training. Every employee needs to understand what the policy says about the handling of personal data, so that when they encounter it, in hardcopy or electronic form, it is treated with the appropriate safeguards.
- Make sure your security policy covers the use of email. If personal data is sent by email to an external address, it should be encrypted.
- Personal data in hardcopy should be recognised as such, cleared away at the end of the day and stored in a locked, secure location.
- Make sure your Data Protection Policy has a security element that covers access to your systems from employees' own equipment, such as laptops, home PCs, tablets and smartphones.
- Keep personal data and confidential company data secure, whether in hardcopy or electronic form, with access restricted to those who need it, to minimise the risk from staff within your company. Remember that 72% of employees take information with them that they think will be useful in their next role.
- Use passwords for access and for encryption that mix upper and lower case letters, numbers and symbols. Change them regularly, ideally at least every two months, and immediately whenever a compromise is suspected.
- Don't reuse the same password across multiple accounts and documents, and don't link accounts so that one login opens several.
- Enable two-factor authentication wherever the service offers it.
- Regularly back up your data and test that the backup is effective by actually restoring from it.
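"Test that the backup is effective" means more than checking that an archive file exists: the only honest test is to restore it somewhere else and compare the result with the original. The script below is an added example, not part of the original post. It creates a constructed sample directory (two small CSV files standing in for staff and pension records), archives it with `tar`, restores the archive into a scratch directory and compares a checksum listing of every file in both trees. The directory and file names are invented for the illustration; the technique is the same for a real backup job.

```sh
#!/bin/sh
# Added example: back up a directory, then prove the backup restores correctly.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/records"                 # constructed sample data, stands in for live data
RESTORE="$WORK/restore"             # scratch location for the test restore
ARCHIVE="$WORK/records-backup.tar"

make_sample_data() {
  mkdir -p "$SRC/hr" "$SRC/pensions"
  printf 'employee,start_date\nA. Person,2001-04-01\n' > "$SRC/hr/staff.csv"
  printf 'member,scheme\nA. Person,LGPS\n' > "$SRC/pensions/members.csv"
}

# Checksum every file under a directory, paths relative to that directory,
# in a fixed order so two listings can be compared line for line.
# cksum is POSIX; use sha256sum/shasum where available for a stronger digest.
checksum_tree() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      cksum "$f"
    done )
}

take_backup() {
  tar -cf "$ARCHIVE" -C "$SRC" .
}

# The actual test: restore into a clean directory and compare the listings.
# Returns non-zero if anything is missing, extra or altered.
verify_backup() {
  rm -rf "$RESTORE" && mkdir -p "$RESTORE"
  tar -xf "$ARCHIVE" -C "$RESTORE"
  checksum_tree "$SRC" > "$WORK/source.sums"
  checksum_tree "$RESTORE" > "$WORK/restore.sums"
  if cmp -s "$WORK/source.sums" "$WORK/restore.sums"; then
    return 0
  else
    return 1
  fi
}

make_sample_data
take_backup
if verify_backup; then
  echo "backup verified: restored copy matches the source"
else
  echo "backup FAILED verification: do not rely on $ARCHIVE" >&2
  exit 1
fi
```

Run the verification on a schedule, not just once, and keep the restore log; if a regulator asks whether your backups work, "we restore and compare weekly" is an answer, whereas "the backup job reports success" is not.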