The UK Information Commissioner’s Office is feeling frustrated. Speaking recently about data protection at an event on healthcare efficiency, the ICO’s head of strategic liaison declared himself “confounded” by the “disconnect between staff awareness and the number of breaches that occur.” You can almost hear the sighs back at the office.
The conundrum, apparently, is that the people who wouldn't dream of revealing confidential patient information in conversation are the same people who are losing memory sticks, throwing confidential paper documents into outside bins, or placing them in the wrong room from where they are then removed and destroyed.
The latter example, which took place at Dartford and Gravesham trust, involved 10,000 health records that were left in a destruction room because the archiving room was full. The ICO is currently taking action against the trust.
It appears that the ICO’s despondency stems from the fact that while messages about the importance of data protection seem to be getting across; they don’t always appear to be making a difference. As a result, the ICO is becoming less tolerant of data breaches and more inclined to name and shame offenders, and to impose harsh financial penalties.
Anyone working in information management in the UK needs to start taking data protection very seriously indeed. Just having a worthy policy in place, or some attractive explanatory posters adorning the walls and stairwells, is clearly not enough or these breaches would not be happening.
In early December the ICO issued its highest ever fine (£130,000) to Powys County Council. Designed to punish the council for its failure to adequately protect the personal details of vulnerable young people, the incident in question – confidential and sensitive documents being sent to a shared printer and accidentally collected by another member of staff – highlights the fact that in many cases, data breaches are the result of carelessness rather than malicious intent. What makes it so worrying is that this is hardly an unusual event; a quick look around any office is likely to reveal at least one printer tray groaning under the weight of as-yet-unclaimed documents.
You may not be able to compensate completely for a lack of common sense, but a commitment to appropriate staff training, a clear allocation of responsibility and the creation of robust processes are paramount. This should not be a tick-box exercise – regular reminders and refreshers are essential to ensure data protection stays at the forefront of employees’ minds.
Implementing these solutions is, of course, rarely as easy as it seems. For starters, our research shows that responsibility for looking after paper documents is frequently spread across different departments or business areas, and often ends up with people who lack the authority or expertise to impose company-wide policies or processes. So the first golden rule for preventing or minimizing the risk of a data breach is to give one person or department overall responsibility for information and ensure they have the seniority, skills and the board-level backing they need to make it work.
Second, you need to get to grips with the volume and complexity of the information you hold. This means taking stock of all the information created, received, despatched or just moving around the organization; and tracking who is dealing with it and where it is any moment in time.
Third, you need to have a proper plan in place for how information is handled and stored – and everyone needs to know the plan and abide by it. Policies developed and introduced in collaboration with staff are invariably the most successful, whereas ones imposed from up high can result in staff developing ingenious ‘work-arounds’ that could expose your business to even greater risks.
Lastly, it is wise to regularly review your data strategy. Ensure it covers document access, scanning, storage, cataloguing, retrieval, shredding and digital disposal, and can accommodate changing business needs and volume requirements.
The ICO’s more robust approach to data protection has brought all these issues into focus. Rarely a week goes by without news of another organization or individual being punished for throwing sensitive documents into a park bin or leaving them outside for the rubbish collectors. With so much publicity surrounding each new data breach, pleading ignorance simply won’t work. If you fall foul of the Information Commissioner, you face a hefty fine and negative publicity. You could lose money and customer trust, and your reputation will suffer, possibly irretrievably so. You need to ask yourself if your business can afford it.
Christian Toon, head of Information Security, is the functional lead responsible for developing and implementing information security policy, standards, goals and strategy for Iron Mountain Europe. Toon serves as the process owner for all ongoing activities that serve to provide appropriate access to and protect the confidentiality and integrity of customer, employee, and business information. He has experience in UK Government Security and Business Continuity built upon the last five years in working with Iron Mountain’s Public Sector. He also has experience with program, project and risk management. Prior to Iron Mountain, Toon was a successful senior operations manager at a FMCG facility for a major high street retailer for over five years.