One year after GDPR: Significant rise in incidents reported
Many individuals at the Trust have duties that require regular access to and use of personal data. Unfortunately, while this information is in use it takes only one minor accident, such as an unintended email attachment, a lost device, or a misplaced printout, to cause a major issue for the Trust.
The last quarter has seen personal data disclosed in error become the most common cause of information incidents and data breaches. This category covers information that has been disclosed to the incorrect party, or that has been sent or otherwise provided to an individual or organisation in error. It includes situations where the information itself has not actually been accessed.
Examples include:
– Letters / correspondence / files sent to the incorrect individual;
– Verbal disclosures made in error (however wilful inappropriate disclosures / disclosures made for personal or financial gain will fall within the s170 aspect of reporting);
– Failure to redact personal data from documentation supplied to third parties;
– Inclusion of information relating to other data subjects in error;
– Emails or letters sent to the incorrect individual or with the incorrect information attached;
– Failure to blind carbon copy (‘bcc’) emails;
– Mail merge / batching errors on mass mailing campaigns leading to the incorrect individuals receiving personal data;
– Disclosure of data to a third
To help lower the risk of accidental data loss, Su De, the Data Protection Officer, has provided the following guidelines and recommendations:
Understanding What Constitutes Personal Data
Generally, the term Personal Data means data that relates to a living person who can be identified from the information, including any expression of opinion about that person.
Unintended or accidental disclosure, modification, or loss could result in significant financial, legal, or reputational impacts to the Trust.
Examples: As a rule of thumb, the following types of data are routinely confidential in nature:
– National Insurance Number (NI)
– Names
– Date of Birth
– NHS Number
– Address
– Details of Services received by child
– Referrals
– Assessments
– Case Notes
– Private Contributor Records
– Medical Records (PHI)
– Employee Records
– Data Protected by Non-Disclosure Agreements
– Investigation Records
If you believe you have files that contain personal data, the Data Protection Officer recommends that you consider the ‘KEEP it Secure’ habits.
KEEP it secure!
Accidental exposure of personal data typically occurs while the information is being used. By actively observing a few habits, each of us can do our part to help protect the Trust from unintended data leaks.
Know Your Files
When you are dealing with a file it is important to know if it contains personal data (see above). Some tips to help with this include:
• Allow yourself time to open, view, and confirm the content of files before you copy or transmit them. Accidents occur most often when we are rushed.
Evaluate Your Retention Needs
When you have finished using or reviewing a file that contains personal data, it is important to consider whether the file needs to be retained or saved in a specific location. Some questions to help with this:
• Is there a business need served by retaining the file?
• Are there contractual or legal requirements for retaining the information?
• Can the data easily be obtained again from an authoritative source (e.g. database records) if it is needed?
ERASE Confidential Data That Is No Longer Needed
If you have files that contain personal data and do not have to be retained, then it is best to delete them. When it comes to confidential data on Trust devices, always remember that less is more!
• When removing files, remember to delete the files AND empty your trash.
PROTECT Personal Data That Must Be Preserved
If sensitive data is to be retained, then it should be protected. Some simple steps that you can take to help improve the security of confidential data include:
• Move personal data to your Team Drive or to an application which has access control set up. Moving personal data to secure storage has many benefits, including ensuring that data is not stored on mobile devices which can easily be lost or stolen, speeding up restore operations, and maintaining secure remote access to the data if needed.
• Remember, you cannot un-send an email. Emails sent to internal addresses can be recalled, but once an email leaves the Trust server space it cannot. Standard email messages are not sufficiently secure for exchanging confidential data with external recipients, and it is far too easy to attach the wrong file.
• Do Not Store Personal Data on Removable Media. Standard thumb drives, portable hard drives, and other removable storage are not secure and are very easy to lose.
• Lock Your Screen and Clear Your Desk – If you step away from a computer that contains confidential information, then you should lock your computer screen. Also, make sure that any printouts that may contain confidential information are not left in open sight of individuals who are not authorised to view this material.
Developing and observing these four habits goes a long way toward preventing accidental data exposure.
If a data breach occurs in your area, you should immediately contact the Data Protection Officer. See ‘Reporting a data breach’ for more information.