Warning for workers after charity employee is prosecuted for data protection offences
Simon Whittaker
Head of Cyber Security at Vertical Structure | ChCSP | Cyber Security | Information Assurance | Cyber Test & Training | Board Advisor | Industry Speaker | #Cyber #Cyberessentials #Pentesting #Cybersecurity
There's a press release over at the ICO site which discusses a recent enforcement action regarding personal data infringement from earlier this year that is well worth reading.
The start of GDPR enforcement next year should already be serving as a wake-up call for organisations of all types but it should also be noted that the UK already has a reasonably robust set of legislation around data protection.
The new legislation will build on this, but the example below is definitely worth bearing in mind:
"The defendant sent 11 emails from his work email account on 22 February 2017, which contained the sensitive personal data of 183 people, three of whom were children. The personal data included full names, dates of birth, telephone numbers and medical information. Further investigation showed that he had sent a similar database to his personal account on 14 June 2016."
This raises a number of significant questions which every organisation should be asking itself, including:
- Have you or your colleagues ever done anything similar?
- Do you share information in an insecure manner (personal email, USB stick etc.) so that remote working is possible?
- Do you store any information belonging to your organisation on your computer at home?
- What data is stored on your cloud services like Dropbox?
- Does your organisation have policies about the use of personal devices or transmitting information?
In this instance, the penalties were not huge, but they could be significantly larger under the new legislation:
"The defendant was given a conditional discharge for two years and was also ordered to pay prosecution costs of £1,845.25, as well as a victim surcharge of £15."
The new Data Protection legislation will definitely give more teeth to the Commissioner, but this case should already be a warning shot for many organisations, especially those in the charity sector.
What should our organisation do?
Assess
- What data are you holding and why?
- How and where do you store the data?
- How long is the data retained and how do you destroy it?
- Do you move the data anywhere else?
Document
- Create a data flow diagram to help you understand where your data is created, processed and deleted.
- Create a data processing policy telling your users what you do with their data, and publish it.
- Ensure you have the right contracts in place with your processors (there is some draft guidance on this from the ICO, but it is likely to change).
- Understand how Subject Access Requests, corrections and "Right to be forgotten" requests should be handled.
Educate
- Train your staff on what GDPR means and how they can comply with it.
- Train your staff on how to handle Subject Access Requests and other requests for data.