Data Protection on the move Wednesday 14 December 12:30pm


1 Data Protection on the move Wednesday 14 December 12:30pm
Slide 1 – Data Protection on the move
Good afternoon. My name is James Hayward and I’ll be talking to you today about the importance of protecting people’s personal data wherever you are. During the webinar I’ll define what I mean by data protection on the move, highlight some of the dangers that come with working outside of the office and offer some advice around how to safeguard personal data. My colleague Elaine will share some real case studies which have been investigated by the ICO. And, as Robert has mentioned, I will make myself available to answer your questions throughout the presentation. A little bit about me: I’ve been working at the ICO for two years as a case officer and now as a team manager. I have been responsible for investigating many breaches of the Data Protection Act on behalf of our Enforcement department, including cases which later resulted in enforcement action.

2 Slide 2 – Data Protection on the Move
What is data protection on the move? To answer this question it is worthwhile to think about the way you work and the way employees at your organisation work. The traditional model of working 9-5 in the office five days a week is being replaced with flexible working hours, homeworking, working en route to work, answering emails on the iPad from the sofa and so on. The new model of working provides opportunities for employers and makes life easier for employees, but there are risks attached. Too often the ICO sees cases where office-based data protection procedures are working well, but the same level of security is not in evidence when data leaves the office. In the past five years the ICO has issued fines totalling close to one million pounds in relation to this area. I will now tell you a little about the ICO and its powers and how they apply to data protection on the move.

3 The ICO Who are we? Slide 3 – Who are we?
The ICO is the UK’s independent authority set up to uphold information rights in the public interest. We promote openness by public bodies and data privacy for individuals. The ICO regulates the Data Protection Act and Freedom of Information Act, and other associated pieces of legislation. The Data Protection Act, or DPA as I shall refer to it from now on, has eight principles of good information handling. These give people specific rights in relation to their personal data and put certain obligations on those organisations that are responsible for processing it. For the purposes of this webinar, the most relevant principle from the DPA is the seventh. The seventh principle explains that appropriate technical and organisational measures are required to protect against the disclosure, loss or damage to personal data. I will return to this principle during the webinar.


5 Slide 4 – POW
The next slide explains how the ICO investigates data breaches and its powers. When a data breach incident is reported to the ICO an investigation begins. At the conclusion of our investigation there are several options available to us.

6 Data Protection on the Move
Enforcement Powers
Slide 5 – Enforcement Powers
The first is to close the case informally by providing advice and guidance to organisations. The majority of our cases close in this way. We may make recommendations for improvement, and we may ask you to write back to us after a period of time, to let us know how you’ve got on with implementing our recommendations. Secondly, where we consider an organisation to be in breach of the DPA, we may ask it to sign an undertaking, to commit to making improvements in its data protection practices. Thirdly, an enforcement notice is similar to an undertaking, but this is more formal as breaching an enforcement notice is a criminal offence. The fourth option is that we have the power to serve civil monetary penalties of up to half a million pounds for the most serious breaches of the DPA. The maximum amount of a penalty will rise significantly once the new General Data Protection Regulation comes into force in May 2018. The final option available to us concerns auditing. Our investigators work closely with our Good Practice team. Often, particularly if an organisation is experiencing a large number of data security incidents, or the reasons for these are particularly varied, we’ll ask the Good Practice team to provide you with some help. This allows us to provide tailored advice to your specific organisation and set of circumstances via an audit. This service is free! So if you’re offered the opportunity to have an audit, advisory visit or some other input from our Good Practice team, it’s well worth considering. Examples of where the ICO has served penalties, enforcement notices and undertakings on organisations can be found on the ICO website.
Advice / Undertaking / Enforcement Notice / Civil Monetary Penalty / Audit

7 Slide 6 – Dangers
Having explained the ICO and our powers I will now return to the main topic and share some of the dangers associated with data protection on the move. The seventh principle says appropriate technical and organisational measures are needed to protect personal data. If your organisation fails to do so, enforcement action from the ICO may follow. The big worry is that data is lost or disclosed as a result of working on the move. There are many examples of how this might happen: for example, paper documents may be left on a train, a memory card full of documents lost somewhere between the office and home, or records might be mistakenly uploaded online from a personal laptop. Think about the impact that a data breach might have. For an individual affected, the data breach could be distressing, especially if the data was particularly sensitive. If the data was financial, the individual might be subject to fraud. For your organisation, this could mean reputational damage and a big fine from the ICO. I am now going to pass over to Elaine who is going to introduce some real case studies investigated by the ICO.

8 05/08/2015 Slide 7 – Case Studies
A council: CMP of £70,000 from the ICO

Basic facts of the case: A social worker printed off a large number of records relating to a child protection case as he wanted to work on the case over the weekend in order to prepare for an upcoming court hearing. The file contained information relating to the whole family plus a number of staff from the Council, health services and schools that had provided reports and evidence. The file contained detailed assessments of the children and included papers alleging various neglect and abuse and contained police reports on suspected perpetrators. The social worker left them on the train. The records were recovered from the train company’s lost property office and it appears that there was minimal risk that anyone will have used this information.

What the ICO found: There were several failings found on behalf of the council:
Physical security measures were poor – the records were in a plastic bag and locked cases were not provided.
Although the Data Controller had some policies in place there was no specific policy in place relating to the safe and secure transportation of personal data. The ICO concluded that there had not been a breach of the Data Controller’s policies as they were not sufficiently specific to cover this incident.
This was a generally accepted practice and social workers did not have a process for needing to seek authorisation, and the Data Controller did not have any substantive way of monitoring and checking such data.
The Data Controller did have laptops with hard disk encryption which were able to securely connect to the Council’s network from home. The social worker could have been given a laptop for use at home and could have accessed the information electronically.
The Data Controller had an online Data Protection eLearning training course which was mandatory for all staff. However, the social worker concerned in this incident was on probation and so he had not completed the mandatory eLearning course. He did have access to the department’s online social care manual which also covers DP.

What the council could have done
Here’s what the trust could have done:
They could have had appropriate physical security to prevent the personal data being compromised. Given the nature of the personal data we would have expected this to be in a lockable container/briefcase. A plastic bag is not adequate! A locked case could still be lost but at least it would have reduced the likelihood of someone looking at the file.
They could then have backed up appropriate physical security with robust policies and procedures.
Provided better training to staff, not forgetting new staff, to explain some of the risks associated with mobile working/home working.

What does this mean for your organisation?
Consider whether you have appropriate security to prevent personal data being accidentally or deliberately compromised, such as physical security measures in relation to transportation and home working.
Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach.
Even if policies are in place, consider technological measures that may assist.
If relevant for your organisation, ensure you have a specific transportation/home working related policy.
Train all your staff effectively on this policy.
When any documents are transported there is always an inherent risk that they may be lost, stolen or damaged, no matter what security measures are put in place. There is always a chance of human error. But in this case the Data Controller should have foreseen that there was a risk that such an incident could occur and put safeguards in place.

A Nursing Home: CMP £15,000
The home of a care manager was broken into and an unprotected company laptop was stolen together with personal effects and a car. The laptop contained sensitive personal data about mainly vulnerable individuals in relation to 50 individuals – lists of clients including names, dates of birth and their Care Manager, do not attempt to resuscitate status, and also staff discussions including staff names, disciplinary information etc. The laptop was not password protected or encrypted even though it was capable of being password protected. The data has not been recovered; there is no evidence of inappropriate processing, but should such information have come into the public domain it was of a kind likely to cause substantial distress.
The DC issued unencrypted laptops to 3 Nurse Managers knowing that there would be sensitive personal data stored on them, but made no provision for the security of the laptops and did not prohibit their movement from the premises.
Some policies, but they were limited and basic in scope and not subject to regular review. They did not cover the issue of security at all.
No mobile working or homeworking policy in existence at the time of the breach.
There were no procedures in place regarding the storage of a laptop at home at the time of the incident.
The DC was unaware of the extent of the data lost as there was no record as to what was on the stolen laptop and it had not been backed up.
No specific DP training offered, although issues of confidentiality were covered in Induction.
Containment and recovery appears limited – no incident report or overall analysis written down.

What the organisation could have done
Provide policies or procedures to support members of staff and provide guidance as to home or mobile working or security in relation to mobile devices, including physical security to be used – e.g. lock laptops away etc., not left in the boot of a car.
Encryption.
Data Protection training to be provided to staff.
You need to think about the data you’re processing and how you’re processing it. What do you need to put in place to protect that data? If you have mobile workers or home workers make sure you have a relevant policy or procedure to set out your expectations about how data needs to be handled and how it is to be kept securely. By raising staff awareness of data protection requirements, the staff can help organisations find weaknesses in DPA compliance. If this DC had trained their staff, one of them may have questioned whether the data on the laptop was safe, which may have prevented the data loss.

Thank you, Elaine. I’m now going to talk about how you can improve data protection on the move.

9 Human error? Slide 8 – Human Error
There is sometimes a misconception from organisations that data breaches are largely the result of human error. Our investigations often show that, although human error was a factor leading to the breach, there were also organisational and technical failings on behalf of the organisation. If the failings are sufficiently serious, we can issue enforcement action on the basis that the seventh principle of the DPA has been breached.

10 Organisational Measures
Technical measures / Awareness / HUMAN ERROR
The trick is to ensure that organisational and technical measures and raising general awareness reduce the likelihood of individual error. Hopefully, the implementation of these measures will make your procedures more robust and diminish the possibility of errors occurring. I am now going to offer some practical tips you can take to improve your data protection on the move. The list is not exhaustive and you will know what best suits your organisation and what you need to do to protect the personal data for which you are responsible. These examples illustrate the types of measures we expect to see when investigating a data breach.

11 Data Protection on the Move
Tip 1 Training / Tip 2 Policies / Tip 3 Electronic Devices
Slide 10 – Tips 1-3
The first tip is training. If your employees work outside of the office and regularly handle personal data, provide additional training. What personal data are staff members allowed to take out of the office? How should it be transported? How should it be stored? What electronic devices can be used? How should they be used? Should personal data be logged when it is taken offsite and when it returns? Questions such as these can be covered in the training. The second tip concerns policies. Your expectations about how staff should handle personal data offsite should be explained in a policy. Ensure that staff members read the policy and that it is easily available. The third tip is around electronic devices. Think carefully about what devices you will permit staff members to use. If possible, provide the equipment staff members use. This will make it easier for you to ensure the security of the devices. Always use encryption. If a device is lost, encryption adds an additional layer of security.

12 Data Protection on the Move
Tip 4 Minimisation / Tip 5 Storage / Tip 6 Planning
Slide 11 – Tips 4-6
The fourth tip is around minimisation. If it is necessary for employees to take personal data offsite, ensure that they only take what is absolutely needed to complete the work. It is not good if data that never needed to leave the office is lost or disclosed. Include this principle in your policies and your training. The next is around storage. If you are allowing staff members to work offsite, ensure that they have adequate storage for personal data. The boot of the car is not secure! We once received a breach report where we were informed that a stolen laptop had been placed in the boot of a car with the additional security of being covered by a dog blanket. Needless to say, we did not view this arrangement favourably. A final tip is around planning. Perhaps you are considering new homeworking arrangements or are introducing new devices to your department. Before you do so, consider the risks to personal data and make plans to reduce the risks. This could take the form of a Privacy Impact Assessment or a Privacy by Design process. The ICO website contains lots of advice for organisations and I have embedded some relevant links in this PowerPoint. The PowerPoint will be available on our website later today.

13 Slide 12 – Data on the move as a trend
This next slide is about data breach trends. The graph you can see is taken from our website and shows the trends for the types of data breaches reported to the ICO in quarter 2 of this year. If you type "ICO trends" into Google you can get a link to the full page. The graph indicates that data breaches as a result of problems with data protection on the move are not occurring at high volumes. You can see that the main cause of security problems is data being posted or faxed to the incorrect recipient. There were also a large number of breaches associated with lost paperwork and misdirected emails. It makes sense that these particular issues are causing the most data breaches. The sector reporting the most data breaches is the health sector. The nature of their work means that the health sector handles a lot of personal data and we see a lot of cases where letters are sent to the wrong person or where paperwork is lost or misplaced. Where does data protection on the move fit in with these statistics? These types of cases might not be as numerous, but they can be some of the most serious cases reported to us. When data protection on the move goes wrong there is an increased risk that data will be disclosed to the general public. For example, when paperwork is left on the train anyone could pick it up. Or someone working from home on a personal laptop might upload something to the internet by mistake. This type of breach might not be possible when working on an office machine with access controls and limited software. In the past five years, the ICO has issued 10 fines totalling £800,000 in relation to data protection on the move errors. So, whilst these errors are not the most numerous, they can be the most serious.

14 Slide 13 – Conclusion
In summary, I hope that we have explained more about data protection on the move and how to improve practices in your organisation. If you take away only one message from this webinar it should be that data protection continues when you step out of the office. Your responsibilities as an employee or an employer are exactly the same. Ensure that personal information is afforded the same level of security wherever you work. Thank you for listening and I’ll hand back to Robert.

15 Subscribe to our e-newsletter at www.ico.org.uk
Keep in touch. Subscribe to our e-newsletter at www.ico.org.uk or find us on… @iconews

