
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Information sensitivity

Is the concern for data protection making half of all employees less productive?

In 2010, the Visual Data Breach Risk Assessment Study revealed that two out of three working professionals display sensitive information on their mobile devices when outside the office, such as social security numbers, credit card numbers and other non-regulated but sensitive company information. This suggests that, in certain circumstances, people value productivity over data protection when working. But when an individual does value data protection, is the company potentially losing productivity because of visual privacy concerns?

The 2013 Visual Privacy Productivity Study, conducted by The Ponemon Institute, revealed that companies can lose more than data as remote working increases, with 50% of employees answering that they are less productive when their visual privacy is at risk in public places.

The Visual Privacy Productivity Study showed that employees face a trade-off: carry on working and risk private data being overlooked by nosy neighbours, or stop working altogether. Based on these findings, lost productivity due to employee visual privacy concerns could cost a US business organisation with more than 7,500 people over $1 million per year.

“While many companies realise that snooping and visual privacy presents a potential data security issue, there has been little research regarding how the lack of visual privacy impacts a business’ bottom line,” says Larry Ponemon, Chairman and Founder of The Ponemon Institute. “As workers become more mobile and continue to work in settings where there is the potential for visual privacy concerns, companies need to find solutions to address productivity as it relates to computer visual privacy in addition to dealing with the fundamental security issues of mobile devices.”

The study surveyed 274 US individuals from five organisations in a variety of sectors. More than half stated that their visual privacy had been violated whilst travelling or in other public places such as cafes, airports and hotels, and two out of three admitted to exposing sensitive data on mobile devices whilst outside the workplace. When asked how their organisation handles the protection of sensitive information in a public location, 47% did not think any importance was placed on it and said that no adequate policies were in place.

Other interesting findings include:

  • Employees are 50% less productive when their visual privacy is at risk and lost productivity costs an organisation approximately £350 per employee per year
  • Visual privacy impacts on transparency as users that value privacy are less likely to enter information on an unprotected screen.
  • Women value privacy more (61%) than men (50%), and women’s productivity is more positively impacted than men’s when the screen is protected with a privacy filter.
  • Older employees value privacy more, with 61% of over 35s compared to 51% of under 35s placing importance on privacy.

“Productivity loss is a major discovery in this survey and will hopefully encourage companies across all sectors to consider employee working practices and behaviours,” said Rob Green, Marketing Executive at 3M’s Speciality Display & Projection Division.

According to the survey, the devices used for work-related activities were:

  • Smartphone 65%
  • Laptop computer 65%
  • Desktop computer 45%
  • Tablet computer 29%
  • Netbook computer 14%
  • Other 2%

The 2010 Visual Data Breach Risk Assessment survey revealed that visual privacy on computer screens was an under-addressed area in corporate policy. Seventy percent of working professionals said their organization had no explicit policy on working in public places and 79% said that their company had no policy on the use of computer privacy filters.

The 2012 Visual Privacy Productivity Study reinforced these findings with

  • 47% of those surveyed saying they were unsure or did not think their company placed an importance on protecting sensitive information displayed on a screen in public places
  • 58% were unsure or did not think other employees were careful about protecting sensitive information on computer or mobile device screens in public places. Corporate policy and education on that policy continues to be areas for improvement as it relates to visual privacy.

The full study is very informative about how the sponsor’s (3M) privacy filters can improve productivity and reduce risk and can be read here.

.

The Information Commissioner’s 5 Tips on how to better protect personal information

The UK’s Information Commissioner’s Office (ICO) has published a list of five useful tips for protecting personally identifiable information (PII).

The list comes on the back of an offer by the ICO to help charities and other third sector organisations protect data and avoid potential fines of up to £500,000.

Louise Byers, Head of Good Practice at the ICO, said:

“We are aware that charities are often handling extremely sensitive information relating to the health and wellbeing of vulnerable people. With these organisations often lacking the money to employ dedicated information governance staff, there’s a danger that many charities may be struggling to look after people’s data.

“We have published today’s top five areas for improvement to show the voluntary and charity sector that good data protection practices can be cheap and easy to introduce, providing they have the right help and support.

“A one day advisory visit from the ICO provides charities with a data protection ‘check up’ and practical advice on how they can look after people’s information. We are now calling on these organisations to use the summer period to check that their data protection practices are adequate and get in touch before it is too late.”

Sam Younger, Chief Executive of the Charity Commission said:

“Trustees are responsible for ensuring their charity complies with relevant legislation – including the Data Protection Act – and for protecting their charity’s reputation. Mishandling sensitive data not only causes individuals serious distress, it can also damage the good name of your charity. So I encourage trustees of charities that handle sensitive data to take note of the ICO’s guidance and consider taking part in an ICO advisory visit.”

The ICO’s top five areas for improvement are:

  1. Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
  2. Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
  3. Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
  4. Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
  5. Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

I would like to add that, whilst these tips are useful, most businesses, especially charities, should review their requirements under the Payment Card Industry Data Security Standard (PCI DSS) as credit cards are the lifeblood of most organisations.

.

Torbay Care Trust (NHS) fined £175,000 for breaching the Data Protection Act

Torbay Care Trust in Torquay has been fined £175,000 after it published the sensitive details of over 1,000 employees on the Trust’s website.

Staff at the Trust published the information in a spreadsheet on their website in April 2011 and only realised when a member of the public reported it 19 weeks later.

The data covered the equality and diversity responses of 1,373 staff and included individuals’ names together with their:

  • Dates of birth
  • National Insurance numbers
  • Religion
  • Sexuality

The Information Commissioner’s Office’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.

Stephen Eckersley, Head of Enforcement, said:

“We regularly speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”
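As an added illustration of what “aggregated form” means in practice (this is not part of the original post, nor Torbay Care Trust’s or the ICO’s code), the Python below takes a constructed staff equality return with the same kinds of field the Torbay spreadsheet exposed, produces per-category counts with small cells suppressed, and runs a pattern check for National Insurance numbers and dates of birth over anything about to be published. The field names, the sample rows, the suppression threshold and the simplified NI number pattern are all assumptions.

```python
"""Aggregate a staff equality return and gate it before publication.

Added example for this post; not Torbay Care Trust's or the ICO's code.
Assumptions: field names, the constructed sample rows, the suppression
threshold, and the (simplified) identifier patterns.
"""
import csv
import io
import re
from collections import Counter

# Simplified UK National Insurance number: two letters, six digits, A-D.
# (Real NI numbers also exclude certain prefix letters; omitted here.)
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
# Date of birth as dd/mm/yyyy, the format used in the sample rows below.
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")

FIELDS = ["name", "dob", "ni_number", "religion", "sexuality"]
REPORTABLE = ["religion", "sexuality"]   # the only fields that may be published
SMALL_CELL = 5                           # counts below this are suppressed

# Constructed sample data (assumed); names and NI numbers are made up.
STAFF = [dict(zip(FIELDS, r)) for r in [
    ("A Smith", "01/02/1970", "AB123456C", "None", "Heterosexual"),
    ("B Jones", "11/03/1981", "CD234567A", "Christian", "Heterosexual"),
    ("C Khan", "21/04/1975", "EF345678B", "Muslim", "Heterosexual"),
    ("D Brown", "05/05/1990", "GH456789D", "None", "Gay"),
    ("E Green", "15/06/1966", "JK567890A", "None", "Heterosexual"),
    ("F White", "25/07/1988", "LM678901B", "Christian", "Heterosexual"),
    ("G Black", "30/08/1979", "NP789012C", "None", "Heterosexual"),
    ("H Grey", "09/09/1985", "RS890123D", "Christian", "Bisexual"),
    ("I Patel", "19/10/1972", "TW901234A", "None", "Heterosexual"),
    ("J Young", "29/11/1993", "YZ012345B", "Christian", "Heterosexual"),
    ("K Old", "03/12/1960", "AC123457C", "None", "Heterosexual"),
    ("L Day", "13/01/1983", "BD234568D", "None", "Heterosexual"),
]]


def raw_export(rows, fields=FIELDS):
    """Row-level CSV: the form of export that must never reach the website."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(fields)
    for row in rows:
        writer.writerow([row[f] for f in fields])
    return buf.getvalue()


def aggregate(rows, field, threshold=SMALL_CELL):
    """Count each value of `field`; replace small counts with '<threshold'."""
    counts = Counter(row[field] for row in rows)
    return {value: (n if n >= threshold else "<%d" % threshold)
            for value, n in counts.items()}


def aggregated_export(rows, fields=REPORTABLE):
    """One-dimensional counts per reportable field, as CSV text."""
    lines = ["field,value,count"]
    for field in fields:
        for value, n in sorted(aggregate(rows, field).items()):
            lines.append("%s,%s,%s" % (field, value, n))
    return "\n".join(lines) + "\n"


def scan_for_identifiers(text):
    """Return (kind, match) for every NI number or date of birth found."""
    hits = [("ni_number", m) for m in NI_RE.findall(text)]
    hits += [("dob", m) for m in DOB_RE.findall(text)]
    return hits


def check_before_publish(text):
    """Gate for anything headed to a public site: returns (ok, hits)."""
    hits = scan_for_identifiers(text)
    return (not hits, hits)


if __name__ == "__main__":
    for label, text in (("raw", raw_export(STAFF)),
                        ("aggregated", aggregated_export(STAFF))):
        ok, hits = check_before_publish(text)
        print("%s export: %s (%d identifier hits)"
              % (label, "publishable" if ok else "BLOCKED", len(hits)))
    print(aggregated_export(STAFF))
```

The pattern check is deliberately crude: it is a last gate that catches a row-level export being uploaded where an aggregate was intended, not a substitute for guidance on what staff may publish. Small-cell suppression is the minimum; with a small workforce even suppressed tables can single people out once several breakdowns are cross-tabulated, which is why the example only ever publishes one-dimensional counts.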

With the proposed European Data Protection Act, the scope of what is classified as Personally Identifiable Information (PII) will be better defined, but it will include more than most businesses think is currently covered.

It is time businesses undertook thorough risk assessments of their exposure to PII leakage, because the proposed new fines are potentially up to 2% of global turnover.

Read my summary of the proposed European Data Protection Act here.

.

No NHS fines for breaching the Data Protection Act then two come along in quick succession

At the end of April the Information Commissioner’s Office fined The Aneurin Bevan Health Board for breaching the Data Protection Act and today they fined Central London Community Healthcare (CLCH) NHS Trust £90,000.

The CLCH breach first occurred in March 2011, after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions.

The ICO’s investigation found that the Trust failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing, makes this case all the more worrying.”

Read the summary of the April fine, “Information Commissioner finally fines the NHS for a breach of the Data Protection Act”.

.

Council fined £140,000 for five serious data breaches

The five serious data breaches, all involving children’s social service reports being sent to the wrong recipients, happened at Midlothian Council between January and June 2011.

  • In one breach, papers concerning the status of a foster carer were sent to seven healthcare professionals who had no need to see them
  • In another, the minutes of a child protection conference were sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children’s mother

The first breach occurred in January 2011 but did not come to light until March.

Ken Macdonald, Assistant Commissioner for Scotland said:

“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.   

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The ICO has ordered the council to take action to keep the personal information they handle secure. The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details they hold are up-to-date.

.

Information Commissioner fines two councils for emailing personal information

The Information Commissioner’s Office (ICO) has served monetary penalties on two councils for breaching the Data Protection Act.

The penalties were imposed on North Somerset Council and Worcestershire County Council after staff at both authorities sent highly sensitive personal information to the wrong recipients. The news comes as the Information Commissioner is pressing for stronger powers to audit data protection compliance across local government and the NHS.

1. Worcestershire County Council was fined £80,000 for an incident in March 2011 where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it. Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data. Worcestershire County Council has explained to the ICO that as soon as the breach occurred the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.

2. North Somerset Council was fined £60,000 for breaching the Data Protection Act when a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

The incidents, which took place during November and December 2010, occurred when a council employee selected the wrong email address when creating a personal distribution list. The council employee was told about the error by the unintended recipient shortly after the first incident took place. Despite this, information was emailed to the same NHS employee on a further three occasions. The issue was then raised at senior level. Two of the council’s Assistant Directors highlighted the issue with the employee on 9 December but a fifth and final incident took place later that same day. The NHS organisation verbally confirmed to North Somerset Council that it destroyed the emails after their own internal investigation was complete.

The ICO’s enquiries found that, although North Somerset Council had some policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training. In response to these incidents, the ICO has recommended that the council adopts a more secure means to send information electronically, including encryption and ensuring that managers sign off email distribution lists.
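The ICO’s recommendations in both cases amount to a pre-send check: know which recipients are internal, which external partners are cleared for sensitive material, and which distribution lists a manager has signed off. The Python below is an added example of such a check, written for this post; it is not either council’s or the ICO’s tooling, and the domains, addresses, list names and the “sensitive” classification label are all assumptions.

```python
"""Pre-send check for email carrying sensitive case material.

Added example for this post; not Worcestershire's, North Somerset's or
the ICO's tooling. All domains, addresses, list names and the
'sensitive' classification label are assumptions.
"""

ORG_DOMAIN = "council.example"                  # assumed council domain
PARTNER_DOMAINS = {"trust.example"}              # assumed NHS partner domain
# Named external individuals cleared to receive case material (assumed).
APPROVED_CONTACTS = {"safeguarding.lead@trust.example"}

# Distribution lists, each tagged internal/external and whether a
# manager has signed off its membership (assumed entries).
DISTRIBUTION_LISTS = {
    "case-review@council.example": {
        "scope": "internal", "signed_off": True,
        "members": ["a.officer@council.example", "b.manager@council.example"],
    },
    "all-partners@council.example": {
        "scope": "external", "signed_off": False,
        "members": ["contact@charity.example", "admin@trust.example"],
    },
}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def expand(recipients):
    """Replace each list address with its members; keep plain addresses as-is."""
    members = []
    for r in recipients:
        lst = DISTRIBUTION_LISTS.get(r.lower())
        members.extend(lst["members"] if lst else [r])
    return members


def check_send(classification, recipients, encrypted=False):
    """Return (allowed, reasons). Only 'sensitive' messages are gated."""
    reasons = []
    if classification != "sensitive":
        return True, reasons
    # Lists: refuse any list without sign-off, and any external list at all.
    for r in recipients:
        lst = DISTRIBUTION_LISTS.get(r.lower())
        if lst and not lst["signed_off"]:
            reasons.append("%s: list has no manager sign-off" % r)
        if lst and lst["scope"] == "external":
            reasons.append("%s: external list; name the recipient instead" % r)
    # Individuals: internal is fine; external must be a cleared contact
    # at a partner domain, and then only with encryption.
    for addr in expand(recipients):
        d = domain(addr)
        if d == ORG_DOMAIN:
            continue
        if d not in PARTNER_DOMAINS:
            reasons.append("%s: domain is not an approved partner" % addr)
        elif addr.lower() not in APPROVED_CONTACTS:
            reasons.append("%s: partner domain, but not an approved contact" % addr)
        elif not encrypted:
            reasons.append("%s: sensitive material to a partner must be encrypted" % addr)
    return (not reasons), reasons


if __name__ == "__main__":
    cases = [
        ("internal list only", ["case-review@council.example"], False),
        ("internal list plus an extra external list",
         ["case-review@council.example", "all-partners@council.example"], False),
        ("single wrong address at the partner domain", ["wrong.person@trust.example"], False),
        ("cleared partner contact, unencrypted", ["safeguarding.lead@trust.example"], False),
        ("cleared partner contact, encrypted", ["safeguarding.lead@trust.example"], True),
    ]
    for label, to, enc in cases:
        ok, why = check_send("sensitive", to, encrypted=enc)
        print("%-45s %s" % (label, "send" if ok else "BLOCK: " + "; ".join(why)))
```

The cases at the bottom of the block mirror the two incidents: an internal message that also picks up an un-reviewed external list is refused outright, and a message to the right partner domain but an unlisted individual is refused because that person is not an approved contact, which is the only way a domain-based rule can catch a single wrong NHS address. A check like this does not replace the double checking the Commissioner describes below; it makes refusal, rather than delivery, the default when the check fails.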

Information Commissioner, Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies following a series of data protection breaches.

.

7,200 people’s personal information discovered in a skip


Southwark Council breached the Data Protection Act by misplacing a computer and some papers containing 7,200 people’s personal information, which were discovered in a skip earlier this year, the Information Commissioner’s Office (ICO) said today.

The computer and papers were mistakenly left at one of the council’s buildings at the Spa Road Complex in Southwark when it was vacated in December 2009. They were discovered in June of this year and disposed of by the building’s new tenant. The information stored on the computer and in the papers included people’s names and addresses, along with information about their ethnic background, medical history and any past criminal convictions.

The breach was reported to the ICO on 3 June 2011 shortly after the information was discovered in the skip. The ICO’s enquiries found that, while the council did have information handling and decommissioning policies in place, the policies were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted.

The authority has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected.

The council has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.

Sally Anne Poole, Acting Head of Enforcement said:

“The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.

“Southwark Council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”

.
