Top tips for data which leaves the office

In the world of data breaches, we frequently see something going wrong when data leaves the safety of an organisation’s office premises. There have been mis-addressed emails sent off into the ether from the comfort of the sender’s desk, envelopes stuffed with the wrong person’s letter, laptops and files taken home and subsequently stolen. These mistakes have resulted in regulatory investigations and monetary penalties of up to £325,000.

This article sets out some top tips which organisations and individual staff members can take to minimise the risks of data and devices falling into the wrong hands. The focus is on data protection compliance (for the protection of personal data); however, a lot of these tips may also be prudent for the protection of other confidential and sensitive information.

A. Sending information to someone else

What the organisation can do:

  1. Identify the circumstances in which data should or shouldn’t be sent to someone else in accordance with data protection (and other legal) requirements. Identify related compliance steps to be taken (e.g. informing relevant individuals where required).
  2. Establish appropriate methods of transfer for different types of information, taking into account the risks and impact of unintended disclosure. Provide facilities for secure transfer of data where required (e.g. encrypted media or emails).
  3. Maintain appropriate controls and checks over any third parties used to transfer information.
  4. Determine steps to be taken if something goes wrong.
  5. Communicate to staff the appropriate procedures and risks.

What each member of staff can do:

  1. Read and follow the organisation’s policies and procedures.
  2. Consider the risks of misuse once the communication is sent - will the information be outside the boundaries of an organisation’s security controls (e.g. personal email accounts); is the recipient aware of the extent to which data should or should not be further disseminated or published?
  3. Double-check names, numbers and addresses prior to sending: fax numbers, email addresses, names and postal addresses on envelopes. Check that the right information has been put in the right envelope.
  4. Warn the recipient to expect the communication and/or ask them to acknowledge receipt (and follow up if they don’t).
  5. Report if something goes wrong - don’t try to hide it.

B. Taking information out of the office

What the organisation can do:

  1. Identify when it is appropriate or inappropriate to take data and devices out of the office - consider business needs versus the risks and impact of data breaches.
  2. Provide secure means of taking data out of the office (e.g. encrypted devices, lockable cases).
  3. Carry out risk assessments of external premises. Consider additional facilities and procedures for home working (e.g. lockable cabinets, extent of information stored on-site versus accessed remotely).
  4. Determine steps to be taken if something goes wrong.
  5. Communicate to staff the appropriate procedures and risks.

What each member of staff can do:

  1. Read and follow the organisation’s policies and procedures.
  2. Only take documents and devices containing personal data out of the office if there is a legitimate business or organisational need, and don’t take more information than you need.
  3. Don’t take sensitive documents or devices to places where there is a high risk they may go missing (e.g. the pub!).
  4. Take sensible precautions to protect data and devices at home, as you would in the office, e.g. keeping information out of sight, locking away devices, securely destroying papers you don’t need.
  5. Report if something goes wrong - don’t try to hide it.

Olivia Whitcroft, principal of OBEP, 28 September 2012

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details