Top tips for data which leaves the office
In the world of data breaches, we frequently see something going wrong
when data leaves the safety of an organisation’s office premises. There
have been mis-addressed emails sent off into the ether from the comfort
of the sender’s desk, envelopes stuffed with the wrong person’s letter,
laptops and files taken home and subsequently stolen. These mistakes
have resulted in regulatory investigations and monetary penalties of up
to £325,000.
This article sets out some top tips which organisations and individual
staff members can take to minimise the risks of data and devices falling
into the wrong hands. The focus is on data protection compliance (for
the protection of personal data); however, a lot of these tips may also be
prudent for the protection of other confidential and sensitive information.
A. Sending information to someone else
What the organisation can do:
- Identify the circumstances in which data should or shouldn’t be
sent to someone else in accordance with data protection (and other
legal) requirements. Identify related compliance steps to be taken
(e.g. informing relevant individuals where required).
- Establish appropriate methods of transfer for different
types of information, taking into account the risks and impact of unintended
disclosure. Provide facilities for secure transfer of data where required
(e.g. encrypted media or emails).
- Maintain appropriate controls and checks over any third parties
used to transfer information.
- Determine steps to be taken if something goes wrong.
- Communicate to staff the appropriate procedures and risks.
What each member of staff can do:
- Read and follow the organisation’s policies and procedures.
- Consider the risks of misuse once the communication is sent:
will the information be outside the boundaries of the organisation’s
security controls (e.g. personal email accounts); is the recipient aware
of the extent to which data should or should not be further disseminated
or published?
- Double-check names, numbers and addresses prior to sending:
fax numbers, email addresses, names and postal addresses on envelopes.
Check that the right information has been put in the right envelope.
- Warn the recipient to expect the communication and/or ask
them to acknowledge receipt (and follow up if they don’t).
- Report if something goes wrong - don’t try to hide it.
B. Taking information out of the office
What the organisation can do:
- Identify when it is appropriate or inappropriate to take data and
devices out of the office - consider business needs versus the risks
and impact of data breaches.
- Provide secure means of taking data out of the office
(e.g. encrypted devices, lockable cases).
- Carry out risk assessments of external premises. Consider
additional facilities and procedures for home working (e.g. lockable
cabinets, extent of information stored on-site versus accessed remotely).
- Determine steps to be taken if something goes wrong.
- Communicate to staff the appropriate procedures and risks.
What each member of staff can do:
- Read and follow the organisation’s policies and procedures.
- Only take documents and devices containing personal data out of
the office if there is a legitimate business or organisational need,
and don’t take more information than you need.
- Don’t take sensitive documents or devices to places where there
is a high risk they may go missing (e.g. the pub!).
- Take sensible precautions to protect data and devices at home,
as you would in the office, e.g. keeping information out of sight,
locking away devices, securely destroying papers you don’t need.
- Report if something goes wrong - don’t try to hide it.
Olivia Whitcroft, principal of OBEP, 28 September 2012
This article provides general information on the subject
matter and is not intended to be relied upon as legal advice. If you
would like to discuss this topic, please contact Olivia Whitcroft using
the contact details set out here: Contact Details