A schedule of the Prime Minister’s trip to the North West, including arrangements for her visit to Daresbury science park near Warrington in Cheshire, was among sensitive documents left in the first-class compartment of a train. We remind organisations how to protect against data security breaches in the workplace.
Here are our top ten tips to help protect your organisation and personnel:
1. Conduct risk assessments to identify where data (electronic and physical) is stored, who has access to it and whether security measures have been implemented. We have developed a simple risk assessment for your workplace:
2. Develop physical safeguards within the workplace environment and ensure employees adhere to them. Examples include keeping documents that contain confidential information under lock and key. Consider offsite storage of sensitive documents and data. Adopt best-practice policies that help create awareness of the need for data security, such as clean-desk and shred-all policies.
4. Protect your electronic records with technical safeguards. Examples of technical safeguards include limiting access to information to those with a need to know, ensuring employees have strong passwords that are never shared with other employees, encrypting data, using screen savers, and configuring computers to log off automatically when an employee is away from their workstation for a prolonged period.
5. Ensure the security of laptops and portable devices. Many large security breaches have been caused by the theft or loss of laptops and other portable devices. Measures to ensure laptop security include restricting their use to only those employees who absolutely must use them to perform their jobs, securing laptops to desks with cables and locks, encrypting data, and using laptops only as terminals, with the actual data stored on a secure, central computer.
6. Monitor business associates. Many of the largest breaches have involved business associates. Develop a list of business associates and ensure that contracts are up to date. Know whether your business associates have privacy and security practices in place, whether they are current with new rules and regulations, and whether they rely on subcontractors.
7. Create protocols for the destruction of data. Make sure that any information no longer needed is permanently destroyed. Paper records must be shredded or destroyed in such a way that they cannot be reconstituted. Electronic data must also be deleted in accordance with best-practice guidelines (e.g. EN 15713). Simply hitting the delete button does not permanently destroy information!
8. Conduct internal audits. Periodically audit your records to ensure that logs are being maintained, and that records requiring documentation are being updated and retained. These may include audit logs, access reports and security incident tracking reports, which allow the employer to see which employees have accessed particular areas within the computer system.
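The access report described in tip 8, combined with the need-to-know principle from tip 4, can be produced from audit logs with a short script. The following is an added example, not code from the original article: the log format, the sample log lines and the authorisation map are all constructed assumptions.

```python
# Added example (not from the original article): build a per-employee access report
# from constructed audit-log lines and flag accesses outside each employee's need-to-know.
import re
from collections import defaultdict

# Constructed sample audit log in the assumed form
# "<timestamp> user=<id> area=<name> action=<verb>"; one line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=jsmith area=hr_records action=read
2024-03-01T08:05:43 user=jsmith area=hr_records action=update
2024-03-01T09:12:07 user=akhan area=finance action=read
2024-03-01T09:15:30 user=akhan area=hr_records action=read
2024-03-01T23:41:02 user=ptaylor area=finance action=export
this line is malformed and should be reported, not silently dropped
"""

# Hypothetical need-to-know map: which areas each employee is authorised to access.
AUTHORISED = {
    "jsmith": {"hr_records"},
    "akhan": {"finance"},
    "ptaylor": {"finance"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) area=(?P<area>\S+) action=(?P<action>\S+)$")

def parse_log(text):
    """Return (events, malformed): parsed event dicts and the lines that did not parse."""
    events, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            malformed.append(line)  # a log that cannot be read is itself an audit finding
    return events, malformed

def access_report(events, authorised):
    """Count accesses per employee per area and list accesses outside the authorised set."""
    per_user = defaultdict(lambda: defaultdict(int))
    violations = []
    for ev in events:
        per_user[ev["user"]][ev["area"]] += 1
        if ev["area"] not in authorised.get(ev["user"], set()):  # unknown users fail closed
            violations.append((ev["ts"], ev["user"], ev["area"], ev["action"]))
    return {u: dict(a) for u, a in per_user.items()}, violations

if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    report, flagged = access_report(evs, AUTHORISED)
    for user, areas in report.items():
        print(user, areas)
    for v in flagged:
        print("REVIEW:", *v)
    for line in bad:
        print("MALFORMED:", line)
```

On the constructed log this reports one access for review (akhan reading hr_records) and one malformed line; in practice the authorisation map would come from the access-control records the risk assessment in tip 1 identifies.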
9. Secure your physical location. Make sure alternate exits are locked, patient records are protected from unauthorised access, and computers are secured against theft. Review procedures to safeguard your facility from unauthorised access, tampering and theft.
10. Audit your data processors. It is a fundamental principle of UK data protection legislation that data controllers are responsible for their personal data. Ensure that your data processors adhere to 1-9 above and have the same standards and controls, because if they fail, you as the data controller will be liable and it is your reputation that is at stake.