Data protection is an important consideration for all company employees, regardless of their role, so all staff should be appropriately trained on how to comply with the Data Protection Act. In today’s information age, even a simple envelope containing an individual’s address could be used to help steal their identity for fraudulent purposes.
As a result of the growing criminal activity around identity theft, legislation has been developed to help protect individuals and organisations. Businesses can incur significant fines of up to £500,000 if they are found to have processed an individual’s or an organisation’s data in the incorrect manner. To help small and medium-sized organisations with the appropriate handling and processing of personal data and sensitive information, the Information Commissioner’s Office (ICO) has put together a training checklist.
Where specific types of data are utilised, such as healthcare records or sensitive financial information, specialist training is required to cover all potential liabilities. However, the ICO checklist delivers some common sense, practical advice to ensure that businesses operate within the confines of this legislation.
According to the ICO, the number of breaches of the Data Protection Act in 2014, across a variety of industry sectors, increased when compared to a similar period in 2013. For instance, healthcare experienced 183 breaches of protocol in 2014, a 101% increase on the 2013 figure of 91. The combined cost of these data losses is estimated to be around £4.5m.
All businesses that process personal information must be registered with the ICO and take the following steps to ensure the security of their data:
1. Personal Information Security
When handling sensitive information, your staff should follow a number of basic precautionary steps. These include the following simple measures:
- Ensure that computer screens are always locked with a suitably complex password when the user is away from their desk.
- Change passwords regularly, and never use public or shared passwords.
- Shred all printouts or handwritten notes containing sensitive information, or place them in the appropriate secure container for future shredding.
- Adopt a policy of virus prevention across all IT usage, including appropriate caution when opening attachments from unknown sources or using websites that are not pre-approved by the company.
- Operate a clear desk policy, so that all hard copy information is securely stored when the desk is not occupied.
- Run a full visitor management system, recording the entry and exit times of all third party individuals on the company premises.
- Keep computer screens away from windows with public access, to prevent accidental exposure of information to opportunistic or malign agencies.
- Encrypt any data that is stored on removable media such as USB pens or external hard drives.
2. Reasonable Expectations of Customers and Employees
Customers have a right to have their data and details processed in a correct and diligent manner. They should be informed in due course of any internal changes in company procedures that affect their sensitive information. This includes:
- Only collecting appropriate and sufficient information needed for the required business purpose.
- Explaining new or changed business procedures and results, offering the appropriate opt out clauses and obtaining consent where necessary.
- Updating personal information in a timely fashion including the deletion or destruction of out of date records.
- Full visibility of any workplace monitoring systems that may be in place for any reason.
3. Disclosing Customer Personal Information
Unauthorised third party individuals and agencies may try to penetrate a company’s data protection protocols. Company employees should be aware that:
- Appropriate checks are mandatory when discussing personal and sensitive information on both outgoing and incoming calls.
- There may be cases where contact claiming to come from a company actually originates from a fraudulent source, with the intention of gaining access to protected information.
- The amount of information given out over the phone and by email should be limited, and vital key pieces of information should, where possible, only be supplied in writing to a pre-existing customer address.
4. Notification in Accordance with the Data Protection Act
The ICO must be notified of certain changes in a company’s data handling procedures with regard to personal information. Your staff must understand:
- Whether the company has a notification entry with the ICO, or is relying on a special circumstance or a set exemption.
- That they need to notify the ICO of any changes in the way the business handles and processes personal information.
5. Managing Requests for Individual Information (Subject Access Requests)
Individuals have a right to view any information that a company holds on them. Your staff must be able to recognise, and know how to respond to, the following:
- That individuals have a right to access any personal information held by your company.
- How to recognise a subject access request.
- The person in the company responsible for authorising and responding to subject access requests.
- That the company must respond to the request within 40 days, levying a maximum charge of £10 for the data.
- That appropriate checks must be made to confirm the identity of the individual submitting the subject access request.
- The redaction procedure to follow should the requested data contain further sensitive information pertaining to any third party individual or organisation.
Full Training and Audits
This article is intended to be used as a quick guide to help with training. Companies seeking to fully train and audit their existing data protection protocols should contact the Information Commissioner’s Office in the first instance, to engage certification bodies that are able to offer full training, support and certification/accreditation packages.