Tag Archives: DPA

Communicating Data Breaches with Employees

Data breaches used to be less frequent. With the increase in ransomware activity, data breaches are now a daily occurrence. Major corporations like Sony, Domino's and Home Depot have been hacked, and more data breaches are expected in the coming months and years. If, as an employer, you find yourself in the unfortunate situation of a data breach, how are you going to communicate the breach to your employees? What happens after the security breach?

Be Transparent

Employers should notify employees of the breach as soon as possible, once they have all the facts. Employees have the right to hear about the breach directly from the employer, rather than from circulating rumours. Companies also need to ensure that workers keep the shared information strictly confidential, at least until the breach is officially announced.

An Inside Job?

It is essential to ensure that employees receive the right information in a timely fashion. Tell them that the relevant department has started investigating the matter, without divulging too many details about the breach, so as not to alert the culprit in case it is an inside job.

An Outside Attack?

Share more detailed information about the breach (as it becomes available) if your investigation confirms that the cause is not internal. Update employees as frequently as possible. This will reassure workers who are worried about their personal information. Personal information such as addresses, social security numbers, birthdays and salary amounts is a recipe for identity theft.

Personal Information

You need to think about the Data Protection Act (DPA). In the UK, for instance, businesses must adhere to the DPA. The act requires employers holding personal information on their workers to keep that information safe and secure. The DPA is a useful framework for avoiding information breaches.

Businesses must report data breaches to the Information Commissioner in the UK. It also makes sense for employers to inform and update their employees at the same time. If it is confirmed that employees' personal information has been compromised, the employer should offer support to the affected employees. This includes advice on what the next steps should be and what to do if an unauthorized credit card transaction is posted to their account. Detailed procedures should be described so that victims can take immediate action whenever they face identity theft or an unauthorized bank transaction.

It would be better to develop a database or provide a fully dedicated hotline so the staff can call and ask questions about the breach.

Official Press Release Statement

It is important to communicate with all employees, informing them that they are not authorised to speak to the press about the incident at any time. Explain that this is standard procedure and everyone should follow it, because the breach affects the company's reputation and business.

Remember that data breaches are juicy stories. Reporters and bloggers love to write about them, and many true and false stories will be written. The key is to share the details with employees and issue an official press release. You can win the trust of your employees by sharing timely information with them. This will give them more confidence, and they will be less likely to share the details outside the company. The last thing you want is for employees to learn about the breach from a third-party website or the traditional media.


DPA breach by Scottish Court Service investigated by ICO

The Information Commissioner’s Office (ICO) has become involved in an investigation into an alleged breach of the Data Protection Act (DPA) by the Scottish Court Service.

Private data contained within court documents was improperly disposed of at a recycling centre in Glasgow, according to reports, which has led to the ICO confronting the organisation with a formal undertaking.

The initial data loss was discovered in September last year when a local newspaper was alerted to the fact that highly sensitive details had been dumped in a public recycling bank and the ICO was subsequently involved in looking into how this could have occurred.

Scrutinising those responsible for the data allowed the ICO to determine that it had in fact been lost by an individual who had edited law reports for the service. The breach had been made possible because no member of the organisation had ensured that this person was properly informed on how to safely use this type of data.

The ICO's Ken Macdonald said that such a loss could damage the trust that people involved in the Scottish legal system place in the framework of justice that should, in theory, protect their most basic rights.

Mr Macdonald said that the data should not have been taken outside of the courtroom and warned that if it had been picked up by a malicious third party, it could easily have resulted in the exploitation of those implicated in its contents.

From now on workers at the Scottish Court Service will undergo training in order to ensure that they all understand the data protection policies enacted by the organisation. This includes not only the way in which data is handled and used, but also how incidents of loss or theft are reported.

As part of the ICO's measures, the formal undertaking will require every employee who shares data as part of their work to sign up to a Memorandum of Understanding sanctioned by the organisation's management.

Council data loss tackled by ICO

The Information Commissioner’s Office has concluded that New Forest District Council was in breach of the terms of the Data Protection Act (DPA), when in 2008 it exposed the details of private citizens online.

The data leak occurred when the council made public details of an application for planning permission, while failing to omit information which could have been exploited. This led to a complaint from the implicated party.

The ICO said that while the council had initially made the mistake of distributing the data via the internet, it had reacted swiftly to rectify the situation and prevent any further access to the information.

Despite the appropriate response in this case, a member of the public kept tabs on the council’s activities over the following months and alleges that similar failings in data protection were easily observable.

The ICO said that it has carried out an investigation which was able to unearth private data as recently as July 2010. As part of its review of the council’s operation, it questioned a number of employees.

The ICO’s Sally-Anne Poole said that following on from the incident and its investigation, it is now confident that no further incidents of data loss similar to this will occur from within this particular organisation.

Poole explained that the council has implemented a number of new policies governing the way in which data is handled and the ICO is satisfied that this should help to stem further leaks.

Poole pointed out that the ICO did not expect public or private sector organisations to be completely watertight when it comes to data and adherence to regulations, but that it did want to see evidence that attempts were being made to work closely within regulations, so that the integrity of private details is retained.

Critics of the ICO have pointed out that it has once again failed to impose a monetary penalty as a result of this data leak, despite the fact that it can seek up to half a million pounds for a serious breach of the DPA.

ICO criticises city council in Portsmouth over data leak

The Information Commissioner's Office (ICO) has revealed details about an unintended data leak in which Portsmouth City Council handed over sensitive information about a local resident after a request was made for details relating to another person entirely.

The ICO said that this occurred after a subject access request, during which a worker neglected to fully redact the documents before distribution, allowing private information to leak.

The ICO investigated this incident and revealed some worrying facts. Firstly, the person who was charged with redacting the documents was not directly in the employ of the council and, secondly, they were not adhering to the regulations relating to terms of service.

In addition, the ICO concluded that staff had not been properly instructed on how to handle and protect personal data.

The ICO's Mick Gorrill said that this data loss incident could have been prevented had those involved received rigorous instruction on the requirements of the Data Protection Act, backed up by managerial support.

Mr Gorrill said that unnecessary stress and worry could have been caused as a result of these careless actions on behalf of the council, particularly as the individual who had details exposed was completely unrelated to the issue covered by the request.

The council has said that it is aware of the severity of this incident and will endeavour to make sure that it does not recur. The ICO is hoping that this event will act as further incentive to other local authorities around the UK, resulting in a greater degree of compliance with the DPA, even when outsourcing work to third party firms.

The council head, David Williams, followed in the footsteps of other leaders by committing to an ICO formal undertaking, that will require improved training and greater data monitoring within the organisation and across its external contractors.

Experts are concerned that the ICO's power to fine up to half a million pounds for data loss and DPA breaches is not really enough to encourage public sector organisations to change their policies and improve security, leading some to call for greater powers to be handed to the regulator.

Fines issued over NHS data loss

Fines are being issued by the Information Commissioner’s Office (ICO), after it found the NHS-regulated Healthcare Locums agency to have been in breach of the rules of the Data Protection Act (DPA), with regards to data loss prevention and information security.

The agency in question was responsible for large amounts of data relating to doctors working for the NHS and the ICO implemented fines after a data loss incident exposed details on certain medical practitioners.

The ICO was alerted to malpractice within the agency when an online auction site was used to sell a hard drive, which was packed with data relating to doctors’ visas and security information.

Although Healthcare Locums reported the incident and notified the ICO, it could not explain to the regulator how such a serious breach of data handling practices was possible. Further investigations revealed that the storage device had been either lost or stolen during transit from Skipton to Loughton.

The ICO identified that the agency had failed to record the reason for the transfer or the specific data that was held on the hard drive, which subsequently went missing. The only reason that it was able to detect that the data loss had occurred at all, was because a private citizen alerted them to the sale.

The ICO's Sally-Anne Poole said that this latest data loss within an organisation linked to the NHS highlighted the importance of complying with the rules of the DPA in relation to the proper transportation of private details.

She went on to explain that the recruitment agency had since made sure that its policies on data handling and transport were improved, so that further breaches of the DPA would not occur.

Healthcare Locums' Mo Dedat committed to ensuring that future incidents of data loss cannot occur within the firm. This covers not only losses resulting from the actions of the agency's direct employees, but also those of any third-party firms it uses to manage, store and transport data.

ICO seeking greater investigative and punitive powers

The Information Commissioner’s Office (ICO) is seeking to earn greater powers to help curtail the actions of those individuals and businesses which breach the terms of the Data Protection Act (DPA), through inadequate security, data loss or theft.

The latest news from within the organisation is that it will be requesting the ability to impose custodial sentences on offenders, rather than the current fines, which are the maximum applicable penalty for such an incident.

The ICO has been approached by the Ministry of Justice to provide details of how data protection legislation currently operates. It announced that greater deterrents are needed to ensure that the private information of ordinary citizens is not abused or handled irresponsibly by businesses and public sector organisations.

In a statement, the ICO said that offences involving selling or bartering with sensitive personal data should be punishable by a prison sentence in the most extreme examples.

It explained that the circumvention of data protection policy within organisations was most regularly carried out by lone agents, but complained that the threat of fines was insufficient to prevent future loss or theft under the current DPA rulings.

As well as highlighting the inadequacy of fines in combating DPA breaches, the ICO said that its current investigative abilities are underwhelming and inappropriate for the task in hand, when it is asked to examine a particular organisation.

The ICO said that at the moment it is only able to investigate those directly involved in handling data if they allow it. As such, the Information Commissioner is said to be in the process of collecting evidence which indicates the frequency with which those responsible for data refuse to co-operate with an ICO investigation.

The ICO said that it is the private sector in which this refusal of involvement is most regularly found and, ideally, the Ministry of Justice will be convinced of this when it has been given the opportunity to look over the evidence provided in the coming weeks.
