Report on data security talk
Report on Sheila Logan’s talk – Fostering Security in the Workplace
Data Security – 20th May 2008
The Business Matters Trust is very grateful to Anderson Strathern for their hospitality in providing the venue and the buffet lunch.
Iain Archibald welcomed those attending this, the third talk in the series on Fostering Security in the Workplace, and introduced Sheila Logan, Operations and Policy Manager with the Information Commissioner’s Office in Scotland. Iain mentioned that, in a conversation with Sheila while preparing for this talk, he had described how he was taking part in the UK Biobank project, a wide-ranging medical research study, and Sheila had congratulated him on being so brave. Not, he learned, because he was willing to have a multitude of needles inserted and blood withdrawn but because he was willing to have large amounts of his personal data stored as part of the study process. This had got him thinking!
The PowerPoint presentation which Sheila used to accompany her talk can be accessed at the foot of the page. What follows is a prose summary of her talk.
Sheila began by remarking that it was unusual for her to be invited to speak to a private sector audience, since many large companies already have Data Protection Managers and good systems up and running. The Data Protection Act is not an optional extra: it is legally enforceable. It is, however, often maligned and misinterpreted. Sheila quoted the example of a police officer who was refused confirmation of whether a certain telephone number belonged to a public call box because “the Data Protection Act forbids it”. Since the Act applies to information about living, identifiable individuals, this was stretching its scope rather too far. Sheila emphasised that the Act is the key foundation for good data protection management.
Overview
The Act sets out eight data protection principles. Sheila indicated that, to cover the topic of the talk, she would concentrate on the seventh: personal data must be kept secure, which the Act expresses as a duty to take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
This small statement has huge implications for an organisation’s reputation if things ever go wrong. As we considered the measures it implies, and were perhaps tempted to look for “easier” ways to proceed, Sheila asked us to remember that many other people and organisations hold our own data in their records, so it is very much a case of “do unto others as you would have them do unto you.”
The importance of information to a company cannot be overstated: it is a business’s second most valuable asset after its people. An organisation will be very clear on who its staff are, what their roles are and when and where they are at work. For many companies the same clarity is not in place as to what information is held, how and where it is stored, who has access to it, and how it is accessed, transferred and ultimately destroyed. The consequences of a breach of data security are only too apparent from recent, well-publicised incidents, e.g. at the DWP and HMRC, and no business would wish to have such a failure appearing, in Sheila’s words, on “tomorrow’s fish and chip paper.”
Procedures, Particulars and Preventative Measures
Sheila suggested that any organisation should be clear about who is responsible for data security, and that it should not just be the Data Protection Manager. It is vital that, from the top of the company down, there is a commitment to having written procedures in place, training available for staff so that they understand how to implement those procedures, and some system of checks and balances to confirm that the procedures are actually working in practice. Audits should be undertaken thoroughly, not just by “ticking the box”. Sheila suggested that it is not over-zealous to rummage through a few waste bins in the office so that the reality of what is being disposed of by non-secure routes can be checked. Another useful strategy is to ask staff from another department to carry out the audit; that way familiarity with the procedures is less likely to breed complacency.
Just as staff are a company’s most valuable asset, they are also the source of the majority of problems with data security. Sheila asked a number of questions in the area of staff recruitment and practices.
- Do we have the right staff?
- Have we carried out the correct disclosure checks where appropriate?
- Have we taken up staff references? Sheila told us that, in a previous career position, she had worked for a company for over three years but that they had not taken up her references from her previous employer and so would not know of any issues – she hastened to add that there were none!
- Are we clear in an employee’s contract of employment as to what their rights are to use information they acquire whilst at work – both while in employment with the company and after leaving?
- Have we considered the appropriateness of an employee’s internet access rights and what limits should be placed on the ability to transfer information, both online and also on portable data storage media?
An example of good practice which, judging from conversation after the talk, was not well known to many present, is to avoid wearing identity passes that bear the company logo outside the workplace. This is not so much to deny people the opportunity to steal a badge and enter the premises under false pretences but rather, as happens in some cities south of the border, to avoid the “procurement” of information by “befriending”. Someone who has been spotted wearing a badge is approached in the pub after work and a conversation is struck up which, after perhaps a number of meetings, leads to the unintentional divulging of information or even its extraction by threat.
Physical security, in its wider sense, can also be an issue, and Sheila described herself as “scared” at the thought of the number of staff who carry company phones, laptops, BlackBerrys and the like wherever they travel and sometimes “mislay” them. She offered an observation from her experience of dealing with such incidents that Tesco is an all too easy place for people to put down valuable items, from memory sticks to PDAs; perhaps the “ordinariness” of grocery shopping leads us to lower our alertness. Company premises also have to be assessed: it can be easy for someone with a little prior knowledge to enter an office, find a quiet, low-occupancy area and then leave through a fire door with a laptop, and huge amounts of information, under their arm.
Disposal of paper waste is also a major issue to be thought through. The era of the “paperless office” is not yet with us, and many companies rightly employ contractors to dispose of confidential paper waste. An instance from Sheila’s own office illustrated that even this needs to be audited: her office received an empty bag from the contractor for disposing of their waste and, when it was turned upside down, they found a benefit statement for a totally unconnected individual at the bottom of the bag.
Technology offers many potential “banana skins”. For example, where bulk copying of data is a concern, companies should ensure that hardware and software are configured to prevent it (limiting what can be written to portable media, as mentioned above). Often forgotten is the possibility of a data security breach through the corruption of data held in-house, so appropriate firewall and virus screening technologies are essential. Disposal of old computer equipment is best left to reliable specialists: PC hard drives are very difficult to wipe thoroughly and, short of blasting them into space, Sheila suggested, most companies would struggle to be sure of a satisfactory outcome. She quoted the example of a Scottish police force which suffered the embarrassment of one of its old computers being sold at the Barras market in Glasgow with large amounts of confidential police data still on it. Although the contractor employed, rather than the police force, was at fault, the damage to reputation fell on the police.
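The lesson of the Barras example is that the organisation releasing the equipment, not the contractor, carries the reputational cost, so it pays to check a drive before it leaves the building rather than trust the paperwork. The following is an added illustration, not code from the talk or from the Information Commissioner’s Office: a small audit script that reads a disk image (or, with read access, a block device such as /dev/sdb) block by block and classifies each block as blank (all 0x00 or 0xFF), random-looking (a random-data overwrite) or residual, listing any printable strings still recoverable from residual blocks. The 4 KiB block size, the entropy threshold of 7.5 bits per byte and the sample “benefit statement” text are assumptions chosen for the example; the sample image is constructed inline.

```python
"""Audit a disk image before disposal: did the wipe actually happen?
Added example for the data security talk write-up; not the ICO's or the
speaker's code.  Block size, entropy threshold and sample data are assumptions."""
import hashlib
import math
import re
from collections import Counter
from typing import Iterable, Optional

BLOCK = 4096          # audit granularity; 4 KiB is a common physical sector size (assumption)
RANDOM_ENTROPY = 7.5  # bits/byte above which a block is treated as random-overwrite output
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")  # runs of 8+ printable ASCII bytes


def block_entropy(blk: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a uniform fill, close to 8 for random data."""
    n = len(blk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(blk).values())


def classify(blk: bytes) -> str:
    """blank: all 0x00 or all 0xFF; random: overwritten with random data; residual: anything else."""
    if blk == b"\x00" * len(blk) or blk == b"\xff" * len(blk):
        return "blank"
    if block_entropy(blk) >= RANDOM_ENTROPY:
        return "random"
    return "residual"


def audit_blocks(blocks: Iterable[bytes]) -> dict:
    """Tally block classes; for residual blocks record the offset and a few recoverable strings."""
    report = {"blocks": 0, "blank": 0, "random": 0, "residual": []}
    offset = 0
    for blk in blocks:
        kind = classify(blk)
        report["blocks"] += 1
        if kind == "residual":
            strings = [m.group().decode("ascii") for m in PRINTABLE.finditer(blk)][:3]
            report["residual"].append((offset, strings))
        else:
            report[kind] += 1
        offset += len(blk)
    report["wiped"] = not report["residual"]   # any residual block fails the drive
    return report


def audit_image(image: bytes, block: int = BLOCK) -> dict:
    """Audit an in-memory image."""
    return audit_blocks(image[i:i + block] for i in range(0, len(image), block))


def audit_device(path: str, block: int = BLOCK, limit: Optional[int] = None) -> dict:
    """Audit a real image file or block device, e.g. audit_device('/dev/sdb'); needs read access."""
    def chunks():
        with open(path, "rb") as f:
            read = 0
            while limit is None or read < limit:
                blk = f.read(block)
                if not blk:
                    break
                read += len(blk)
                yield blk
    return audit_blocks(chunks())


def pseudo_random_block(seed: bytes, size: int = BLOCK) -> bytes:
    """Deterministic stand-in for os.urandom so the constructed image is reproducible."""
    out, h = bytearray(), seed
    while len(out) < size:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:size])


def constructed_image() -> bytes:
    """Constructed sample: a 'wiped' drive that still holds one block of benefit-statement text."""
    blank = b"\x00" * BLOCK
    leftover = b"Benefit statement 2008 - Claimant: A N Other - NI number QQ123456C\n"
    residual = leftover.ljust(BLOCK, b"\x00")
    return blank * 20 + pseudo_random_block(b"example") + blank * 10 + residual + b"\xff" * BLOCK


if __name__ == "__main__":
    rep = audit_image(constructed_image())
    print(f"{rep['blocks']} blocks: {rep['blank']} blank, {rep['random']} random-overwritten, "
          f"{len(rep['residual'])} residual")
    for off, strings in rep["residual"]:
        print(f"  offset {off:#x}: {strings}")
    print("verdict:", "wiped" if rep["wiped"] else "NOT wiped - do not release")
```

Run against a full drive this is slow but simple; on a large disk, pass a `limit` to sample the first part or adapt `audit_device` to stride through the device. A drive overwritten with zeros passes as all blank, one overwritten with random data passes as all random, and anything with structure left in it is reported with offsets and sample strings so the decision to release it is made on evidence rather than on the contractor’s word.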
Having a concern for good practice with modern technology should not blind us to the need for good protocols for traditional items. Take keys. Sheila drew our attention to simple steps such as ensuring that a key register exists and is used, ensuring that keys and passes are physically returned by staff when they leave the company, and supplying lockers for staff, both to protect their belongings and to allow camera phones to be prohibited at the desk if necessary.
Conclusion
Sheila ended her talk by emphasising that there are benefits to be had from all of these precautions and that efficiency, reputation and customer confidence will all increase in a company where proactive, good quality, data management procedures are employed.
Questions and Answers included
“Is there an example of where a potentially serious breach of data security has resulted in definite criminal activity – for example as a result of recent DWP records going missing?” Sheila said that she was not aware of any mass use. However, she has been involved with many individual instances where people have gone to their bank accounts to find them empty, or have received bills for car rental in Spain or some other country not visited. Sheila said that often the use of the information occurs many weeks or months after it has been acquired – the thieves lie low with it for a while, so vigilance is necessary at all times.
“Are problems greater in smaller organisations than larger ones?” Sheila answered: issues are more down to culture than size. A culture of “don’t bother, it will be alright” is a problem in any organisation. Often in larger organisations the procedures are in place but the real challenge is to ensure that all staff understand and follow them.
“Is there a ‘good practice’ guide for the use of ID badges?” There is not a guide as such, but good practice is to achieve the balance between being recognisable within the office while preserving confidentiality/anonymity outside. The Information Commissioner’s Office ID badges, for instance, show a photograph, a name and a number but no company name on the badge or, indeed, the lanyard.
“Have companies taken note and learned from the high profile instances of the last 12 months?” Sheila answered that her office has never been so busy, so she believes they have!
As an additional piece of information, the following list of contact details in this area may be of use:
THE INFORMATION COMMISSIONER’S OFFICE
Guidance for the public and technical guidance for organisations. Information includes Employment Practices Code and Data Protection Act 1998 Legal Guidance.
OFFICE OF PUBLIC SECTOR INFORMATION
A copy of the Data Protection Act 1998
BUSINESS LINK
Compliance advice for businesses
DISCLOSURE SCOTLAND
Criminal record disclosure checks for employers (see the recruitment questions above)
OFFICE OF PUBLIC SECTOR INFORMATION
A copy of the Computer Misuse Act 1990
INFORMATION TRIBUNAL
Hears appeals under the Data Protection Act 1998
After we thanked Sheila for her presentation, there was the opportunity, taken by a good number, to talk with her and network with others.
Eric Smith
Consultant to the Business Matters Trust