In the words of Simon & Garfunkel, it is important to keep the customers satisfied.
According to the Privacy Rights Clearinghouse (and other sources), security breaches typically result from one of the following five causes:
- Unintended Disclosure: Someone in or affiliated with your organisation inadvertently posts private or sensitive company or customer information on a website, Facebook or a blog or in an email, fax or letter.
- Hacking or Malware: Unauthorised individuals gain access to your computers, often due to inadequate firewalls or weak passwords, and steal or corrupt data using malicious software programs known as malware.
- Payment Card Fraud: Information is stolen from a point-of-service credit card or payment terminal.
- Bad Employees: Someone who works for you intentionally steals or leaks sensitive information.
- Lost, Discarded or Stolen Paper Documents
The Information Commissioner's Office (ICO) states: "There is no 'one size fits all' solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need."
In brief – what does the Data Protection Act say about information security?
The Data Protection Act says that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The Information Security Breach Policy of the Parliamentary and Health Service Ombudsman (PHSO) says the following with respect to preventing information security breaches:
All staff are responsible for protecting our information assets from misuse, loss or unauthorised access, modification or disclosure. This does not mean that information cannot be used or shared, but that appropriate steps must be taken to ensure that information is protected in the process. All staff are expected to attend training relating to information security, and should read and apply the protective marking scheme and handling arrangements outlined in the Security Guidance to ensure they are using and sharing information appropriately. The FOI/DPA team can advise further on which information can be shared externally.
PHSO is required to take reasonable steps to protect the personal information we hold. Where the ICO finds significant failings in protecting personal information, a fine of up to £500,000 can be levied on any organisation. All staff are therefore expected to take responsibility for personal data in their care by following internal policies and guidance relating to information security. Failure to do so may result in disciplinary action. Annex A provides further details on how staff can help to avoid information security breaches.