Avoid mishandling data

Last year the Information Commissioner’s Office (ICO) dealt with 84 reported cases of data misuse, prosecuting in 18 instances and issuing fines in 11.  Of the 84 cases reported, 37 involved public sector organisations, including one housing association. Mishandling sensitive client data can be costly both in terms of monetary penalties of up to £500,000 and reputational damage. In the future, the most serious of cases could lead to a custodial sentence.

So what can you do to avoid a data disaster?

“There is absolutely no room for error under today’s rigorous policies.”

The most common issues of data mishandling in public services include mislaying USB sticks, failing to change passwords, not disposing of hard drives securely, leaving devices on trains, not putting in place software to remotely wipe out files, and lack of safeguards on access to personal computers.

In my experience, there are a number of reasons these problems occur, namely;  lack of training and guidance, budget pressures leading to ill thought out use of IT shortcuts, and adoption of ‘bring your own device’ remote or mobile working situations, which are not backed up by appropriate safeguards and policies. 

In the case of Jephson housing association, which was cautioned by the ICO, several documents containing third party personal details were revealed during a litigation process.  

The necessary documents required for the case were reviewed and redacted  and placed on a desk in order to be photocopied, but a different member of staff was subsequently tasked with the photocopying  and, in error, the original unredacted documents  were copied, and disclosed  the sensitive information to the other party to the litigation. 

The investigation identified that, while checks had been undertaken during the review process, no subsequent checks were made prior to handing them over.  It also identified that, whilst data protection training was provided to staff at induction, refresher training was not in place at the time of the incident.

There is absolutely no room for error under today’s rigorous policies.  The issue of data mishandling is so sensitive that even the smallest slip-up can result in loss of tenant confidence, loss of revenue and, most importantly, unwelcome exposure for  your clients and customers.

So what are the three key actions to safeguard against mishandling of data?

• Analyse policies, enforce them and ensure support training is in place which deals with data handling in an organisation;
• Ensure repeated,  job-specific training to account for people taking up new job roles and therefore encountering  potential different data handling requirements; and
• Analyse what led to any breaches in data handling and adapt policies and support training as necessary.

Opting out is not an option. Data handling polices and training are a necessary and integral part of any responsible organisation and needs informed and proactive engagement from top to bottom. 

Susan Hall is a partner at  law firm Clarke Willmott