Apr 01, 2010

Good/Bad month for Data Protection - File system management and growth an exposure?

Posted by: Alastair Williams in Information Management on Apr 1, 2010. Tagged in: Security, Backup & Recovery
March 2010 was the last month before a number of expected changes to the penalty and enforcement rules of the Data Protection Act (including custodial sentences and far heftier fines), and it was local government and finance/insurance houses that came out badly. With 3 reported breaches in each industry it was an unwanted draw, although hospital trusts will be happy to have avoided recognition this month. What is most interesting, however, is the range of risks exposed. We had the usual lost laptops and memory sticks, but we also had wider process failings and a return of the age-old "lost tape".
Concerning the process failings, I have long advocated that businesses review how information is processed and managed through an organisation and generate a process map / information-flow policy.
Look around the many departments still using paper: there are multiple filing cabinets whose contents are well understood, access is controlled to those with a need, and because there is a physical interaction the policy is somehow better understood and adhered to; photocopies are controlled, and if someone asks to see part of the contents there is an inbuilt human response to question the need. Contrast this with departmental IT systems, and file systems in particular. Firstly, everything is geared to sharing: rather than separate cabinets there are departmental shares. It is often overlooked that a department may need multiple shares to replicate the cabinet analogy.
Secondly, copying and sharing is far easier, and because there is no physical interaction with the information the inbuilt restrictions are somehow lessened and individuals are more likely to add an attachment to an email when asked. This is exacerbated by the lack of version control commonly seen. There are also more document types to manage: standard Office documents, images and PDF reports may all contain sensitive information, but if users within a single department favour different data-recording methods it becomes extremely difficult to track personal data exposures, especially with staff changes.
If you want to see how much of a DPA risk your file server is, run a system analysis. If, like others, you have over 1000 spreadsheets per user, duplication/copy rates upwards of 10%, or "backups" that are .zip/.bak files and not controlled, then it's time to run a process mapping session with your business users. If you are unsure how to perform a system analysis, drop me a line and I will send over the PowerShell command to extract the data to interrogate. (Also let me know if you need a free analysis of the data to avoid writing your own queries.)
Finally, regarding lost backup tapes: the required encryption technology has been available for a number of years to avoid this exposure. I wonder whether it was a budget/risk decision that caused it to be discounted, or whether this was IT not informing the business of the exposure.
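As an added illustration (not the author's script), the following PowerShell pass over a departmental share reports the three indicators named above: spreadsheets per owner, the duplicate-copy rate by content hash, and ad-hoc .zip/.bak "backups". It assumes PowerShell 4.0 or later (for Get-FileHash), read access to the share, and a placeholder share path in $SharePath.

```powershell
# Added example: summarise DPA-relevant file-system indicators for one share.
# Assumes PowerShell 4.0+ and read access; $SharePath is a placeholder to adjust.
param(
    [string]$SharePath = '\\fileserver\department$'   # placeholder share path
)

$files = @(Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue)

# 1. Spreadsheets per owner: the "over 1000 spreadsheets per user" signal.
$spreadsheets = @($files | Where-Object { $_.Extension -match '^\.xls[xmb]?$' })
$perOwner = $spreadsheets |
    Group-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count

# 2. Duplicate rate: only files sharing a size are hashed (cheap pre-filter);
#    every copy beyond the first in a hash group counts as a duplicate.
$sameSize = $files | Group-Object Length | Where-Object { $_.Count -gt 1 }
$hashGroups = @($sameSize | ForEach-Object { $_.Group } |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Group-Object Hash | Where-Object { $_.Count -gt 1 })
$duplicates = 0
foreach ($g in $hashGroups) { $duplicates += $g.Count - 1 }
$dupRate = if ($files.Count -gt 0) {
    [math]::Round(100 * $duplicates / $files.Count, 1)
} else { 0 }

# 3. Ad-hoc "backups" sitting on the share instead of in a controlled backup system.
$adHocBackups = @($files | Where-Object { $_.Extension -in '.zip', '.bak' })

# One summary object: feed it to Export-Csv or review it before the process mapping session.
[pscustomobject]@{
    SharePath            = $SharePath
    TotalFiles           = $files.Count
    Spreadsheets         = $spreadsheets.Count
    TopSpreadsheetOwners = @($perOwner | Select-Object -First 5)
    DuplicateFiles       = $duplicates
    DuplicateRatePct     = $dupRate
    AdHocBackups         = $adHocBackups.Count
    AdHocBackupPaths     = @($adHocBackups | Select-Object -ExpandProperty FullName -First 10)
}
```

Owners are read from the NTFS ACL, so on shares where files were created by an administrator or a migration account the per-owner counts will reflect that account rather than the user who maintains the file.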