data breaches

Data Breaches Happen

How will you deal with one?

 

Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word can be as serious as a classic confidentiality breach.

Part of your training for all staff needs to be about recognising when a data breach has happened. For schools’ breaches often involve misplaced papers or devices or emails sent to the wrong person. Although hacking does occur it represents a small fraction of the breaches reported by educational establishments.

Staff should know to look for:

  • Information being put in the hands of the wrong people
  • Paperwork or devices being lost or stolen
  • Significant errors in information – including being out of date
  • Issues with email both recipients and content

Handling a breach effectively is practical, preventing breaches is nearly impossible

 

Here are some elements you’ll need in your breach plan:

 

INVESTIGATION

The fundamentals

You’re in the 72 hour window.

  • Get the facts, don’t look for blame
  • Involve the person who discovered the breach
  • Make records, you’ll need them later

Critical things to know.

  • How many people might be affected
  • What sort of data is affected and how much of it
  • An initial understanding of how the breach happened
  • Has anyone been affected by the breach
  • How might people be affected

Difficult, but must be done.

  • If you think criminal action is involved report it to the police
  • You might have to initiate disciplinary action

 

MITIGATION

Where possible;

Depending on the nature of the breach, there may be little that can be done

  • The type of breach governs what can be done
  • The objective is to minimise the harm that may come from the breach
  • By acting quickly then it’s possible to stop any harm

There is no rocket science here.

  • Lost devices may be able to be remotely locked or wiped
  • Credentials can be forced to be changed (even if that’s everyone)
  • Incorrectly distributed material can be recovered
  • Inaccurate information can be updated

But remember:

  • Keep records of all the actions you take
  • Don’t create a new breach by updating with inaccurate information
  • Rushing to tell affected individuals may make the situation worse

 

NOTIFICATION

A need to know basis:

This is where you need a level head and good advice

  • You need the initial investigation and know that mitigation is underway
  • This is a judgement about the risk to the data subjects
  • You don’t have to have evidence of harm before reporting

The basic decision seems simple.

  • What might happen because of the breach
  • How likely are those consequences?
  • What might the emotional impacts of the breach be
  • What might people need to do to protect themselves from further harm

Reporting requirements:

  • All the information gathered in the investigation is required
  • If you can, report by calling the ICO – have the paperwork ready
  • The report is often not the end of the process

 

REPAIR

Stopping it happening again.

The reason why you need to keep a breach record:

  • Record the details of every breach
  • Patterns can tell you something is wrong
  • Having no breaches logged probably means you’re not spotting them

Delivering a long-term fix can require several actions, for example:

  • Identifying that there is a need for additional training
  • Implementing additional protections to existing situations (having lockable drawers for example)
  • Introducing new working methods (cloud storage rather than USB storage)

Sometimes more detailed work is required.

  • If a particular system or process has been involved in more than one breach, you need to understand why
  • Undertaking a Data Protection Impact Assessment will help you isolate the weaknesses
  • This may lead to significant changes to the way you process personal data.

 

For further information on managing breaches, speak to our team today.

Summer Updates!

With our brand, we didn’t want to completely change the GDPR Sentry our customers know and love, so we made some minor improvements instead, and wanted to share them with you! Can you spot any new features on our website?

As well as website changes, our technical team have also been busy making some improvements to our Sentry System, all as a result of our customers’ feedback.

Sentry System: What’s new?

Restricted Access

Sometimes the information recorded about a subject access request or a breach is highly confidential. Our Sentry System now allows access to records to be limited to the person who restricts them and those users assigned to the case.

The tools you need for this are on the status page. Users who have not been assigned do not even see the item in their list of records.

You might consider using this function if data concerns child protection, any form of criminal action or disciplinary actions where it would be inappropriate for all users to see. Remember that Standard users also see only those items that are assigned to them. If you’d like to discuss how to manage user access levels, please get in touch.

 

 

Auditing

As outsourced DPO’s, we visit schools, trusts, colleges and universities annually to perform compliance audits. We look at things such as display of data, data handling, and security including where paper data is located and secured. We would then put together a report of our findings. All auditing requirements and reports are now available within Sentry, which means you can complete audits and upload the reports directly into the system for your records.

 

Notifications

We have had many requests for a notification feature to be added to Sentry, so we added it. Notifications are extremely useful when managing compliance across a number of schools or a large college. The new notification feature alerts you to any new SARs or Data breaches that are added to the system, for any of your schools or sites.

 

Customer feedback is valuable to us, and we can usually tailor Sentry to work for your individual requirements.

Check out our updated website gdprsentry.com, where you can also look at all of our products and services, such as Training, Auditing and outsourced DPO.

For further information on any of our services, please speak to our team today.

 

DPO

Since 2017, Schools, Trusts and Colleges have been bombarded with stories about the requirements and risks of failing to comply with GDPR. The mass of information around the internet can seem daunting even overwhelming, but we are here to help you on your journey to compliance.

Any schools in state sector, including local authority nursery provision, are required to have a data protection officer (DPO) by law. Many schools have already met this requirement, by allocating this role to an existing member of staff, often IT managers or Business managers. Others have bought in services from providers like local authorities, legal firms, IT suppliers and specialised consultants, however, it isn’t always easy.

Being a Data Protection Officer (DPO) demands a deep knowledge of data protection law and practice. It also requires that the DPO has no conflicts of interest. For most schools, and trusts, having a person who can meet these requirements is extremely challenging.

The DPO is responsible for:

  • Informing the organisation on its GDPR obligations
  • Monitoring the compliance
  • Being the first point of contact for employees and supervisory authorities
  • Ensuring that staff are properly trained
  • Conducting audits and supporting data protection impact assessments

GDPR compliance must integrate with the day to day operation of the organisation, how confident are you that you are doing everything required by the ICO?  

As practicing DPO’s ourselves, we are here to support you.  

Being appointed to this demanding role comes with a heap of confusion, our aim is to bring you solutions to control your compliance.

That’s why we have developed the Sentry System, specifically for the Education Sector. Sentry allows you to manage all compliance in one place, whether it is for one school, across a trust or a multi campus college.

To find out more about how our Sentry System can help you, click here. Or, if you require additional support, we are more than happy to help. Contact our support team here.

With so much confusion and little understanding around GDPR, we were always expecting some interesting headlines.

This week, The BBC reported how a local authority in Sweden incurred a large fine, after trialling facial recognition on students to keep track of attendance.


The Swedish Data Protection Authority (DPA) fined Skelleftea Municipality  200,000 Swedish Krona (£16,800) for flouting a privacy law.

The trial took place in autumn 2018 and had been so successful, the school considered extending it. The DPA noted that, if the trial had been carried out for longer, the fine would have been significantly higher.

The reasons behind the fine…

The GDPR, which came into force last year, classes facial images and other biometric information as being special category personal data (we used to call it sensitive data), with added restrictions on its use.

Although the Swedish local authority did receive parental consent for such actions, the local authority still needed to show it was necessary to use biometric data rather than an alternative.


The local authority had broken the third principle of data protection by using personal data beyond that which was necessary to manage the task of tracking and monitoring attendance.

As a result, the DPA found that Skelleftea’s local authority had unlawfully processed sensitive biometric data, as well as failing to complete an adequate impact assessment, which would have included consulting the regulator and gaining prior approval before starting the trial.

From the school’s point of view, they may have seen this as a great management initiative, a safe and secure way of tracking attendance, thus reducing the time teachers spend monitoring this, but unfortunately for them, they had not done their homework on GDPR.

Read the full story here

Back to school

We are all guilty of shuddering a little when hearing the words ‘GDPR’, right? This is especially true when facing the beginning of the new academic year. The maze of legislation, the do’s and don’ts of data, what to do when a data breach occurs? These are common concerns for many education providers around the UK.

The bad news is, data breaches need to be taken seriously and dealt with appropriately, the good news, there is support available to help you deal with them.

Any organisation within the Education sector, dealing with the personal data of students and staff must be compliant. It is also a legal requirement for schools and colleges in the state sector to have a data protection officer (DPO).

What does ‘being compliant’ mean?

You should be able to answer the questions below confidently, but also show how you do them – where do you keep a record of all data breaches? How do you know when these should be reported to the ICO?

• How does personal data flow across your school, trust or college?

• Having does your organisation deal with data breaches?

• What happens if someone makes a subject access and other requests?

• Who has data protection expertise within the organisation?

• Have all your staff been trained?

Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word could be as serious as a confidentiality breach.

We have put together a ‘To Do’ list when dealing with a data breach;

• When dealing with a breach, you should always start with the assumption that you’ll be notifying the ICO, in which you only have 72 hours to do so.

• Get the facts, don’t look for blame and always involve the person who discovered the breach.

• You’ll need records later, so begin making records now with every action you take.

• Get the initial investigation going and know that mitigation is underway.

• You must make a judgement about the risk to the data subjects.

• You don’t have to have evidence of harm to make a report, gather all the information for the investigation. If you can, report by calling the ICO with the paperwork ready. Remember, the report is often not the end of the process

The above outlines a simple checklist for dealing with a data breach, but as we all know, data breaches are just a small percentage of compliance.

As practicing Data Protection Officers, we can provide support and advice on data breaches as well as SAR’s, DPIA’s, processes, supplier data and more. Speak with our team today.

Sentry matches the requirements of the ICO

It’s now less than four months until enforcement of the GDPR begins. You’d imagine that every now knows about the regulation even if they’re not totally clear about the impact.

On Tuesday of this week (24th January), the Department for Digital, Culture, Media and Sport released some preliminary results from Cyber Security Breaches Survey.
With less than four months to go until enforcement begins, significant numbers of businesses and charities had not heard of the GDPR. This included 20% of businesses and 25% of charities with more than 250 employees.

The highest levels of awareness were in the finance and insurance, information and communications and education sectors (79%, 67% and 52%). Still meaning that almost half of the organisations in the education sector were still not aware of the regulation. If you remember the game show Family Fortunes, the cross is showing and the ‘Eh-Uhh’ noise is blaring.

Of those who were aware of the GDPR only about a quarter have taken action. Like lots of us with Christmas shopping it looks like there will be a last-minute rush. Of course, just like joining the last-minute rush – you may not get what you want.

The fact that you’re reading this post, plainly means that you’re in the group that’s aware of the GDPR, but you may be wondering what you need to do next.

If you haven’t done it start with an audit of the personal data you are holding. It’s worth remembering that the scope of what counts as personal data is pretty broad. As well as personal data in IT systems, paperwork in any form of filing system may well hold personal data as well.

You may well find that a name and address, for example, is held in 5 different places and be from more than one source. It may take a long time, but once you understand where personal data is located and how it’s held, many of the other requirements for compliance start to fall into place.

If you don’t want to get trampled in the mad last minute rush it’s time to get going.

On Wednesday 17th January, the Data Protection Bill completed its journey through the House of Lords and headed back to the Commons. This means it’s heading toward the last stages before it becomes law.

Over the last few weeks I’ve been asked several times what the difference is between the Bill and the GDPR, also whether the Bill will mean that the GDPR will no longer apply. If you were hoping for this outcome, I’m afraid to dash those hopes. The Bill mentions GDPR 480 times, the Regulation is inextricably woven in.

The Bill enshrines the requirement to comply with the terms of the GDPR into UK law. This means of course that after Brexit you’ll still be required to manage personal data to the same standards as the rest of the EU. This will provide real benefit for firms wanting to do business in Europe.

But, the GDPR doesn’t cover every situation where the UK needs to manage personal data. This is particularly in relation the operation of the government itself, and situations relating to national security.

There has been some friction between the ICO and the government over these additional regulations. The Information Commissioner is concerned that government is giving itself the right to impose a different framework on a range of organisations only loosely connected with delivering public services. There are still some things to be ironed out before the Bill is given the Royal Assent.

For most organisations, these considerations will have little or no impact. The requirement to manage personal data under the terms of the GDPR remains the same, and the 25th of May remains the deadline for compliance.

Happy New Year! Welcome in the GDPR

You know what it’s like, the New Year celebrations are done and its back the realities of work. Part of that reality for 2018 is the enforcement of the GDPR that starts on the 25th May. You’re probably familiar with the basics, but just in case here is the GDPR in 59 words.

The General Data Protection Regulation replaces the Data Protection Act. It extends the definition of personal data and sets tougher sanctions for non-compliance. A new right, Data Portability, allows individuals to take personal data from one organisation to another. Organisations must take a risk management approach to data protection and some are mandated to have a Data Protection Officer.

There’s quite a lot more to it of course and the Regulation is not light reading by any means.

It’s important to recognise that that GDPR has been designed as a set of practical regulations. Let’s take data breaches, the GDPR sets out that there are three classes of breach and then mentions a deadline of 72 hours for a breach to be reported to the supervisory authority (the ICO in the UK).

With the emphasis on risk management though, only breaches that present a risk to peoples’ rights and freedoms must be notified. This was confirmed by Elizabeth Denham, the Information Commissioner back in September of last year.

Data mapping is the key to this risk assessment and its one of the most important things you can do to prepare for compliance. It’s about understanding how personal data flows through the systems and processes of your organisation. From this map, you’ll be able to see the potential risks to ensure the proper security in in place. In the event of a breach you’ll be able to know what data has been compromised and where suspect data can end up.

To see how we can help you be prepared click here

Get the training you need with GDPR Sentry services

Among all the questions about the impact of the GDPR, it’s interesting to see another perspective on concerns about personal data. This comes from consumers in the USA, a country with some mixed attitudes toward privacy in general. From a survey conducted in September 2017, PWC have produced a report for their Consumer Intelligence Series called Protect.me.

There are some fascinating insights into the representative American adult. Fully 45% of the sample thought that their email or social media accounts would be hacked in the next 12 months, 29% expected to be the victim of credit card fraud (really 29%?) and 21% expected their employer would be subject to a cyberattack.

It’s perhaps worth pointing out that 25% of the people asked thought they would have a lottery win in the next 12 months so despite the worries there is still optimism

Of the people asked only 10% felt they have complete control of their personal information. More than 70% felt that the company holding their data (the Data Controller from our perspective) was better qualified to protect that data compared to the Government. At the same time more than 80% felt that there should be regulations covering how companies can use personal data.

What’s interesting is something that makes it into the report almost as a throwaway line.
“Unlike the European Union’s approach to data privacy regulation—known as the General Data Protection Regulation (GDPR)—most US data privacy laws vary by sector, data type, or from state to state.”

Whether we are in the EU or not our decision to implement and abide by the requirements of the GDPR means that we are likely to be given trusted status. This means that there are more that 600 million people whose data can be processed here in the UK. It also means that firms in the EU will be able to outsource to the UK easily. Sometimes there are advantages to doing things as a group!

Mention the UK and the EU right now you’ll almost certainly hear about Brexit.  Organisations pondering life outside of the EU may be forgiven for not being totally up to date with the details of the GDPR.

Take a journey back in time with me to 1963. Britain was trying to get into the six member club that was the EEC. General De Gaulle had just given his first ‘non’ because of a perceived lack of commitment to the principle of the community.

In the same year Richard Mayne the personal assistant to the first President of the EEC said

“On the principle that ‘the devil is in the details’, what should have been a merely formal occasion developed into a debate about the Community’s official languages and the site of its headquarters

It’s arguable whether De Gaulle was proven right in the end, but if the GDPR is anything to go by Mayne was spot on.

The problem is that despite the 99 Articles, the 173 recitals and the hundreds of pages of guidance there are still plenty of places where the regulations must be interpreted. There is discussion about how case law will develop around these blank spaces but who wants the be the name on the court case?

For organisations who are moving towards compliance a judgement must be taken on how to proceed in the world away from the ‘Eurocrats’ (reputedly another Mayne invention). There is a balance between being able to deliver service to customers, keep their information secure and avoiding enforcement action.

The 25th May is not going to be the end of the process by any means. We’ll all be adjusting our view of what the regulations really require for some time to come.

If you want help understanding what the GDPR means for you click here