Data Breaches Happen

How will you deal with one?


Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word can be as serious as a classic confidentiality breach.

Part of your training for all staff needs to be about recognising when a data breach has happened. For schools, breaches often involve misplaced papers or devices, or emails sent to the wrong person. Although hacking does occur, it represents a small fraction of the breaches reported by educational establishments.

Staff should know to look for:

  • Information being put in the hands of the wrong people
  • Paperwork or devices being lost or stolen
  • Significant errors in information – including being out of date
  • Issues with email, both recipients and content

Handling a breach effectively is practical; preventing breaches is nearly impossible.


Here are some elements you’ll need in your breach plan:


INVESTIGATION

The fundamentals

You’re in the 72-hour window for notifying the ICO.

  • Get the facts, don’t look for blame
  • Involve the person who discovered the breach
  • Make records, you’ll need them later

Critical things to know.

  • How many people might be affected
  • What sort of data is affected and how much of it
  • An initial understanding of how the breach happened
  • Whether anyone has already been affected by the breach
  • How people might be affected

Difficult, but must be done.

  • If you think criminal action is involved report it to the police
  • You might have to initiate disciplinary action


MITIGATION

Where possible:

Depending on the nature of the breach, there may be little that can be done.

  • The type of breach governs what can be done
  • The objective is to minimise the harm that may come from the breach
  • By acting quickly it may be possible to stop any harm

There is no rocket science here.

  • Lost devices may be able to be remotely locked or wiped
  • Credentials can be forced to be changed (even if that’s everyone)
  • Incorrectly distributed material can be recovered
  • Inaccurate information can be updated

But remember:

  • Keep records of all the actions you take
  • Don’t create a new breach by updating with inaccurate information
  • Rushing to tell affected individuals may make the situation worse


NOTIFICATION

A need to know basis:

This is where you need a level head and good advice.

  • You need the results of the initial investigation, and to know that mitigation is underway
  • This is a judgement about the risk to the data subjects
  • You don’t have to have evidence of harm before reporting

The basic decision seems simple.

  • What might happen because of the breach?
  • How likely are those consequences?
  • What might the emotional impacts of the breach be?
  • What might people need to do to protect themselves from further harm?

Reporting requirements:

  • All the information gathered in the investigation is required
  • If you can, report by calling the ICO – have the paperwork ready
  • The report is often not the end of the process


REPAIR

Stopping it happening again.

Why you need to keep a breach record:

  • Record the details of every breach
  • Patterns can tell you something is wrong
  • Having no breaches logged probably means you’re not spotting them

Delivering a long-term fix can require several actions, for example:

  • Identifying that there is a need for additional training
  • Implementing additional protections to existing situations (having lockable drawers for example)
  • Introducing new working methods (cloud storage rather than USB storage)

Sometimes more detailed work is required.

  • If a particular system or process has been involved in more than one breach, you need to understand why
  • Undertaking a Data Protection Impact Assessment will help you isolate the weaknesses
  • This may lead to significant changes to the way you process personal data


For further information on managing breaches, speak to our team today.

With so much confusion and little understanding around GDPR, we were always expecting some interesting headlines.

This week, The BBC reported how a local authority in Sweden incurred a large fine, after trialling facial recognition on students to keep track of attendance.


The Swedish Data Protection Authority (DPA) fined Skelleftea Municipality 200,000 Swedish Krona (£16,800) for flouting a privacy law.

The trial took place in autumn 2018 and had been so successful, the school considered extending it. The DPA noted that, if the trial had been carried out for longer, the fine would have been significantly higher.

The reasons behind the fine…

The GDPR, which came into force last year, classes facial images and other biometric information as being special category personal data (we used to call it sensitive data), with added restrictions on its use.

Although the Swedish local authority did obtain parental consent for the trial, it still needed to show that using biometric data was necessary rather than an alternative.


The local authority had broken the third principle of data protection by using personal data beyond that which was necessary to manage the task of tracking and monitoring attendance.

As a result, the DPA found that Skelleftea’s local authority had unlawfully processed sensitive biometric data, as well as failing to complete an adequate impact assessment, which would have included consulting the regulator and gaining prior approval before starting the trial.

From the school’s point of view, this may have looked like a great management initiative: a safe and secure way of tracking attendance, reducing the time teachers spend monitoring it. Unfortunately for them, they had not done their homework on GDPR.

We are all guilty of shuddering a little when hearing the words ‘GDPR’, right? This is especially true when facing the beginning of the new academic year. The maze of legislation, the do’s and don’ts of data, what to do when a data breach occurs: these are common concerns for many education providers around the UK. The bad news is that data breaches need to be taken seriously and dealt with appropriately; the good news is that there is support available to help you deal with them. Any organisation within the Education sector dealing with the personal data of students and staff must be compliant. It is also a legal requirement for schools and colleges in the state sector to have a data protection officer (DPO).

What does ‘being compliant’ mean?

You should be able to answer the questions below confidently, but also show how you do them:

  • Where do you keep a record of all data breaches?
  • How do you know when these should be reported to the ICO?
  • How does personal data flow across your school, trust or college?
  • How does your organisation deal with data breaches?
  • What happens if someone makes a subject access request or other request?
  • Who has data protection expertise within the organisation?
  • Have all your staff been trained?

Breaches come in many shapes, sizes, and severities. It’s critical to recognise that an integrity breach with a single inaccurate word could be as serious as a confidentiality breach.

We have put together a ‘To Do’ list for dealing with a data breach:

  • When dealing with a breach, always start with the assumption that you’ll be notifying the ICO, for which you have only 72 hours.
  • Get the facts, don’t look for blame, and always involve the person who discovered the breach.
  • You’ll need records later, so begin making records now of every action you take.
  • Get the initial investigation going and know that mitigation is underway.
  • You must make a judgement about the risk to the data subjects.
  • You don’t have to have evidence of harm to make a report; gather all the information from the investigation. If you can, report by calling the ICO with the paperwork ready. Remember, the report is often not the end of the process.

The above outlines a simple checklist for dealing with a data breach, but as we all know, data breaches are just a small percentage of compliance. As practising Data Protection Officers, we can provide support and advice on data breaches as well as SARs, DPIAs, processes, supplier data and more. Speak with our team today.