Keeping Data Secure
I am writing this blog because it is interesting when you start looking at security issues from a DPO's point of view, as it links the security principle, art.5(1)(f), the responsibilities of the controller, art.24(1), and the security of processing, art.32, together. These three elements bring together appropriate security as appropriate technical or organisational measures. It can help to break down what technical and organisational measures are and the types of things that we look to achieve.
Keeping personal data secure is a legal requirement under the UK GDPR, as well as obligations contained in standards such as ISO27001 or PCI-DSS. More generally, it is in the wider interest of all organisations to maintain appropriate security as part of their risk management processes for the protection of personal information. Organisations must ensure that they have appropriate security and procedural controls and safeguards in place to preserve the confidentiality, integrity, and availability of personal information. Article 32 of the UK GDPR sets out some of the aims that technical and organisational measures should achieve to be considered appropriate for the protection of personal data. It is important for organisations, as part of their accountability measures, to always uphold, maintain and keep under review their security measures.
Below are some examples of how we can achieve this:
• Enforcing good password usage (hard-to-guess passwords)
• Regular pentesting (penetration testing) of security measures in place
• Risk assessing new projects that involve the processing of personal data (i.e., conducting appropriate DPIAs)
• Encryption (at rest and in transit)
• Device management, software updates, security and remote wipe facility
• Secure document retention and disposal procedures
• Conducting data protection due diligence checks on all contracts involving personal data to ensure that appropriate security controls and safeguards are in place throughout the supply chain
• Appropriate and regular training for all staff
• Role-based access controls and effective joiners, movers, leavers process
• Ensuring systems are configured appropriately (e.g., hardened settings rather than the defaults)
• Data loss prevention tools and secure data transfers/sharing
• Multi-factor authentication
• A framework of appropriate policy and procedures
• Internal audits and compliance reviews to demonstrate/provide assurance that appropriate controls and safeguards are maintained
• Strong antivirus and cyber protection through to security information and event management (SIEM).
One of the biggest challenges for organisations is keeping data secure both on-site and off-site.
Keeping Data Secure On-Site
Paper: When you need to work with paper records, these must be locked away when not in use and at the end of each working day. When they are no longer needed, they must be disposed of securely, using confidential waste bins, a confidential disposal service or a cross-cut shredder. Shredding can be done by a company that shreds on-site or collects the material for off-site disposal. Alternatively, you can shred it on-site yourself, but depending on the sensitivity of the information on the paper, you may need a particular grade of shredding for the disposal to be secure.
A clear desk policy should be applied when leaving your desk and you must ensure that no paper records are left behind unattended. All printed material should be collected immediately and not left on the printer. Paper records must be kept to a minimum.
Electronic: Laptops, tablets, smartphones, and any other electronic devices should be appropriately protected (e.g., encrypted hard drives, mobile device management), multi-factor authenticated or password protected as a minimum, with an automatic lock set. When leaving your desk, you must always lock your screen so people cannot read what is on it or access your workstation or machine. A simple rhyme is ‘Control, alt, delete before you leave your seat’. You could also request a privacy screen from IT for your monitor and/or laptop to further protect your privacy when working on your device.
A further consideration is that sensitive and/or commercial information must not be included in the title when naming a document, as some newer scan and print services keep records of the documents that are printed/scanned.
Email: Where possible, emails should be sent in an encrypted format, especially if communicating personal, sensitive, or confidential data with external organisations. Familiarise yourself with O365 encryption (and data loss prevention measures) and request that IT set the necessary permissions (if they are not already set) before sending an email. You should liaise with your IT department if you need help with O365 encryption.
Keeping Data Secure Off-Site
Serious consideration should be given to when and whether it is necessary to take information off-site, especially paper records containing personal, sensitive, commercial or otherwise confidential data. Before taking paper records off-site you should check whether there is an alternative way of accessing those records (such as scanning or accessing them online via an encrypted laptop). If you must take them, you should also ensure that only the minimum amount of paper records needed for the required task is taken off-site. Additional security considerations may also need to be applied to ensure the security of the paper records.
When taking information off-site, including that contained on mobiles, tablets, and laptops you may wish to consider the following:
• Are you authorised to take documents/information off-site and/or work remotely from the office?
• Bags containing information should never be left unattended (i.e., without physical safekeeping), especially in public places (e.g., trains, pubs, etc).
• Whenever possible, paper documents should be kept separately from electronic data or other personal valuable items.
• Information should be transported in a way that avoids the risk of theft, loss, unauthorised access or disclosure (i.e., kept in physical safekeeping at all times).
• If it is unavoidable to leave information/devices in a car (e.g., whilst filling up with petrol), information/devices should be locked in the boot of the car.
• Information/devices should always be secured at home at the end of the day in the same way you would do at work.
• Organisational policies and procedures govern the way you work at work, but they are not bound to the office's bricks and mortar. Organisational policy and procedure therefore apply wherever you are entitled to work (home, remotely, client site, etc.).
• Sharing of personal data should only be done when it is absolutely necessary to do so and always ensure any personal data shared is fair and relevant and in compliance with the data protection principles.
• If you are required or requested to share personal data with another controller (e.g., the police, a GP practice, a school, or a local authority) you must be satisfied that the reason for sharing is lawful and justified. You must also ensure that both you and the receiving controller are protecting the information equally and, if necessary, keeping it current and regularly updated. When sharing personal data with another controller you must follow some basic rules for data sharing, such as having relevant and up-to-date data sharing agreements in place outlining the reasons and the way in which personal data will be shared.
• Personal data can only be shared outside of the UK if there is an appropriate transfer mechanism in place (e.g., adequacy, IDTAs, SCCs with the UK addendum) to ensure that adequate data protection measures are in place to protect the personal data shared.
The other thing that we also need to be mindful of in terms of data security is environmental risk. For example, important paper documents kept in a non-fireproof filing cabinet could well be lost or damaged in the case of a fire. Likewise, paper documents that may be subject to water ingress, because they are kept in a basement or in filing cabinets below water pipes, could be lost or irreparably damaged by the water. Apart from making sure that data is secure, we also need to be mindful of data loss through environmental factors. More importantly, such loss would amount to a personal data breach and could be subject to ICO and/or data subject notification.
Bearing this in mind, server rooms need to be maintained with specific environmental controls, which can include temperature and humidity sensors to monitor the climate within the room and adjust it as required. Further protection may include air conditioning and fire suppression systems that react to certain stimuli. Monitoring is essential so that we are alerted before environmental factors cause any damage to the servers or the wider network infrastructure. Security of data goes beyond keeping it locked up: it also means preventing it from being damaged, lost or accessed unlawfully or without authorisation. Therefore, although we might not be able to completely eradicate certain risks (like fire or water ingress), we might be able to mitigate them better (e.g., using a fireproof filing cabinet, or relocating records away from potential sources of water ingress).
Although the regulation is not prescriptive and does not mandate a specific set of security measures, it does set out expectations or aims that must be met for security to be considered appropriate, and it expects organisations to take ‘appropriate’ actions and implement appropriate measures to protect the personal data that they process. You should be looking at data security from the perspective of the data lifecycle (creation through to destruction) and at anything that can or may have an impact at any stage of that cycle. While organisational measures such as policies and procedures are usually seen as fundamentals, you also ought to be carrying out compliance reviews and audits of the measures that you have implemented to ensure that they remain current and effective. So, although you might all have an idea of what data security is, do you test the security measures in place to identify whether they are appropriate to the risks? Do you check whether the measures are maintained and adhered to, and whether they work sufficiently to protect the organisation and the data that you are processing? How often do you look for areas of improvement, and is this evidenced for accountability purposes? Testing is a very important aspect of keeping data secure, so let’s not forget to always test what you have in place: what is appropriate now may not be appropriate in the future, so you need to make sure that it is maintained.
Our mantra here at Data Protection People is to make data protection easy! I hope you find the blog interesting. If you need assistance with data protection or if you feel we can help you or need assistance with understanding the security of your environment, please come and talk to us. Our dedicated team of experts are always on hand to help.
If you would like to get in touch and see how we can assist you, click here.