A lot of the time we as consumers have the option to choose which service we entrust with our data.
Choosing the right communication for information security
When choosing a bank one might go with the one we felt had the most secure online banking service or when shopping online choosing a retailer that uses PayPal to take payment. We can’t however choose a council or an NHS trust, (well, apart from choosing where we live of course). These organisations hold sensitive personal data on us that we have the right to request, but sometimes we don’t have the same assurances that come with other services. For example the news from earlier this month that reported that councils commit four data breaches a day is worrying for everyone. One of these statistics states that in 3 years there was 628 instances of the wrong data being shared via letters, emails or faxes.
The ICO is an organisation that helps ensure that the Data Protection Act is being adhered to, and when the NHS or Councils are found lacking, they step in. They are calling for tougher sentencing for people within these organisations committing the data breaches.
Another incident of a similar nature that happened within the NHS in March last year shows faxes containing patient identifiable information were sent to a member of the public from North Tyneside Hospital. The ICO looked into this matter and this is their report.
As part of our information security management system (ISMS) we have a policy on the use of faxes; they are not to be used AT ALL for any communications that contain patient identifiable or restricted information! But part of the problem at North Tyneside Hospital was that there was suitable policies in place to prevent these type of occurrences but they weren’t adhered to across departments. When further security incidences of the same type were discovered this is when the ICO stepped in.
Choosing how best to communicate with customers or clients can be tricky, often we trade security for convenience but this can sometimes create problems with over-familiarity and then that is when errors can occur. Most of our communications are sent via email and as apart of our internal information security training, staff are taught to analysis the content of their email and mark them as restricted in the subject line if they contain sensitive information. Patient identifiable information is never sent online unless it is encrypted.
Our ISMS is certified to ISO27001:2013 and we are registered as data controllers with the ICO. We pride ourselves on communicating with our clients in the manner most convenient for them, but we have to consider information security at the forefront of all our communications. Mistakes do happen, but when data breaches occur because people are willing sharing information they should not; we welcome the ICO’s call for custodial sentences as punishment.