The Data Protection Act means protecting personal data is now an issue affecting any organisation storing or using personal information about its prospects, customers, members, employees or anybody else.
"Any organisational head who has not ensured that all staff have received appropriate data protection training is sitting on a data loss time bomb." So says Barry Seward, Information Security Specialist with DLP Assured.
The consequences of a data leak can be very serious and very expensive. Currently, organisations are under a legal obligation to protect personal and sensitive personal data under their control. A data leak can lead to the imposition of large fines by the Information Commissioner. "Apart from fines, anyone in breach could face huge cleanup costs and a damaging loss of reputation and trust," adds Seward. "It has been reported that in 2011 the hack of the Sony Playstation Network led to a $171 million dollar cleanup bill."
The ways in which "personal" or "sensitive personal" data (as defined in the Data Protection Act) can leak, or another breach can occur, are many and varied. In addition to criminal activity, they include inadequate organisational procedures, employee carelessness and general ignorance of the appropriate practices and behaviours.
Significantly, it is widely held that eighty percent of data breaches involve employees failing to build adequate data security into their routine procedures. HMRC, for example, lost personal data concerning 25 million people because someone sent unencrypted CDs in the post.
The increasing use of mobile devices on unsecured networks in public places by staff also greatly raises the risks of data loss or theft.
Organisational managers need to consider every member of their staff who hasn't received comprehensive, engaging, rigorous and up-to-date training as a potentially catastrophic loss of data waiting to happen.
According to Olivia Whitcroft, solicitor and sole principal of OBEP, an English law firm specialising in data protection and information law, "Breaches of the Data Protection Act arise from a failure to use personal data in accordance with certain key principles. This may include, for example, accidentally sending data to the wrong person, failing to give an individual a copy of their personal data upon request or inadequate destruction of data at the end of its lifecycle. It is therefore important for all staff to have at least a basic understanding of the obligations; the Information Commissioner's Office expects this." Data Controllers are required to register with the Information Commissioner's Office unless they are exempt, but exemptions are very unlikely to apply to large organisations. As part of the notification process, organisations must confirm that they've trained their staff so that they're fully aware of how personal data should be protected. This is a requirement of the Data Protection Act.
So what is likely to constitute suitable training to protect organisations from data loss breaches caused by employees' mistakes?
Whatever route organisations take to train their staff, the content needs to be engaging. Steve Bownass, Head of Educational Design for training producer New Compliance, says: "Many people who handle confidential data on a daily basis see the subject of data protection itself as dull or technical and probably beyond their understanding and influence. So it's vital they appreciate that the issues at the centre of data protection are both simple to understand and easy to incorporate into daily working practices. An ideal medium is video, which is contemporary and familiar, as well as being powerful and easy to take in."
Another hurdle is that people don't appreciate how important their own implementation of security measures is. How many people do we know, for example, who protect their computers with a password like "Fido" or "Janice"? How many people do we know who spend at least a little of their working day opening and reading "round robin" emails? Do we know anyone with a mobile phone on which all the personal information is encrypted (as it should be)? An engaging training medium is vital in convincing them that they need to change their attitudes and practices.
In this digital age, protecting paper-based data can easily be overlooked, as can the manipulative activities of colleagues and suppliers who may be trusted but may not be trustworthy. Training must therefore be comprehensive and cover these areas too, alerting people to the many routes to data loss and theft.
The best training will be rigorous too. Mechanisms for participants to positively confirm their understanding, such as quizzes, will go a long way towards increasing their confidence and motivation, persuading them that the issues are "for them", that is, relevant and achievable.
Having the ability to monitor and record individuals' performance in tests will provide organisations with evidence both that the training has been carried out and that the key messages have been taken up. This will be very useful in identifying weaknesses and in providing mitigation in the event of a data loss incident. It argues for a technology-delivered approach such as an internet- or intranet-based Learning Management System that includes automatic capture of performance statistics.
Refresher training based on the most up-to-date information should be delivered annually to fulfil the requirements of the Data Protection Act. Re-testing should then be carried out and the results retained to demonstrate compliance with the measures taken.
Data loss breaches are bad news, and the biggest risk of the bomb going off lies in the people who handle the data. The best way to minimise the risk is to provide high quality training to engage people, give them the full picture, keep them up to date and record the results. "Anything less," says Seward, "is a gamble no organisation can afford to take."
View – http://www.newcompliance.co.uk/Demo/Video.php