………….your three year old bursts in, desperate for the toilet.
Remember, good security is not just about technology. There is no point in firewalls and penetration testing if you don’t lock the door. In this short article we discuss the third most common ‘Privacy Fail’ – allowing papers containing personal data to be lost, stolen or kept in an insecure location.
Each of the ‘Privacy Fails’ we discuss in this series of short articles is real. They are based on things we have seen at The Privacy Compliance Hub. They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied. These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.
The privacy fail
People still use paper. They write things down. Like passwords. Like names. Like telephone numbers. Like account details. Like personal reasons for absence. This creates a privacy risk which, if not dealt with, leads to a data breach.
Some organisations don’t have adequate security at reception which means anyone can wander around. They don’t have a culture which empowers staff to challenge strangers in the office. Staff don’t keep their notebooks locked away at night. Management don’t lock the filing cabinet with employee or customer data in it. People leave private documents on the printer. Some people don’t tidy their desks.
Some organisations don’t restrict who has access to what personal information. They don’t have a policy of data minimisation. They don’t have a secure archiving solution. They don’t have a secure shredding solution (which means confidential paperwork ends up in the bins out the back of the office).
People leave for new jobs and nobody empties their desks or their offices of potentially private or confidential information. And some people simply don’t lock the door.
You get the idea.
A privacy statistic
The second most common data breach in Ireland in 2019 was due to the loss or theft of paper containing personal information. It was the fourth most common data breach in the UK. In other words, failure to deal with this privacy risk does lead to data breaches which the regulators get involved in.
Real life example(s) with real life consequences
In the UK, the Information Commissioner’s Office (ICO) fined a London-based pharmacy £275,000 for failing to ensure the security of special category data (previously known as ‘sensitive data’). Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware, London. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.