Numpty Nigel forgets to lock the door

For many people the bathroom is a safe place. A private space. Imagine you have a state of the art Japanese toilet. The seat is heated. Your expensive bluetooth stereo system is playing your favourite tunes through hidden speakers. The air conditioning system with built in AI knows just the temperature you like it. You sit down, get nice and comfortable and then…

By Nigel Jones

Co Founder of The Privacy Compliance Hub

April 2020

…your three-year-old bursts in, desperate for the toilet.

Remember, good security is not just about technology.  There is no point in firewalls and penetration testing if you don’t lock the door.  In this short article we discuss the third most common ‘Privacy Fail’ – allowing papers containing personal data to be lost, stolen or kept in an insecure location.

Each of the ‘Privacy Fails’ we discuss in this series of short articles is real.  They are based on things we have seen at The Privacy Compliance Hub.  They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied.  These things do happen.  A lot.  Don’t let them happen to you.  Don’t be a numpty.

The privacy fail

People still use paper.  They write things down. Like passwords.  Like names.  Like telephone numbers.  Like account details.  Like personal reasons for absence.  This creates a privacy risk which, if not dealt with, leads to a data breach.

Some organisations don’t have adequate security at reception which means anyone can wander around.  They don’t have a culture which empowers staff to challenge strangers in the office.  Staff don’t keep their notebooks locked away at night.  Management don’t lock the filing cabinet with employee or customer data in it.  People leave private documents on the printer.  Some people don’t tidy their desks.

Some organisations don’t restrict who has access to what personal information.  They don’t have a policy of data minimisation.  They don’t have a secure archiving solution.  They don’t have a secure shredding solution (which means confidential paperwork ends up in the bins out the back of the office).

People leave for new jobs and nobody empties their desks or their offices of potentially private or confidential information.  And some people simply don’t lock the door.

You get the idea.

A privacy statistic

The second most common data breach in Ireland in 2019 was due to the loss or theft of paper containing personal information.  It was the fourth most common data breach in the UK.  In other words, failure to deal with this privacy risk does lead to data breaches which the regulators get involved in.

Real life example(s) with real life consequences

In the UK, the Information Commissioner’s Office (ICO) fined a London-based pharmacy £275,000 for failing to ensure the security of special category data (previously known as ‘sensitive data’).  Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware, London.  The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.

How to avoid this privacy fail

Train your staff.  Make them understand the consequences of seemingly innocent actions/inactions.  Make them care by explaining the possible consequences of getting things wrong.  And make them do what you train them to do.  This is all part of creating a culture of continuous privacy compliance.

Have an information security policy which everyone knows about and follows.  Test it and ensure that there are consequences for anyone who doesn’t follow it.  Make sure that your information security policy is dealing with the risks that most often lead to data breaches.  Refer to your information security policy in your standard employment documentation such as your employee handbook.

Finally, if a mistake is made (and everyone does make mistakes) and you are deciding whether you need to notify the regulator or the individual or individuals concerned, you are likely to find this article very useful.  Be careful: under the GDPR you have only 72 hours to notify.

A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA.  It reduces the risk of data breach.

Numpty Nigel

‘Numpty Nigel’ is fictional.  He is not based on any person living or dead.  Any resemblance or similarity to any person living or dead is purely coincidental.  It’s just that one of our Co Founders is called Nigel.  He is not a numpty.  But he does think that ‘Numpty Nigel’ sounds funny.  And the name Nigel is slowly dying out.  So this series of articles is for all the Nigels out there.