Tag Archives: data security

Data Security – Microsoft Windows XP and Office 2003

8 April 2014

On 8 April 2014, Microsoft’s support for Windows XP and Office 2003 will come to an end.  Not the end of the world, you’d think, but if your organisation keeps personal information on systems running those versions, this is a significant problem.

PCs will continue to run, but Microsoft will not be providing any further updates or security fixes for these products.  Any security flaw discovered after that date will remain unpatched, so your systems, and in turn any personal data you hold on them, will remain vulnerable.

It is inevitable that, over time, attackers will find more vulnerabilities in these products, giving them more and more opportunities to access and manipulate your systems.  To reduce the risk of personal data breaches in these circumstances, the best advice is to migrate to a supported system before the 8 April deadline.

It’s not just Microsoft: the same issue arises with any provider that stops supporting its products.  So it’s well worth making sure that you and your organisation have ‘appropriate technical and organisational measures’ in place to keep individuals’ personal data safe.

Failure to do so puts you in breach of the Data Protection Act, and the ICO has the power to levy a fine of up to £500,000 on any organisation whose failure to comply with the DPA has led to a serious breach of data security.

The size of fine varies enormously depending on the scale of the breach and the potential damage caused.  For example, the ICO recently fined the British Pregnancy Advice Service £200,000 after a hacker obtained thousands of individuals’ personal details due entirely to poor data security.  And, on a smaller scale, the owner of a loans company, Jala Transport, was fined by the ICO after his car was broken into.  The thief stole £3,600 and a hard drive.  Even though the hard drive was password protected, the data on it was not encrypted, and it included customers’ names, dates of birth, payments made, and the identity documents provided to support the loan application.  A password on a drive only controls access through the device’s own software; if the disk is removed or read with other tools, unencrypted data on it is readable without the password.  His fine could have been as high as £70,000, but was reduced to £5,000 to reflect the limited financial resources of the company and the fact that the breach was reported voluntarily.

In both cases, the breaches were perpetrated by a malicious third party, but it was the businesses’ lack of security and protection of personal data that was the root cause of the fines.  This is why it is so important that companies remain ready for the security issues which will inevitably arise when their service providers switch off support, whether the provider is Microsoft or another.

Data Compliant helps businesses build policies and processes to enable them to become and remain secure and compliant both in terms of systems and governance – if you have any concerns over your data security, don’t hesitate to contact us on 01787 277742 or email tony@datacompliant.co.uk

NHS Data Sharing – why the delay?


It’s good to see that common sense has prevailed, and the roll-out of care.data has been deferred until Autumn – primarily, it would seem, to allow time to make absolutely certain that all patients have been made aware of the plans to do so.

The media, privacy lobby groups and, most notably, both the ICO and the Royal College of General Practitioners flagged their concerns that communication of the NHS data sharing plans to patients had been inadequate, leaving many individuals throughout the country unaware either of the plans to share their sensitive, confidential patient data, or indeed of their right to refuse to participate (see more here about how and why your patient data is to be held in a central NHS database).

There has been some attempt to inform the public – primarily by GPs (mine was excellent, providing information and opt-in / opt-out forms with repeat prescriptions; issuing leaflets and showing posters in the surgery; and showing information on the website).  The NHS distributed some 22 million leaflets which were apparently delivered in January / February, but there has been a great deal of criticism of the leaflet’s creative approach, which has been described as bland … appalling … one-sided … and more.  I have to say, I never received it … or if I did, I threw it away unread on the assumption that it was “junk mail”.

I was interested to read what the Royal College of General Practitioners think, and of their own strong desire that GPs, patients and the nation are all properly informed and able to make their own decision whether to support the development of the NHS database or to opt out: http://www.rcgp.org.uk/news/2014/february/college-welcomes-decision-to-delay-care-data.aspx

On the subject of making people aware … I find it quite fascinating to watch the government’s delight in using broadcast channels like TV and radio to promote themselves when it suits them.  Yet they seem curiously reluctant to use these same channels to inform the public of an issue as significant and important as the sharing of our own sensitive and confidential medical data.

However, it is quite clear that the NHS must now decide how it will ramp up its communication campaign before the Autumn in order to satisfy the public, the ICO, the RCGP and the media.  Only then will it be possible for the launch of care.data to take place.

Data Compliant Ltd provides advice on data compliance, data security, and runs training classes and workshops.  If you or your business have any concerns over your data being compliant and secure, please contact Michelle or Victoria.  

victoria@datacompliant.co.uk                        michelle@datacompliant.co.uk


Data Compliance – Monthly Round-Up

September 2013 Round-up

Information Commissioner toughens up Direct Marketing Guidelines

This month the ICO has published new guidance for direct marketers, with a particular emphasis on consent.  Companies that make it difficult for their customers to find the “small print” run the risk of finding their so-called consent is invalid.  Essentially the ICO is looking to tighten up current consent practices by, for example, putting tighter time limits on the period covered by consent and ensuring that the customer is not forced into consenting as a condition of a service.  Users of personal data are going to need to get used to greater transparency and trust between themselves and their customers.  It is likely that a more creative approach to obtaining consent will be required, such as an explanation of the benefits designed to appeal to the consumer.

Third party use of data is going to become increasingly difficult too, with the onus put on the user of the data to show that consent really has been given to the list provider (see Steve’s article on email marketing success).

If you are concerned that you are not entirely certain what is needed to keep your future campaigns compliant, then contact Victoria – victoria@tuffillverner.co.uk

Unsolicited direct marketing calls – the penalties

The Information Commissioner’s Office (ICO) is clamping down on businesses that make unsolicited direct marketing calls.  The law currently requires the ICO to prove that calls or texts are causing substantial damage or substantial distress before it can issue a penalty to the perpetrator.  The ICO is now asking the government to lower the degree of harm that needs to be proven, so that an investigation would only have to show annoyance or nuisance before the ICO could act.

The ICO routinely collects data from complaints made both to its own office and to the TPS, which helps identify organisations that may be a cause for concern.

As a result of that activity, in the first quarter of 2013 the ICO issued its first fine for making unsolicited live marketing calls: DM Design was fined £90,000.  In the last quarter the ICO has issued two further monetary penalty notices for making unsolicited calls, against Nationwide Energy Services (£125,000) and We Claim You Gain (£100,000): not insubstantial amounts.

The main topics of cold marketing calls are still PPI, then Energy / Green energy and Accident claims.  These are closely followed by debt management.

Automated calls can be made from outside the UK, in which case the steps that can be taken against the companies making the calls are obviously limited.

It is clear that the ICO is determined to make it very plain to all companies and organisations using (or selling) data for marketing purposes, that they must follow the law.

The ICO selects a number of companies for monitoring based on the complaints it and the TPS receive, then reviews the complaint levels over the monitoring period.  It’s amazing what a little fear can do to make even quite large companies adjust their thinking in this area: TalkTalk saw a massive 75% reduction in complaints over nine months of monitoring; British Gas a 59% reduction over the same period; while Scottish Power complaints were reduced by 30%.

If you have any concerns over how to ensure your telemarketing is compliant, please contact Victoria – victoria@tuffillverner.co.uk

Encryption: do you understand the  options available and how you can use them?

The Data Protection Act requires organisations that store personal information electronically to have appropriate measures in place to keep that information secure.  If the loss of this information would cause damage and distress to those affected, then the Information Commissioner’s Office (ICO) expects the information to be encrypted.

If it isn’t, then the organisation is not keeping the information secure and is leaving itself open to possible enforcement action.  Penalties totalling £700,000 have so far been issued to organisations that failed to properly encrypt their data.

So it’s definitely worth looking at the different types of encryption available and making them work for your organisation.  If you are thinking about the need for encryption but don’t fully understand the different options available to you, then do contact Tony at tony@tuffillverner.co.uk

Subject access requests – failure to comply can be costly

Following the publication last month of the Subject Access Code of Practice, the handling of subject access requests is becoming increasingly important.  After a complaint from a member of the public, action has been taken against Cardiff City Council over systemic failures that left the council unable to respond to individuals’ subject access requests within the 40-day time limit.

So it’s worth noting the importance of tightening up procedures and making sure staff are properly trained to handle such requests in compliance with the DPA.

If you are unclear of your obligations and would like advice on the matter, do contact michelle@tuffillverner.co.uk

Do your employees work from home?  Or use a smartphone?

It is well worth reviewing the measures you have in place to make sure personal information accessed and used by home workers is kept secure.  It is becoming increasingly common for individuals to work from home, and to access data via tablets and smartphones.

Aberdeen City Council has just been served with a penalty of £100,000 after sensitive personal information relating to the care of vulnerable children was inadvertently posted online by one of their home workers. The information was freely available for a three-month period before a council employee spotted it and the information was taken down.

An investigation found that the council had no means of monitoring how personal information was being accessed and used by its home workers and, worse yet, provided no guidance to help people working from home keep personal information secure.

So do make sure you follow the guidelines, especially if your employees are using smartphones and other personal devices to access personal data outside the office.  If you’d like some information on the sorts of measures you should be taking, please contact Michelle – michelle@tuffillverner.co.uk

New teaching materials will help young people to take control of their information

Great news that the ICO has published new teaching materials for schools to help teachers explain to young people the importance of looking after their personal information.  Especially since a 2011 survey showed that, although 9 out of 10 secondary school pupils were using a social networking website, 60% paid no attention to that website’s privacy policy.

The educational material has been developed by teachers and tailored to specific areas of the curriculum with a focus on helping youngsters understand the value and importance of their personal information and teaching them how they can look after it.

No surprise after Leveson consultation that the Press is deemed to need further guidance on conduct and ethics

Last year’s Leveson Inquiry made a number of recommendations relating to the conduct and ethics of the press.  The most high-profile recommendation for the ICO was that it should better educate the press about their legal obligations under the DPA.

A consultation was launched in March to find out stakeholders’ views on a potential code of practice to explain the law as it stands.  Responses were received from several media companies, individuals, regulators and representative bodies.  The responses have raised concerns that any new code of practice would cause confusion with the existing Editors’ Code.

Tuffill Verner Associates provides data compliance advice – if you have any concerns or are unclear on a particular issue, just drop us an email or give us a call.

victoria@tuffillverner.co.uk   01787 277742 / 07967 148398

michelle@tuffillverner.co.uk   01206 392909 / 07760 257427