Data Protection as a Service November 2023 Newsletter

From

Cyber Security Partners

Your Trusted Security Partner

Newsletter Highlights

• ICO Fines NHS Fife

• Universities Failure to Comply

• Charnwood Borough Council reprimand

NHS Fife

Source: ICO

The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Fife, after an unauthorised person was able to enter a ward and access the personal information of 14 patients.

In February 2023, an unauthorised person gained access to a ward. Due to a lack of identification checks and formal processes, the non-staff member was handed a document containing personal information of 14 people and assisted with administering care to one patient.

The data was taken off site by the person and has not been recovered. While the hospital had CCTV installed, the wall socket the CCTV was plugged into had been accidentally turned off by a member of staff prior to the incident. The police have not been able to identify the person or recover the lost data, hindered by the lack of CCTV footage.

The ICO’s investigation concluded that NHS Fife did not have appropriate security measures for personal information, as well as low staff training rates. Following this incident, NHS Fife introduced new measures such as a system for documents containing patient data to be signed in and out, as well as updated identification processes.

CSP – DPaaS November 2023

CSP’s advice:

In the NHS Fife CCTV instance, there are a number of ways that the power to the CCTV system could have been managed better, such as putting CCTV power sources in a secure communications room, establishing a responsible person for all CCTV in your business, and ensuring regular checks are made of the CCTV system. The following five top tips should be observed when operating CCTV for your business.

Cyber Security Partners’ DPaaS Information Handling Training can provide this to your users on either a scheduled or ad-hoc basis.

5 Top Tips

1. An employer must register as a data controller and must notify the ICO and outline the purpose of using CCTV at work. Any footage collected cannot be legally used for any other purpose.

2. All employees must be informed that they are being recorded. This can be achieved by the use of clear and visible signage in any areas of the workplace that are being monitored.

3. Cameras should not be installed in any private area of the workplace where complete privacy is expected, such as toilets and changing rooms.

4. If an individual has been recorded and requests to see the footage featuring them, you must provide access within one month.

5. ICO guidance states that a nominated person in the organisation should be made responsible for the storage of video, system procedures and reviews.

Please note CSP offices will close for the Christmas break on the 22nd December and re-open for business on the 2nd of January 2024. Thank you for your support throughout 2023!

Universities failure to comply

Source: 7 Dots – Digital Agency

A new report by digital agency 7DOTS reveals a failure of Universities and higher education institutions to comply with data protection laws. The study, based on a detailed analysis of 335 Universities and Higher Education colleges, highlights a startling 81% non-compliance rate with current General Data Protection Regulation (GDPR) standards. The widespread compliance failure revealed by 7DOTS raises significant concerns about the safeguarding of student and other website visitor data and the potential risks of hefty fines due to non-compliance.

Last week the UK’s Information Commissioner’s Office (ICO) warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies.

The research, conducted using a custom cookie compliance testing tool developed by 7DOTS, reveals a strikingly low (32%) implementation rate of Consent Management Platforms, which are a crucial component for GDPR adherence.

CSP’s advice:

Cookies are regulated by both the Privacy and Electronic Communications Regulations (PECR) and GDPR. We advise:

• Cookies used to track page views may contain information that can be linked and tracked back to an individual (an ‘online identifier’). Consider what data you are tracking as part of your cookie design.

• Review your existing or planned cookies and the data that is captured. Keep track of this and log it in the DPIA if personal data is captured.

• Ensure that your websites have consent mechanisms in place that allow the visitor’s choice (consent or deny) to be recorded and implemented. Check that any data shared with third parties falls into the correct ‘consent third party’ category.

Charnwood Borough Council - Reprimand

Source: ICO

A Council had not communicated the process to make address changes to a vulnerable service user (the data subject) and consequently sent information on how to change address to the data subject’s old address. An alleged perpetrator of domestic abuse at the old address opened documentation sent by the Council and found out where the data subject was now residing. In addition, the Council had not ensured that all members of staff involved in this incident had received data protection training in the twelve months prior to the incident.

CSP - Guidance and top tips

Here are some tips on how to reduce the impact of an incident like this occurring. In general terms, it is down to understanding how users of your service can update their information, such as a change of name, address, phone number and other sensitive pieces of information.

1. Identify who owns the information in a database and establish responsibility for documenting procedures.

2. Establish a procedure for staff to enquire about how to manage changes to sensitive information.

3. Establish a formal training program about how to manage sensitive information, so people can learn about confidentiality and integrity of information.

For help implementing data protection services, contact us via:

www.csp.partners

info@csp.partners

0113 532 3763

Cyber Security Partners Ltd Yorkshire House, Greek Street, LS1 5SH
