Data Protection as a Service November 2023 Newsletter
From
Cyber Security Partners
Your Trusted Security Partner
Newsletter Highlights
• ICO Fines NHS Fife
• Universities' Failure to Comply
• Charnwood Borough Council Reprimand
ICO Fines NHS Fife
Source: ICO
The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Fife, after an unauthorised person was able to enter a ward and access the personal information of 14 patients.
In February 2023, an unauthorised person gained access to a ward. Due to a lack of identification checks and formal processes, the non-staff member was handed a document containing personal information of 14 people and assisted with administering care to one patient.
The data was taken off site by the person and has not been recovered. While the hospital had CCTV installed, the wall socket the CCTV was plugged into had been accidentally turned off by a member of staff prior to the incident. The police have not been able to identify the person or recover the lost data, hindered by the lack of CCTV footage.
The ICO’s investigation concluded that NHS Fife did not have appropriate security measures for personal information, as well as low staff training rates. Following this incident, NHS Fife introduced new measures such as a system for documents containing patient data to be signed in and out, as well as updated identification processes.
CSP’s advice:
In the CCTV instance with NHS Fife, there are a number of ways the power to the CCTV system could have been managed better, such as putting CCTV power sources in a secure communications room, establishing a responsible person for all CCTV in your business, and ensuring regular checks are made of the CCTV system. The following five top tips should be observed when operating CCTV for your business.
5 Top Tips
1. An employer must register as a data controller and must notify the ICO and outline the purpose of using CCTV at work. Any footage collected cannot be legally used for any other purpose.
2. All employees must be informed that they are being recorded. This can be achieved by the use of clear and visible signage in any areas of the workplace that are being monitored.
3. Cameras should not be installed in any private area of the workplace where complete privacy is expected, such as toilets and changing rooms.
4. If an individual has been recorded and requests to see the footage featuring them, you must provide access within one month.
5. ICO guidance states that a nominated person in the organisation should be made responsible for the storage of video, system procedures and reviews.
Cyber Security Partners’ DPaaS Information Handling Training can provide this to your users on either a scheduled or ad-hoc basis.
Please note CSP offices will close for the Christmas break on the 22nd December and re-open for business on the 2nd of January 2024. Thank you for your support throughout 2023!
Universities' Failure to Comply
Source: 7 Dots – Digital Agency
A new report by digital agency 7DOTS reveals a failure of Universities and higher education institutions to comply with data protection laws. The study, based on a detailed analysis of 335 Universities and Higher Education colleges, highlights a startling 81% non-compliance rate with current General Data Protection Regulation (GDPR) standards. The widespread compliance failure revealed by 7DOTS raises significant concerns about the safeguarding of student and other website visitor data and the potential risks of hefty fines due to non-compliance.
Last week, the UK’s Information Commissioner’s Office (ICO) warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies.
The research, conducted using a custom cookie compliance testing tool developed by 7DOTS, reveals a strikingly low (32%) implementation rate of Consent Management Platforms, which are a crucial component for GDPR adherence.
CSP’s advice:
Cookies are regulated by both the Privacy and Electronic Communications Regulations (PECR) and GDPR. We advise:
• Cookies used to track page views may contain information that can be linked and traced back to an individual, i.e. an ‘online identifier’. Consider what data you are tracking as part of your cookie design.
• Review your existing or planned cookies and the data that is captured. Keep track of this and log it in the DPIA if personal data is captured.
• Ensure that your websites have consent mechanisms in place that allow the visitor’s choice (consent or deny) to be recorded and implemented. Check that any data shared with third parties falls into the correct ‘consent third party’ category.
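As an added illustration of the consent mechanism described in the last point (example code written to accompany this newsletter, not CSP’s own tooling or the 7DOTS testing tool), the following JavaScript keeps a deny-by-default consent record, stores the visitor’s choice in a first-party cookie, and uses the recorded choice to decide which declared cookies, and which third-party vendors, are permitted. The cookie names, categories and the vendor name are constructed assumptions for the example.

```javascript
// Added example, not part of the newsletter: deny-by-default consent handling.
// Cookie names, categories and the vendor below are constructed for illustration.

const CATEGORIES = ["essential", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent"; // first-party cookie holding the choice (itself essential)

// Constructed declarations: every cookie the site may set, with its purpose category.
// This is the inventory that belongs in the DPIA log where personal data is captured.
const COOKIE_DECLARATIONS = [
  { name: "session_id", category: "essential", thirdParty: false },
  { name: "_pageviews", category: "analytics", thirdParty: false }, // an 'online identifier'
  { name: "_ad_id", category: "marketing", thirdParty: true, vendor: "example-ad-network" },
];

// Nothing beyond essential cookies is allowed until the visitor has made a choice.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, recordedAt: null };
}

// Record an explicit consent or deny for one category, timestamped for the audit trail.
function recordChoice(consent, category, granted, now = new Date()) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === "essential") return consent; // never asked for, never refusable
  return { ...consent, [category]: granted === true, recordedAt: now.toISOString() };
}

// The cookies the site may actually set given the recorded choice.
function allowedCookies(declarations, consent) {
  return declarations.filter((d) => consent[d.category] === true);
}

// Third parties that may receive data under the current choice.
function permittedVendors(declarations, consent) {
  return allowedCookies(declarations, consent)
    .filter((d) => d.thirdParty)
    .map((d) => d.vendor);
}

// Serialise the choice into a Set-Cookie value (180 days, first-party only).
function consentSetCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Read the choice back from a request's Cookie header. Anything missing or
// malformed falls back to deny, so a corrupted cookie can never grant consent.
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      const consent = defaultConsent();
      for (const c of CATEGORIES) {
        if (c !== "essential") consent[c] = parsed[c] === true;
      }
      consent.recordedAt = typeof parsed.recordedAt === "string" ? parsed.recordedAt : null;
      return consent;
    } catch {
      return defaultConsent();
    }
  }
  return defaultConsent();
}

// Usage: on each request, parse the header, then set only allowedCookies(...).
const visitor = recordChoice(defaultConsent(), "analytics", true);
console.log(allowedCookies(COOKIE_DECLARATIONS, visitor).map((d) => d.name));
console.log(consentSetCookie(visitor));
```

The important design choice is that the parser treats anything other than an explicit `true` as a deny, so an absent, tampered or out-of-date consent cookie never widens what the site is allowed to set.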
Charnwood Borough Council - Reprimand
Source: ICO
A Council had not communicated the process for making address changes to a vulnerable service user (the data subject) and consequently sent information on how to change address to the data subject’s old address. An alleged perpetrator of domestic abuse at the old address opened documentation sent by the Council and found out where the data subject was now residing. In addition, the Council had not ensured that all members of staff involved in this incident had received data protection training in the twelve months prior to the incident.
CSP - Guidance and top tips
Here are some tips on how to reduce the likelihood and impact of an incident like this. In general terms, it comes down to understanding how users of your service can update their information: changes of name, address, phone number and other sensitive pieces of information.
1. Identify who owns the information in a database and establish responsibility for documenting procedures.
2. Establish a procedure for staff to enquire about how to manage changes to sensitive information.
3. Establish a formal training program about how to manage sensitive information, so people can learn about confidentiality and integrity of information.
For help implementing data protection services, contact us via:
www.csp.partners
info@csp.partners
0113 532 3763
Cyber Security Partners Ltd Yorkshire House, Greek Street, LS1 5SH