Data Protection as a Service February 2024 Newsletter
From Cyber Security Partners
Your Trusted Security Partner
Newsletter Highlights
• Council Insider Steals 79,000 Email Addresses
• Serco issued enforcement notice for staff biometrics
• ICO approves legal services certification scheme
Stratford-on-Avon Council Data Breach
Source: The Register | Connor Jones
Stratford-on-Avon District Council has concluded its investigation into a November data breach, finding that a former council staff member stole thousands of email addresses from a garden and waste collection database. A database holding information on Warwick District Council residents was also accessible due to a joint working arrangement between the two councils, with a total of 79,000 email addresses being stolen.
"On behalf of the council I would like to apologise for this data breach," said David Buckland, chief executive at Stratford-on-Avon District Council.
"It is important to stress that this information only contained email addresses; it did not contain any bank details, or names and addresses. We have concluded through our investigations that this data breach was a deliberate act by an individual, and not a breakdown of the robust internal controls we have in place."
The addresses were stolen for the purposes of promoting the individual’s business, unrelated to the council. The person responsible no longer works for the council.
The unnamed individual was referred to Warwickshire Police and investigated by law enforcement, but has escaped with an official caution.
CSP’s advice:
If insider threats are a concern for your organisation, we suggest that you:
• Limit access to sensitive databases and information only to authorised personnel who have a legitimate need. Use strong authentication mechanisms like two-factor authentication to ensure only those with authority can gain entry.
• Educate employees about the importance of data security and potential consequences of insider threats. Include topics such as data protection, acceptable use, and the risks associated with unauthorised data use.
• Implement a separation of duties policy to ensure that no single employee has excessive access privileges or control over critical systems and data.
Cyber Security Partners’ DPaaS Information Handling Training can provide this to your users on either a scheduled or ad-hoc basis.
Serco issued enforcement notice for staff biometrics
Source: The Register | Lindsay Clark
The ICO has issued an enforcement notice to stop Serco from using facial recognition and fingerprint scanning to monitor staff at 38 leisure centres it runs.
An investigation by the ICO found that Serco Leisure and several associated community leisure trusts had unlawfully processed the biometric data of over 2000 employees at all the leisure facilities to track attendance and to calculate pay. The ICO has also ordered them to destroy all biometric data that they are not legally obliged to retain within three months.
Information Commissioner John Edwards said the data represents a risk to individuals in the event of inaccuracies or security breaches, and added that, in the context in which Serco and the trusts were using it, facial recognition was neither fair nor proportionate under data protection law.
“Serco Leisure did not fully consider the risks before introducing biometric technology to monitor staff attendance, prioritising business interests over its employees' privacy. There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they must hand over their biometric data to work there,” the Commissioner said in a statement.
Authentication Types
To prevent this scenario from happening to you, we recommend that you:
• Conduct a thorough Privacy Impact Assessment to assess the privacy risks and ensure compliance with data protection laws. The assessment should consider the necessity, proportionality, and potential impact on individuals’ rights and freedoms.
• Conduct regular audits and assessments to ensure ongoing compliance with internal policies and data protection laws. This should include monitoring the use of biometric systems, evaluating their effectiveness, and addressing any identified risks or non-compliance issues.
• Define clear guidelines for the retention and deletion of biometric data. Ensure data is not retained for longer than what is necessary and make sure it's securely deleted when no longer required for its stated purpose.
ICO approves legal services certification scheme
Source: ICO
The ICO has approved a certification scheme designed to help legal service providers demonstrate compliance with UK data protection law when processing clients’ personal data. It is called the Legal Services Operational Privacy Certification Scheme (LOCS) and aims to provide enhanced confidence and trust that personal data and data subject rights are protected.
The scheme applies to legal service providers (both processors and controllers), including law firms, barristers’ chambers, barristers, solicitors, and other providers, for their processing of personal data in relation to the legal services they provide.
It is the fifth set of UK GDPR certification criteria that the ICO has approved, and it follows four others that have been approved successfully and published on the ICO website.
There are many security standards that any organisation can adopt to demonstrate that it is a responsible, secure data processor or controller. The available certifications range from:
• Cyber Essentials (Plus) – a government backed scheme developed for all companies and organisations,
• International security standards such as ISO27001,
• More stringent industry standards, such as Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA).
For help implementing data protection services, contact us via:
0113 532 3763 info@csp.partners
Cyber Security Partners Ltd Yorkshire House, Greek Street, LS1 5SH www.csp.partners