Data Protection as a Service April 2024 Newsletter
Cyber Security Partners Your Trusted Security Partner
Newsletter Highlights
• ICO publishes guidance to improve transparency in health and social care
• 5,000 Guernsey patients included in States data breach
• Housing association receives reprimand from the ICO

ICO publishes guidance to improve transparency in health and social care
The ICO has published new guidance to improve transparency in health and social care. If you work in the health and social care sector, it gives you examples and case studies of how you can be transparent with people about how their personal information is being used.
The ICO is also shortening the time limit to comply with steps ordered in decision notices issued under section 50 of the Freedom of Information (FOI) Act from 35 calendar days to 30 calendar days. This brings the time limit for decision notice steps in line with that given in information notices issued under section 51 of the FOI Act. This change took effect in decision notices issued from 15 April 2024.
Cyber Security Partners’ DPaaS Information Handling Training can provide this training to your users on either a scheduled or ad-hoc basis.

5,000 Guernsey patients included in States data breach
Island FM News
The States has apologised after private data on healthcare debts owed by 5,000 locals was sent by email to an islander living in the UK.
The Office of The Data Protection Authority is investigating after the private information of 5,059 individuals was shared by a member of Guernsey's Corporate Debt Management Team.
The States are blaming the incident, which occurred on 18 April, on 'human error'.
It says the information shared, which included full names and money owed, was not enough to enable someone to commit identity fraud.
No personal medical information was included.
The person who received the email says they deleted the data sent to them.
Chief Resources Officer Bethan Haines apologised 'unreservedly'.
“I know that this incident will cause frustration and distress and I want to unreservedly apologise for the lapse in security of customer data.
The States of Guernsey has strict internal training requirements specific to confidentiality and data safeguarding, with refresher training for the Corporate Debt Management Team occurring at least annually.
We take matters of data security extremely seriously and have taken immediate steps to strengthen our security measures, whilst we continue to carry out an investigation into the incident in order to capture the lessons learnt.”
CSP’s advice:
To prevent this happening to your organisation, here is our advice:
• Develop comprehensive data protection policies that outline procedures for handling and sharing information, making sure your employees are aware of them.
• Provide regular training to reinforce best practices.
• Regularly review and update data handling processes to minimise the risk of accidental data disclosures.
• Implement measures such as double-checking recipient lists that are built into the process.
• Investigate potential email quarantining when large volumes of data are attached.

Clyde Valley Housing Association Reprimanded by the ICO
The Herald | Craig Williams
A housing association has received an official reprimand after a new computer system enabled residents to access each other’s personal data. Clyde Valley Housing Association received the reprimand from the Information Commissioner’s Office (ICO), the UK data protection regulator, following the launch of an online residents’ portal on July 14, 2022.
On the day the system went live, a resident contacted the housing association in Lanarkshire to say they were able to view other residents’ information, but the staff member who handled the call failed to escalate the matter.
The association eventually suspended access to the system on July 19 after receiving four further reports from other residents – meaning the personal information remained accessible for five days.
Jenny Brotchie, ICO Scotland regional manager, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information.”
CSP’s advice:
Here is some advice to prevent this happening to your organisation:
• Implement a privacy design philosophy when creating new products or data access pages.
• Ensure that access control tests are built into any testing frameworks.
• Beta release any new pages to a select group with minimum data to provide a larger, real-world test.
• Ensure incidents are validated and acted upon quickly, even if that means disabling a new service until the problem is resolved.

For help implementing data protection services, contact us via:
www.csp.partners
info@csp.partners
0113 532 3763
Cyber Security Partners Ltd, Yorkshire House, Greek Street, LS1 5SH