The managers of the Tavistock and Portman NHS Foundation Trust may have let out a sigh of relief recently when the Information Commissioner’s Office reduced its fine for a GDPR breach from more than £784,000 to £78,400. The breach happened in September 2019, when the trust sent an email promoting a competition to the patients of its Gender Identity Clinic without BCC’ing the addresses, thereby revealing their identities.

The reduction marked a step change in the Information Commissioner’s approach when reprimanding public sector organisations. In a recent speech, John Edwards said he plans to try a new approach over the next two years, using his office’s discretion to reduce the impact of fines on the public purse, and driving best practice through practical examples showing lessons learned. It’s expected financial penalties will only be issued in the most serious of cases.
Those working in the public sector know the importance of privacy. Organisations such as the NHS, HMRC, Ministry of Justice, Department for Work and Pensions, the police, schools, and local authorities collect, process and distribute some of the most sensitive data UK citizens have. And yet, with 5.7 million people working in the sector, it can be tricky to build and maintain a culture that puts privacy first. That gets even harder with a workforce that may be working between the office and at home.
When around 88 percent of data breaches are down to human error, people really are a public sector organisation’s best defence and greatest weakness when it comes to privacy compliance. And while the ICO’s new approach may signal the end of eye-watering fines paid for by the public purse, it’s no reason for workers to forget about privacy.
Personal data isn’t about numbers on a spreadsheet, metrics to drill down on, or KPIs to meet. It’s about people and the type of world that we want to live in. Privacy is a basic human right and one that we have to fight to protect before it’s gone.
Here are 10 simple steps those working in the public sector can take to protect privacy:
1. Use a password manager or Single Sign-On
Passwords are frustrating, hard to remember and a major cause of data breaches when they’re not used properly. I use a password manager and one really secure password, which I only share with my password manager software. The software then chooses really long and obscure passwords for all of the services that need one. At last count there were over 170. A good alternative to a password manager is Single Sign-On. The Government Digital Service (GDS) is reportedly launching a Single Sign-On service later this year, which allows employees to automatically gain access to a variety of online apps and services without having to remember multiple passwords.
2. Keep work data on work devices
With more people working from home, it’s more tempting to view sensitive work data on personal devices. But if you do, there’s a good chance you don’t follow the same security protocols that the clever people in IT make sure are mandatory at work. Make sure you run any software and operating system updates as soon as they become available to keep everything secure (go and make a well-earned cup of tea while your device restarts). The WannaCry ransomware attack of 2017 cost the NHS £92 million and was largely made possible because people were running outdated software that hackers could find their way around.
3. Only use secure Wi-Fi
Libraries and cafes can offer a much needed change of scenery when working remotely but make sure you don’t trust public Wi-Fi networks. It is too easy for them to be taken over by people with bad intentions. I have software set up on my phone and my laptop which automatically routes all my wireless traffic through a virtual private network (VPN), which adds an extra layer of security to any work you’re doing online. And don’t forget to ensure your router is password protected at home too.
4. Beware of video calls
Can anyone overhear your conference call or see sensitive information in the background? Make sure you use headphones if you’re in a public space, and blur your background (or use a generic background) to prevent someone from seeing something they shouldn’t. Ensure video meetings are kept private by requiring a password or controlling guest access from a waiting room. And think about other tabs or information that may be visible when sharing your screen with others.
5. Use two-factor authentication
Two-factor authentication (also known as 2FA) is an extra step to keep online accounts secure. After entering my username and password, I am asked to provide a second piece of information – usually a six-digit code that’s sent to my mobile phone – but it could also be answers to a secret question, a specific keystroke pattern or involve use of a tool such as Google Authenticator. It can be used in combination with a Single Sign-On (SSO) system, and ensures that even if an SSO password is compromised, a cyber attacker still cannot gain access.
6. Be wary of using printouts
Most people recognise the benefits of going paperless, but an alarming number of organisations within the public sector still rely on reams of paper to operate. Make sure you lock sensitive printouts away at the end of the day, shred documents you don’t need anymore (particularly those with personal information on them) and avoid taking any paperwork home if you can. We don’t want any confidential details turning up at a bus stop in Kent.
7. Save files to the cloud
Always use a centralised storage solution or cloud-based app, rather than saving files locally. This will provide protection in case you ever damage or lose your device. It’s also a good idea to enable the ‘remote wipe’ function on your work laptop, tablet or phone, in case it’s ever stolen. Resist the temptation to use unapproved tools or store data outside of official channels.
8. Brush up on your privacy training
Good privacy compliance is like a finely tuned car. It needs regular maintenance to run in top condition. Regular training reinforces good privacy practices, and reminds people to be aware of threats such as phishing attacks, which are evolving all the time. Make sure you take every opportunity to brush up on your privacy training at work. Perhaps you could even become one of your team’s privacy champions?
9. Always report incidents
If the worst happens, always report any privacy issues or attempted attacks to IT and your designated Data Protection Officer straight away. Organisations should have a contingency plan for data breaches, which will include notifying the ICO and possibly the affected data subjects, and investigating the incident to prevent it from happening again in the future. Managers should also make sure staff feel comfortable reporting anything they feel compromises the privacy and security of employees or the public, without fear of personal repercussions for doing so.
10. Ask ‘what does that mean for privacy?’
Everyone helps protect personal information – from IT and HR, to administrators and front-line staff. The war on privacy can only be defeated if we work together. At a basic level, everyone needs to ask themselves ‘what does that mean for privacy?’, when a decision is made at work. If we all did our part in caring about data privacy, the sum of all of those efforts would be incredibly powerful. We can preserve this fundamental human right if we resolve to play our part in whatever way we can.
Nigel Jones is co-founder of The Privacy Compliance Hub.