ICO Recommendations for 2022

In 2022 we reported 7 data breaches to the ICO.

These consisted of the following incidents:

  • 2 x emails being sent by cc rather than bcc.
  • 4 x email attachments containing personal data that should not have been sent.
  • 1 x technical error causing a data processor to send a letter to an incorrect recipient.

No further action was taken by the ICO in any of these cases, but they provided the following recommendations:

  • Check that your policies and procedures are fit for purpose.
  • All staff who handle personal data should receive regular data protection training.
  • Specific steps should be implemented to prevent a recurrence of an incident.
  • Ensure staff are aware of how and when to blind copy email recipients and that they’re reminded regularly.

And in relation to an attachment containing personal data that should not have been sent:

The ICO also provide the following tips on how to prevent some common personal data breaches:

Personal data security: how to prevent some common personal data breaches

1. Take care when printing and photocopying

If you’re printing or photocopying on a shared printer, check you’ve left nothing behind before returning to your desk. Put a sign at the printer to remind staff to collect all of their paperwork, including original copies.

2. Double-check letters before posting them

Picking up two letters instead of one is an easy mistake to make if you’re working your way through a stack of them. Ask a colleague to double-check that the right letter is in the right envelope before you post them. Or you could use place-markers to help you spot where one letter ends and the next one starts.

3. Include a return address on your envelopes

If you send a letter and it ends up at the wrong address, the person who receives it by mistake can return it without opening it if you put a return address on the back.

4. Disable autofill in your email settings

If people’s email addresses come up automatically when starting a new email message then you have autofill enabled in your settings. While this tool might save time, it could cost you if you send an email to the wrong person by mistake, so it’s a good idea to disable it.

5. Close your messages when screensharing or presenting online

If you’re doing an online presentation to a group of people, the last thing you want is for a personal message or email to pop up. Close your emails and messaging services before sharing your screen with others.

6. Lock your screen when you’re away from your desk

Encourage everyone to lock their screens when they’re away from their desks. This helps prevent others from seeing information they’re not authorised to see.

7. Don’t share passwords

Staff should each have their own separate log-ins and passwords, and they shouldn’t share their passwords with each other. Sharing passwords increases the risk of an unauthorised person seeing or reading personal data.

8. Send electronic documents securely

If you need to send electronic documents, consider encrypting or password-protecting them. This reduces the risk of the wrong person being able to access the documents.

9. Send passwords to protected documents in separate emails

If you’re sending password-protected electronic documents, make sure you send the password separately.

10. Keep your IT systems up-to-date

You can reduce your risk of cyber threats, such as attacks on computer systems, by making sure you regularly install security updates.
