Data Privacy Breaches to beware of

Today, an increasing number of jurisdictions require notification of data breaches to relevant supervisory authorities. In the Philippines, you will have to inform the National Privacy Commission within 72 hours! The details of the laws differ, but the mistakes that lead to breaches, wherever they happen.

Kevin Shepherdson, William Hioe and Lyn Boxall have written a book ’99 Privacy Breaches to beware of’ – Practical Data Protection Tip from Real-Life Experiences. The book draws upon the experience of the authors to provide a roadmap for addressing day-to-day privacy issues at a pragmatic level.

The book is primarily directed at people in business who have responsibility for handling information, and provides direction in the form of guidelines, checklists and practical examples.

From time-to-time I will highlight ‘breaches’ described in the book – with the consent of the authors – to raise the awareness how breaches – in the interest of the organization – can be avoided. Let me start with a short version of one ‘breach’ selected for today:

Bad things happening with documents and personal data:

Personal data has been lost, misplaced or accidentally exposed and the regulator has prosecuted individuals and organizations.

Case 1 – Sensitive documents were left behind in a plastic shopping bag on a train

Case 2 – Documents with personal data were stored in transparent bags

Case 3 – Recycled paper with personal data was found in public recycle bin

Tips to help you avoid doing those things:

1. Mark files or folders ‘Confidential’

* An organization should have confidentiality policies governing which of its employees are permitted to see various categories of documents, including those marked as ’Confidential’. And complying with these policies should be part of the organization’s employment contract so that all employees are legally obliged to comply with them.

2. Secure any file or bag containing personal data

* When you are handling personal or sensitive data of clients, be sure that you carry the data in secure bags or sealed envelopes.

3. Do not expose personal data by recycling paper

* While saving the environment is an important initiative, protecting personal data is a legal obligation under the data protection law. There are other ways of reducing paper usage while not exposing the organization to data protection compliance risks.

4. Dispose of unwanted documents containing personal data securely

* You should always shred any documents that include personal data.

5. Beware when submitting or archiving personal information

* Never leave a document containing personal or sensitive data on someone’s desk or even in an exposed tray for incoming documents. You never know who may walk past and see it.

Checklist for good practices:

Organizations and individuals handling documents containing personal data or other confidential information should do the following:

a. Ensure that all physical files and folders containing personal data are clearly marked ‘confidential’

b. Put in place policies and practices that require any files or bags containing personal data, particularly where it is sensitive, to be secured so that the personal data is not disclosed when the files or bags are in transit or taken into meetings

c. Ensure that no personal data is exposed due to any paper recycling and that documents are disposed of securely, such as secure shredding

d. If you are constantly on the move as part of your job, do not dispose of personal data carelessly, leave it exposed when delivered to someone else or submit it to an organization in an unsecure manner.

Feedback is more than welcome – email me at [email protected]