Personal data and flash memory sticks

7 May 2010 by Stephen Owen  
Filed under NHS and health

The need to encrypt personal data for security and privacy has long been acknowledged, and yet stories still come up in which stored data is exposed inappropriately because basic security procedures were not followed.

One of the most recent cases involved a lost USB memory stick containing names, addresses, and medical records of both patients and staff associated with a secure hospital in Stenhousemuir. The memory stick was found by a twelve-year-old boy in the car park of a nearby Asda store.

It’s clear why these things are near-ubiquitous: USB memory sticks are designed to be cheap, easy and convenient to use, and able to hold large amounts of data; they are ideal for transporting data from place to place. These very factors are what make them dangerous in environments where sensitive data is handled: their familiarity makes them seem benign, and their portability (and losability!) heightens the threat they pose to data security.

The lessons are sadly familiar:

Control access to sensitive data using hardware and software: if you restrict access to sensitive data, you lessen the possibility of data leaks and data loss, and can streamline people’s working practices too.

Consider and adapt practices which require data to be moved ‘outside of the system’: large software systems often have complex security controls built in, and while these might not be perfect (indeed might not even be adequate), controls can only be of use when they can be applied. Once data is removed from the system, for whatever reason, new practices are needed to stand in for the existing in-system controls – designing and implementing these practices can be non-trivial, but even recognising the need to supplement existing controls can be difficult.

Teach the people who must handle the data why controls are necessary: if everyone understands what the needs are and why they’re important, then this can be a way to ensure that safeguards are both comprehensive and workable for those who must deal with them day-to-day.

Full story: “Lost mental hospital memory stick had health records”

Data Protection in events management

11 March 2009 by Ken Brown  
Filed under Event management

The Data Protection Act (DPA) seems to affect every walk of life. As soon as you store information about someone else you become responsible for ensuring that their information is kept securely and used appropriately.

So how does that change the way in which you have to think about event data, you ask? By running events, taking registration information about your delegates and, more often than not, offering catering, you become party to what is classed as highly sensitive information in terms of the DPA. Someone’s dietary requirements or requirement for disabled access/parking may seem trivial to you, but to the individual it could well be something far more personal.

Delegate lists are hot property to certain people who attend events; in fact, for some people the delegate list is as important as the event itself. If you plan to issue a delegate list with contact information for all those attending, then you need to have everyone’s permission to do so (it’s the same with taking photos at an event). A delegate’s name, job title and organisation are the only details that you can really share without asking for permission, as they are essentially in the public domain anyway. If you want people to network, either ensure that they know they need to bring business cards with them, or leave a pile of blank business cards on the tables so that delegates can use them to exchange details during the event.

If you use a web-based event management/registration system, you can quickly and easily ensure you meet DPA guidelines by offering an opt-in/opt-out marketing section within the user registration profile. EventManager has this functionality included as standard, as a high percentage of our clients work in the Public Sector. You can even market to delegates directly from the application, advising them of future events that they might be interested in, all within DPA guidelines: anyone who has opted out is not included in the copy list, and those who are included are BCC’d so that delegates’ information is kept private and secure.
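The two consent rules described above (share only name, job title and organisation on the delegate list unless the delegate has opted in, and send marketing only to opted-in delegates with everyone in BCC) are easy to get wrong in practice; the classic failure is a mailing that puts every recipient in To or CC. The following is an added example written for this post, not EventManager’s code or any Kent House product: the delegate records, field names and consent flags are all constructed for illustration, and the message is never actually sent.

```python
import copy
from email.message import EmailMessage

# Constructed sample delegate records (not real people). Two separate consent
# flags: one for appearing with contact details on the circulated delegate
# list, one for receiving marketing about future events.
DELEGATES = [
    {"name": "A. Example", "job_title": "Events Officer", "organisation": "Council A",
     "email": "a@example.org", "share_contact_opt_in": True, "marketing_opt_in": True},
    {"name": "B. Example", "job_title": "Analyst", "organisation": "Trust B",
     "email": "b@example.org", "share_contact_opt_in": False, "marketing_opt_in": False},
    {"name": "C. Example", "job_title": "Manager", "organisation": "Agency C",
     "email": "c@example.org", "share_contact_opt_in": False, "marketing_opt_in": True},
]

# Name, job title and organisation are treated as shareable without consent;
# everything else is released only when the delegate has explicitly opted in.
PUBLIC_FIELDS = ("name", "job_title", "organisation")


def delegate_list(delegates):
    """Build the list handed to other delegates: public fields for everyone,
    contact details only where share_contact_opt_in is exactly True."""
    rows = []
    for d in delegates:
        row = {field: d[field] for field in PUBLIC_FIELDS}
        if d.get("share_contact_opt_in") is True:  # a missing flag means no consent
            row["email"] = d["email"]
        rows.append(row)
    return rows


def marketing_recipients(delegates):
    """Only delegates who opted in are ever on the copy list."""
    return [d["email"] for d in delegates if d.get("marketing_opt_in") is True]


def build_mailing(sender, subject, body, delegates, use_bcc=True):
    """Compose one message for all opted-in delegates. With use_bcc=True every
    recipient goes in Bcc; use_bcc=False reproduces the To-everyone mistake."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    recipients = ", ".join(marketing_recipients(delegates))
    if use_bcc:
        msg["To"] = sender  # the visible To: is the organiser's own address
        msg["Bcc"] = recipients
    else:
        msg["To"] = recipients
    msg.set_content(body)
    return msg


def as_transmitted(msg):
    """Bytes a recipient would receive. smtplib.send_message() deletes the Bcc
    header from a copy before sending; this does the same so it can be checked."""
    sent = copy.copy(msg)
    del sent["Bcc"]
    del sent["Resent-Bcc"]
    return sent.as_bytes()


def leaks_recipient(transmitted, delegates):
    """True if any opted-in address is visible in what recipients receive."""
    return any(addr.encode() in transmitted for addr in marketing_recipients(delegates))


if __name__ == "__main__":
    for row in delegate_list(DELEGATES):
        print(row)
    for use_bcc in (True, False):
        message = build_mailing("events@example.org", "Next event", "Hello", DELEGATES, use_bcc)
        print(f"use_bcc={use_bcc} leaks recipients:",
              leaks_recipient(as_transmitted(message), DELEGATES))
```

The consent checks compare against `True` rather than relying on truthiness, so an absent or malformed flag defaults to no sharing; and `leaks_recipient` inspects the message as it would actually be transmitted, which is the check worth running before any bulk send.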

Here’s a sample DPA statement that I wrote a few years ago in conjunction with a DPA / FOI lawyer:

Delegate lists and Data Protection

Under the Data Protection Act delegates need to be given the opportunity to opt in/out of a list of delegates, if it is to be issued to a third party. If participants are not given the chance to opt in/out you cannot assume that it’s OK to disseminate their information.

If a delegate list is to be produced, an opt in/out tick box needs to be incorporated into the booking form, with words similar to:

‘I agree that the event organisers may pass on my details to other registered delegates for this event and am aware that I may be contacted about future [your organisation name] events. I agree that the organisers may pass on my details to any third party.’

If all Data Protection requirements are met (i.e. delegates are made aware that their information may be shared with third parties and they are given the opportunity to opt in/opt out of this) it is simply a matter for [your organisation name] to decide whether we share the information with others.

If Data Protection requirements are not met, the Freedom of Information Act (FOI) should not override a delegate’s right to privacy.

Section 40 of FOI states: http://www.ico.gov.uk/documentUploads/AG%201%20personal%20info.pdf

“If the personal data is about someone other than the applicant, there is an exemption if disclosure would breach any of the Data Protection Principles. (This is the main issue explored in this guidance.) There are also some special rules to be applied in cases where the personal data is about someone who has formally objected to their disclosure. The term, “third party data,” is used to describe personal information about someone other than the applicant.”

“The term “personal data” is defined in the Data Protection Act, as amended by the Freedom of Information Act. “Personal data” is information about a living individual from which that individual can be identified. It may take any of the following forms:

• Computer input documents;
• Information processed by computer or other equipment (e.g. CCTV);
• Information in medical, social work, local authority housing or school pupil records;
• Information in some sorts of structured manual records;
• Unstructured personal information held in manual form by a public authority.”

If, however, Data Protection requirements have been met and the necessary consent has been given, then we have an obligation under FOI to provide these details to a third party if they are requested.

As a rule of thumb, the [your organisation name] Events Team will not include an opt in/out option on booking forms unless otherwise requested by Event Commissioners. This will allow us to ensure that delegates’ details remain protected in the vast majority of cases. In the unlikely event that a request is received under FOI where Data Protection requirements have been adhered to, the Events Team will seek the appropriate advice from the [your organisation name] Legal Team.

All of the systems and processes used, designed and created by Kent House for our clients are designed to store and manage securely the information that clients need to keep on their users, whether it be for event management or as part of a database.

If you have any queries regarding our Products and Services and how they can help you to be DPA compliant for your events delivery, please feel free to contact us at info@kenthouse.com or 0845 638 0700.