Government data breach, tea at Elton’s?

Posted on 03/01/202003/01/2020 by ljh-tcs-b0ss

Even the Government makes mistakes sometimes…a very public data breach. Publishing the home addresses of the 2019 Honours List, yes that would qualify as a memorable data breach.

https://www.bbc.co.uk/news/uk-50929543

It all boils down to only having what you need and why. Transfering data is one of the biggest risks and requires careful planning.

Should the data be accessed not transferred?
Anonymised?
Encrypted?

So what did they do wrong?

Looking back at this Government data breach, they may not have considered the final destination of the data. Who would really need to see it? What exact details would the general public need to see? The Government staff would need contact details for admin etc but no one else would! That data could be accessed by only those employees that would need to see it. Role based access is a great principle for keeping data safe. For example, if you are in HR you don’t need sales information eg customer details. Its common sense.

Looking at the principles of the GDPR:

Personal data needs to be treated:

Lawfully, fairly and transparently

The reasons for processing that data must be:

Specified
Legitimate
Explicit
Adequate
Relevant
Limited

Complete a data flow

A simple data flow which is a standard GDPR tool would have been very useful here. They would have realised that most of the information was not required by the general public. So when the data had reached that part of it’s journey it would be anonymised, thus protecting those individuals and their personal data. These are a very useful exercise, as GDPR consultants we don’t mind about the format: post it notes, marker pens on a flip chart or Visio. As long as you can plot the data’s journey its all good. We often follow processes in a mindless way. We have always done it like that is a phrase we hear a lot. Hence why we do a process review when we complete a data inventory. At TCS, we have fresh eyes and don’t mind asking stupid questions.

Some free and simple advice from Trusted Compliance Solutions would be:

Always from need never from greed
Do you need it? If not get rid of it
If you need it yourselves but no one else does, anonymise it
yes they they do need it too, password or encrypt it

Simples!

So Elton, no sugar thanks, but some vicky sponge would be super!

If you need any help with data breaches, data flows or anything GDPR related do get in touch:

https://trustedcompliancesolutions.co.uk/contact

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.