Government data breach, tea at Elton’s?
Even the Government makes mistakes sometimes…a very public data breach. Publishing the home addresses of the 2019 Honours List, yes that would qualify as a memorable data breach.
https://www.bbc.co.uk/news/uk-50929543
It all boils down to only having what you need and why. Transfering data is one of the biggest risks and requires careful planning.
- Should the data be accessed not transferred?
- Anonymised?
- Encrypted?
So what did they do wrong?
Looking back at this Government data breach, they may not have considered the final destination of the data. Who would really need to see it? What exact details would the general public need to see? The Government staff would need contact details for admin etc but no one else would! That data could be accessed by only those employees that would need to see it. Role based access is a great principle for keeping data safe. For example, if you are in HR you don’t need sales information eg customer details. Its common sense.
Looking at the principles of the GDPR:
Personal data needs to be treated:
- Lawfully, fairly and transparently
The reasons for processing that data must be:
- Specified
- Legitimate
- Explicit
- Adequate
- Relevant
- Limited
Complete a data flow
A simple data flow which is a standard GDPR tool would have been very useful here. They would have realised that most of the information was not required by the general public. So when the data had reached that part of it’s journey it would be anonymised, thus protecting those individuals and their personal data. These are a very useful exercise, as GDPR consultants we don’t mind about the format: post it notes, marker pens on a flip chart or Visio. As long as you can plot the data’s journey its all good. We often follow processes in a mindless way. We have always done it like that is a phrase we hear a lot. Hence why we do a process review when we complete a data inventory. At TCS, we have fresh eyes and don’t mind asking stupid questions.
Some free and simple advice from Trusted Compliance Solutions would be:
- Always from need never from greed
- Do you need it? If not get rid of it
- If you need it yourselves but no one else does, anonymise it
- yes they they do need it too, password or encrypt it
Simples!
So Elton, no sugar thanks, but some vicky sponge would be super!