Information Commissioners office report on data management and security practices by adoption agencies and general practitioners. Useful insights for practices to be followed and deficiencies watched for in the Australian context.
February 10, 2014 |
The Information Commissioner’s Office in the UK has produced two interesting reports on data handling by independent fostering and adoption agencies and by general practitioners and primary healthcare providers. The reports highlight positives and negatives in the data handling and security processes of each industry group. The general practitioners and primary healthcare providers appear to have been more compliant than the fostering and adoption agencies.
Given the soon-to-be-expanded role of the Privacy Commissioner and a more assertive regulation of data management and data security, the ICO’s findings should be noted, studied and implemented. Each jurisdiction may have its particular issues; however, many good data management and privacy-enhancing processes are universal.
Regarding the data management, security and privacy issues warranting concern and requiring improvement, the ICO made the following comments:
- highly sensitive personal information concerning foster carers and looked after children is routinely emailed between agencies and local authorities without encryption safeguards in place.
- local authorities are often reluctant to accept encrypted information via email as their IT security systems block the messages, it is time consuming and difficult to unblock them, and local authorities may not wish to deal with a multitude of encryption programs being used by different agencies. As a result, fostering agencies often send information without encryption because they feel that if they do not provide a quick means for local authorities to access their foster carers’ information, a local authority will simply use another fostering service.
- agencies did not encrypt mobile devices used to process, store or transport personal data, including laptops and USB sticks.
- fostering agencies, while requiring carers to provide updates, do not provide secure methods such as VPNs by which to do this. Sensitive personal information is therefore processed on home computers and stored in the ‘cloud’ in ISP or webmail accounts (Hotmail, Gmail etc.). Agencies should provide clear guidance on what carers should include in these updates to ensure that the personal data processed is relevant and not excessive.
- some agencies allowed staff to carry out work involving sensitive personal data on their home computers instead of providing appropriate remote access to their network, an encrypted memory stick or a work issued encrypted laptop on which to save their work. This information can then be saved or printed on home computer systems, raising numerous risks in relation to security, access, retention and deletion of looked after children and foster carers’ sensitive personal information.
- a lack of adequate data protection/information security training provided by agencies to their staff including the need for specific data protection/information security training at induction and refreshed periodically thereafter.
- in most agencies visited staff passwords allowing access to network and information systems are not changed on a regular basis and some agencies did not enforce the use of complex passwords.
- secure printing procedures were not widely adopted to ensure that confidential information is not left on printers or gathered into other printed material.
- endpoint controls (restrictions on the use of removable media) were often not in place, exposing organisations to sensitive personal data being extracted from IT systems without their knowledge, or to IT systems being deliberately or inadvertently infected with viruses or malware.
- the majority of agencies did not have policies covering building security, information security or data protection. This leads to a lack of clear direction and strategy in these areas, and the adoption of inappropriate or inconsistent procedures by staff.
- few agencies had information security breach procedures in place to monitor, record and investigate any information-related security incident.
- few agencies had retention and disposal policies or schedules setting out what records should be retained, for how long and how they should be securely destroyed when no longer required.
Regarding its review of general practitioners and primary healthcare providers, the ICO noted concerns and room for improvement in the following areas:
- where surgeries used CCTV cameras for security purposes, fair processing notices were not always used, and in some cases there was no policy in place regarding how the systems were operated or who had access to the images they created. Where CCTV was operated by a third party a contract with appropriate data protection clauses was not always in place.
- some surgeries’ websites contained only limited or very general fair processing information or details of cookie use.
- a general lack of specific local procedures or protocols to review files and to meet these standards and timeframes for records retention and disposal.
- in-house shredding of confidential waste was not effective, with backlogs of files awaiting disposal, and the volume of waste to be shredded was potentially more appropriate for a specialist third-party contractor.
- several surgeries allowed unrestricted internet access by staff, including access to personal email/webmail accounts, with the increased risk of data leakage, hacking and viruses. Local policies on acceptable internet and email use were not always reflected in the software/tools that enforced them, which were usually applied by CCG-level IT providers.
- a need for fax policies and procedures to be in place, including the use of coversheets, pre-set numbers, telephone confirmations and ‘safe havens’.
- although USB sticks were not in common use, unsecured USB ports still created a risk of unauthorised removal of personal data using portable media, or of the introduction of malware and viruses to the network.
- in some cases local desktop C: drives could allow data to be saved on equipment, and DVD/CD drives were enabled. The precise build and the mechanisms to lock down ports and drives were usually defined outside surgeries by ICT providers.
- paper medical records were usually held in lockable filing cabinets or in separate lockable areas of varying security and quality.
It will be interesting to see how the Privacy Commissioner embarks upon his enquiries and what he reports upon.