Nearly 15,000 people were affected by 39 personal data breaches reported to Guernsey's Office of the Data Protection Authority between April and June this year.
Each of the 39 breaches reported during Q2 was discovered by people, said the ODPA, meaning none of the breaches were detected through system auditing or testing.
The latest personal data breach statistics have been published with the ODPA offering advice on "what can be learned from them".
It says this information is aimed at all organisations looking to improve their breach preparedness.
“A prevailing theme of the case studies in this report is ‘attention to detail’,” warned the Bailiwick’s Data Protection Commissioner, Brent Homan.
“In each situation the organisation was trying to uphold data rights, but in one case they included the password in an email with an encrypted document, and in the other they packaged third party sensitive info with an individual’s access to information request. When sending out sensitive information it is always a good practice to ‘pause and verify’ before you hit that send button.”
Case study 1
An organisation sent a password-protected document containing information about a person to an incorrect recipient. On its own this would not necessarily constitute a serious breach, as the password-protection of the document would prevent the incorrect recipient from accessing the information. However, in this instance, the organisation sent the password for the document in the same email as the document itself, thereby rendering the technical measure used to protect the information (the password) useless.
Learning: this case study brings home how security measures implemented with the best of intentions can fail due to poor execution. You must make sure your staff are adequately trained for handling personal data safely, and that they understand the importance of implementing security measures appropriately.
Case study 2
A service user submitted a ‘data subject access request’ (DSAR) to an organisation, asking for all the details the organisation had about them and what they were doing with it. Whilst staff were gathering the hard copies of this information for the person, they accidentally picked up a document which contained highly sensitive information about several vulnerable children and included it in the pack sent out to the service user.
Learning: whenever any member of staff, regardless of their status or knowledge, is handling highly sensitive information about people, they must recognise and carefully consider the risks involved, slow down and ensure they take extra care that the information is not accessible to (or in this case, given to) people with no right to see it. Mistakes will happen, but their likelihood can be reduced if extra care is taken. Remember, the Bailiwick is a small place so the chances of individuals knowing each other are high, which heightens both the risks and potential damage associated with breaches of this kind.