With all the uncertainty around Brexit following the defeat in Parliament for the Prime Minister’s proposed deal, it would be good to focus on something more straightforward just now.
You might think data protection isn’t straightforward, and we don’t deny it can be a complex topic, what with the GDPR (General Data Protection Regulation) to contend with, and the DPA 2018 (Data Protection Act 2018) on top of that, with all their legal conditions, exemptions, derogations (and other -ions!).
However, some elements of good data protection are, or should be, very straightforward and simple. Unfortunately, the Heathrow Airport data breach has shown us what can happen when organisations overlook these simple steps. So, let’s remind ourselves of what went wrong and what lessons can be learned.
In October 2018, it was reported that Heathrow Airport Ltd (HAL) had been fined £120,000 by the Information Commissioner’s Office (ICO) for failing to keep personal data secure. The data in question was found in October 2017, by a member of the public, on a USB memory stick that had been lost by an employee of HAL. You may well wonder what hacking skills this member of the public happened to have, to be able to view the personal data on a USB that must, surely, have encryption and password protection. But no hacking skills were required; they were able to pop the USB into a computer at a local library and view the contents, which included 76 folders and over 1,000 files, because it was not encrypted or password protected!
Reportedly, only a small percentage of the total amount of data on the USB was personal data, but the ICO particularly highlighted a training video that was on it, which they said contained information about ten people, including their names, dates of birth, and passport numbers. The USB also contained details of up to 50 HAL employees described as aviation security personnel.
What had gone wrong?
The ICO investigated the incident and found that HAL did have policies and guidance that banned the use of removable media. However, it was clear that staff were not following these rules, as the ICO found “widespread use of removable media”. There was also a lack of effective controls that would prevent downloading of data onto unencrypted removable media, such as the lost USB stick. The investigation also found that only two per cent of HAL’s 6,500 employees had received data protection training, which would likely have contributed to the non-adherence to policies and guidance.
There’s also the training video that contained the real details of ten people, which seems strange content for training in the first place.
What can we learn from this?
This breach shows that it doesn’t really matter what you write in your data protection or security policies if you don’t follow through with training and controls to ensure employee awareness and compliance. The GDPR requires both ‘technical and organisational measures’ regarding security, and HAL failed on both counts. Technical measures could and should have prevented the use of unencrypted USBs, and organisational measures include training, which should have communicated to all employees what they should and shouldn’t be doing with personal data, in line with the policies.
Even if your organisation can’t implement all the technical controls available, you should still ensure that data protection and security policies are not only written but clearly communicated to all employees, through training and regular updates.
The ICO’s 'A practical guide to IT security' provides helpful advice on areas to focus on, including:
- access control and strong passwords;
- anti-virus software;
- software updates and patch management;
- monitoring your systems for breaches;
- the risks of mobile working and using ‘the cloud’;
- the importance of being able to trust your IT suppliers; and
- the importance of training your employees.