You may know that a personal data breach is defined (in the GDPR and UK GDPR) as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Your organisation likely has a data breach policy or procedure to follow. You may even have experienced a data breach at some point.
But here at Hope & May we find that, in practice, people sometimes struggle to recognise certain personal data breaches when they occur. Recognising them matters: a breach that nobody spots cannot be contained, cannot be assessed against the 72-hour deadline for notifying the ICO where notification is required, and could ultimately lead to enforcement action or fines. Take a look at these 5 scenarios which you may not immediately consider to be data breaches, so you can recognise and respond if they ever happen in your organisation.
Mistakenly using CC instead of BCC
The most common incident leading to a data breach, as reported by the ICO, is ‘emailing data to the wrong recipient’. However, have you considered that improper use of the CC/BCC functions can also lead to a breach, even when every recipient was meant to receive the email?
When emailing large groups of people, or when sending sensitive information, you should use the BCC (blind carbon copy) function so that no recipient can see the other recipients’ email addresses. An email address is personal data in its own right, and the recipient list itself can reveal something about the people on it (for example, that they are all clients of a particular service). Putting the list in CC discloses every address to every recipient, so using CC by mistake can very easily amount to a personal data breach. BCC hides the addresses from recipients, which avoids that disclosure; it does not, of course, make the content of the message any less sensitive.
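A simple technical safeguard is to put a check in front of the send step, so that a bulk message whose recipient list has ended up in To or Cc is refused before it reaches the mail server. The following is an added example written for this article; it is not code from Hope & May. It assumes messages are built as Python `email.message.EmailMessage` objects and sent with `smtplib`, and it uses a constructed recipient list. The function names (`build_bulk_message`, `exposure_check`, `safe_send`) are illustrative.

```python
"""Pre-send check for recipient exposure in bulk email (added example).

Assumes messages are built as email.message.EmailMessage objects and
passed through a gate before smtplib hands them to the mail server.
"""
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list for the demonstration.
RECIPIENTS = [
    "alice@example.org",
    "Bob Smith <bob@example.net>",
    "carol@example.com",
]


def _base_message(sender, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # the To header carries only the sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, recipients, subject, body):
    """Build a message whose recipient list is hidden from every recipient.

    Recipients go in Bcc only. smtplib.SMTP.send_message() removes the Bcc
    header before transmission and uses those addresses purely as envelope
    recipients, so nobody receiving the mail sees the list.
    """
    msg = _base_message(sender, subject, body)
    msg["Bcc"] = ", ".join(recipients)
    return msg


def build_cc_mistake(sender, recipients, subject, body):
    """The mistake the article describes: the whole list lands in Cc."""
    msg = _base_message(sender, subject, body)
    msg["Cc"] = ", ".join(recipients)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see: everything in To and Cc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def exposure_check(msg, sender, max_visible=1):
    """Return (ok, exposed_addresses).

    ok is False when more than max_visible addresses other than the sender
    are visible to all recipients. With the default of 1, any fan-out to
    two or more people that is not via Bcc is refused.
    """
    exposed = [a for a in visible_recipients(msg) if a != sender.lower()]
    return (len(exposed) <= max_visible, exposed)


def safe_send(smtp, msg, sender):
    """Gate before sending: refuse a message that would disclose addresses.

    `smtp` is an already-connected smtplib.SMTP instance.
    """
    ok, exposed = exposure_check(msg, sender)
    if not ok:
        raise ValueError(
            f"refusing to send: {len(exposed)} recipient addresses would be "
            f"visible to all recipients; use Bcc")
    return smtp.send_message(msg)


if __name__ == "__main__":
    sender = "newsletter@example.com"
    good = build_bulk_message(sender, RECIPIENTS, "Update", "Hello all")
    bad = build_cc_mistake(sender, RECIPIENTS, "Update", "Hello all")
    print("bcc message:", exposure_check(good, sender))
    print("cc mistake: ", exposure_check(bad, sender))
```

The check deliberately inspects the parsed headers rather than trusting whatever field the sending code intended to use, so it catches the case where a template or a manual edit has moved the list into the wrong header. Where a mass-mailing platform is used instead, the same principle applies: each recipient should receive an individually addressed copy, and the platform should never be fed a single message with the list in CC.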
Paper documents being lost or stolen
Imagine you’re doing some work on the train or in a café. When you get to your next destination you realise that you’re missing a piece of paper you were working on, and that paper unfortunately included some personal data. Losing the paperwork means losing control of it: you no longer know who has it, what it will be used for or where it will be kept. That loss of control is itself a data breach, whether or not anyone ever reads the page.
Incorrect disposal of paperwork
If you collect or store personal data in paper form, you must destroy or dispose of that paperwork securely when the time comes. Use a shredder, a shredding service or a confidential waste service. Simply putting the paper in the bin could easily lead to a personal data breach, since anyone who retrieves it gains unauthorised access, and should be avoided.
Unauthorised internal access
You may consider an outsider gaining access to your organisation’s personal data an obvious breach, but have you considered that the same thing could be happening internally? Organisations should keep data secure by limiting access to it based on role and need. An employee accessing personal data they have no business reason to see is ‘unauthorised access’ under the definition above, and can therefore be a data breach even though the person is on your own staff. You will only be able to detect this kind of breach if access to the data is logged and those logs are reviewed.
Verbal disclosure of personal data
A verbal data breach is when someone who has access to personal data discloses it out loud to someone who should not have it. Oral disclosure of data counts as processing, so you should be careful when discussing personal data, especially in public places or in open-plan areas where conversations can be overheard.
How you can help prevent these breaches from happening at your organisation:
- Consider seeking help from an expert – Hope & May can help your organisation implement the measures below and provide staff training. Find out more.
- Include guidance on using the email BCC function in your policies, and consider technical controls that warn or block when a message is addressed to many recipients in To or CC
- Use mass emailing platforms for emailing groups, so that each recipient receives an individually addressed copy, to reduce the scope for human error
- Include physical security measures to keep personal data secure in policies and practice, e.g. not working on paperwork in public places, keeping paperwork in locked cabinets
- Shred paperwork that contains personal data when the time comes to destroy or dispose of it, or use confidential waste or shredding services
- Implement Role-Based Access Control so that staff only have access to the data they need, review access rights regularly, and log access to sensitive data so that misuse can be detected
- Log breaches, incidents and near misses so you can learn from past mistakes and evidence how you responded
If you have any questions regarding data breaches, please do not hesitate to contact us at info@hope-may.com