Data Security Awareness
Data security has always been important. In fact, it is more important today than it has ever been, but it has become more complex and time-consuming to manage now that technology is so central to the way we live.
Technology and systems must be designed with privacy in mind to ensure the safe and effective use of information that does not pose unacceptable risk to our business or the people in our care.
We all have a duty to protect people’s personal information in a safe and secure manner, and to share it only when it is appropriate to do so.
Everyone should be able to trust that their personal information is protected.
A person’s safety is supported when the confidentiality of personal information is maintained, its integrity is protected against loss or damage and the information is accessible by those who are authorised.
Organisations must ensure that information is used appropriately and only when absolutely necessary.
The Value of Information
It is important to comply with the law to protect personal information. Poor security can cause personal, social and reputational damage.
Losing information – Personal information may not be protected if:
- Computers or mobile devices are lost
- Information is disclosed over the phone
- Faxed paper records are lost or sent to the wrong place
- Paper records are left on photocopiers or till points
Theft of information – Information can easily be stolen by criminals, for example if you follow a link to a fake website and enter your login details or other personal information there.
Insecure storage – if your paper or computer records are insecure, or if they are not disposed of securely, they can easily be lost or stolen.
When volunteering you will come into contact with various types of personal and sensitive information. It is important to be able to identify these different types of information so that they can be appropriately protected when they are used and shared.
Information about someone is ‘personal’ when it identifies an individual.
A person’s name and address are clearly personal information when presented together, but an unusual name may, by itself, enable an individual to be identified.
Confidential information can be disclosed to you in confidence, for example, a health condition. Everyone expects that information to be treated confidentially.
Confidential information can include names and addresses, as well as a person’s sensitive personal information, for example, health and care information.
Third-party information, such as family details, added to a patient or service user’s notes, should also remain confidential.
Anonymised information does not identify an individual and cannot reasonably be used to determine their identity. Anonymisation requires the removal of name, address, full postcode and any other detail or combination of details that might support identification.
Anonymised information does not identify a person, so, provided the anonymisation is effective, it is no longer personal or confidential information.
Pseudonymised information is information in which individuals are distinguished by a unique identifier, that is, a pseudonym. The pseudonym does not reveal their real identity, but it allows different data sets about the same individual to be linked. Because the organisation still holds the key or mapping that connects the pseudonym back to the person, pseudonymised information is still personal data and must be protected as such.
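The difference between the two techniques is easier to see in code. The following Python example is added here and is not part of the original training module; the records, the key and the field names are constructed for illustration. It removes the direct identifiers to anonymise a record, replaces the name with a keyed pseudonym (HMAC-SHA256 under a secret key that must be stored separately from the data) to pseudonymise it, links two pseudonymised data sets on that pseudonym, and shows why an unkeyed hash of a name is not a safe pseudonym: anyone with a list of likely names can reverse it.

```python
import hashlib
import hmac
import secrets

# Constructed sample records about fictitious people (not real data).
CARE_NOTES = [
    {"name": "Alice Example", "address": "1 High Street", "postcode": "AB1 2CD", "condition": "asthma"},
    {"name": "Bob Sample", "address": "2 Low Road", "postcode": "XY9 8ZW", "condition": "diabetes"},
]
VISIT_LOG = [
    {"name": "Alice Example", "visits": 3},
    {"name": "Bob Sample", "visits": 1},
]

# Fields that directly identify a person and must never appear in shared output.
DIRECT_IDENTIFIERS = ("name", "address", "postcode")

# Hypothetical secret used to derive pseudonyms. In practice it is generated
# once, kept apart from the data it protects, and never sent with the data.
DEMO_KEY = secrets.token_bytes(32)


def anonymise(record):
    """Drop every direct identifier and keep only the postcode area.
    Whether the remaining fields could still single someone out when combined
    (rare condition plus small area) must be checked separately."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["postcode_area"] = record["postcode"].split()[0]
    return out


def normalise_name(name):
    # Same person, same pseudonym: strip surrounding space and ignore case.
    return name.strip().lower().encode("utf-8")


def pseudonym(name, key):
    """Keyed pseudonym: without the key the value cannot be recomputed from a guess."""
    return hmac.new(key, normalise_name(name), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifiers with a pseudonym field 'pid'."""
    out = []
    for r in records:
        rec = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        rec["pid"] = pseudonym(r["name"], key)
        out.append(rec)
    return out


def link(dataset_a, dataset_b):
    """Join two pseudonymised data sets on the pseudonym, without ever
    seeing a name. Returns a dict keyed by pseudonym."""
    joined = {r["pid"]: dict(r) for r in dataset_a}
    for r in dataset_b:
        if r["pid"] in joined:
            joined[r["pid"]].update({k: v for k, v in r.items() if k != "pid"})
    return joined


def unkeyed_hash(name):
    """What people often do instead: a plain SHA-256 of the name."""
    return hashlib.sha256(normalise_name(name)).hexdigest()[:16]


def reidentify(values, candidate_names):
    """Dictionary attack: hash every candidate name and look for matches.
    Works against unkeyed hashes; finds nothing against keyed pseudonyms
    because the attacker cannot compute them without the key."""
    table = {unkeyed_hash(n): n for n in candidate_names}
    return {v: table[v] for v in values if v in table}


if __name__ == "__main__":
    notes = pseudonymise(CARE_NOTES, DEMO_KEY)
    visits = pseudonymise(VISIT_LOG, DEMO_KEY)
    print("anonymised:", anonymise(CARE_NOTES[0]))
    print("linked:", link(notes, visits))
    guesses = ["Alice Example", "Bob Sample", "Carol Nobody"]
    print("unkeyed hashes reversed:", reidentify([unkeyed_hash(r["name"]) for r in CARE_NOTES], guesses))
    print("keyed pseudonyms reversed:", reidentify([r["pid"] for r in notes], guesses))
```

The keyed pseudonym is what lets the visit log and the care notes be joined without either file containing a name; the key is the part that turns the pseudonym back into a person, which is why the page's point stands that pseudonymised data is still personal data wherever that key exists.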
What is Confidentiality?
Confidentiality is the need to keep information private and to share it only with the specific consent of the individual to whom it relates. This includes not sharing information with the people you volunteer with, other organisations you may volunteer for, or friends and family.
Introduction to Law
Everyone has the same rights.
Everyone has the right to:
- Make requests to access their own personal information. This is known as a subject access request (SAR)
- Have inaccuracies corrected
- Have inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances
- Object to direct marketing
- Restrict the processing of their information, including by automated decision-making systems or programmes
In addition to accurately recording facts, we must consider that the individual might be able to view their record online.
When providing people with access, care must be taken not to reveal information that they do not already know relating to third parties.
For example, information in their record about family members, other service users and so on.
The General Data Protection Regulation (GDPR) is the set of rules governing the privacy and security of personal data. It was designed to give citizens control over how their data is processed and used.
Under GDPR, individuals have the right ‘to be forgotten’, meaning that in certain circumstances they can require an organisation to delete their personal data.
As a volunteer, if you do process personal data, then you must:
- Know the purpose of needing the individual’s data
- Be transparent
- Only collect the personal data you need to
Freedom of Information Act
Where an organisation uses public money, the Freedom of Information Act 2000 puts a duty on the organisation to provide information to individuals who make a written request for it. Members of the public can make Freedom of Information (FOI) requests in three ways – by letter, fax or email.
Handling Freedom of Information requests is a technical skill that should be dealt with by trained staff.
Good Record Keeping
In some roles you may be required to create and update records in your organisation. These records should be:
- Recorded as the event occurs
- Free from duplication
- Quick and easy to locate
- Compliant with procedures
Certain simple actions can ensure that you comply with the principles of the Data Protection Act. Your organisation will have policies and procedures and can give you training to help ensure good governance of personal information.
It is important that records are full, accurate, dated and timed. They should distinguish between service user records, your opinions and any information provided by others.
- Be accurate
- Record information while the event is still fresh in your mind
- Enter accurate information into records and ensure that the information is kept up to date
- Give individuals the opportunity to check and confirm the details held about them
- Avoid creating duplicate records
Threats to Data Security
Criminals will often spend weeks or months getting to know a place before ever coming through the door or making a phone call. Their preparation might include finding your organisation’s details online. The goal is always to gain the trust of one or more colleagues, through a variety of means. Below are some of the ways criminals gain your trust:
In the office
‘Can you hold the door for me? I don’t have my key/access card on me.’ How often have you heard that in your building? Although the person asking may not seem suspicious, this is a very common tactic used by criminals, known as tailgating. Anyone without a key or access card should be directed to reception rather than let in.
On the phone
A criminal might call and pretend to be from your organisation, or a trusted outside authority, such as the police or an auditor.
Social networking sites have opened a whole new door for scams. One of the latest scams involves the criminal posing as a Facebook ‘friend’. You can never be certain that the individual you are talking to on Facebook is who they claim to be: criminals are stealing passwords, hacking accounts and posing as friends for financial gain.
There are examples of many people being scammed by criminals pretending to be calling from a call centre.
For example, they may say they are calling about an online order you’ve made. If you’re expecting a delivery, it is easy to be taken in. The criminal may already have a lot of information about you and ask you to confirm additional details about your online account, so that the order is not delayed. If they have your email address, they may try to get you to click on a malicious link in an email they send you.
Revealing any information about your organisation on social media can be valuable to a criminal. Consider the scenario in this module of a volunteer, John, whose social media messages are shown on a mobile phone. A criminal reading those posts will gain vital intelligence about how the organisation’s processes work.
What information could a criminal get?
- Find out where John’s office is by searching his organisation’s website, then aligning John’s online pictures to that office
- Gain access to John’s office using the door entry code
What could a criminal do with this information?
- Install malicious software that corrupts data or prevents the organisation using it until they pay a ransom
- Gain access to data to sell on to other criminals
- Access details listed in the system, to steal a person’s details
Email is often the most efficient way to exchange information but, as with all forms of information transfer, there are risks. Hackers and criminals send uninvited emails containing attachments or links to try to trick people into handing over information or access. This type of threat is known as ‘phishing’.
Click on a link – The email might look like it is from a genuine company and may contain a link it invites you to click on by creating a time-limited or pressured situation.
It could state that you need to click on the link to ensure you still have access to your account, or to reset your password for example.
Or the link could take you to a website that looks genuine and asks you to enter sensitive or financial information about yourself, service users or your organisation. If you receive an unwanted email that contains links that you have not asked for, or look suspicious, do not open them.
Open an Attachment – The email might contain an attachment which could look genuine, such as an invoice.
However, the attachment could contain malicious software (malware) that installs itself on the computer when the file is opened, allowing the hacker to steal data from your computer or your organisation. If you receive an email that contains attachments you have not asked for, or that looks suspicious, do not open them.
Untrusted Websites – Be vigilant when your browser declares a website ‘untrusted’. If a web browser states that you are about to enter an untrusted site, be very careful. It could be a fake phishing website that has been made to look genuine.
A browser may display a red or crossed-out padlock, or a warning message stating that your connection is not private. Do not click through such a warning to enter login details or any other information.
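The phishing signs described above (a link whose visible text shows a genuine address while it actually leads somewhere else, a reply address that does not match the sender, and pressure language about suspended accounts and deadlines) can be checked automatically. The Python example below is added here and is not part of the original training module; the two emails it examines are constructed samples, the domains in them are made up, and the list of pressure words is a hypothetical one, not a published rule set. It parses a raw email with the standard library, pulls every link out of the HTML body, and reports each mismatch it finds.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing email. Every address and domain is fictitious.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examplebank.com.login-verify.net>
Reply-To: helpdesk@mailbox-reset.example
To: volunteer@example.org
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Please verify immediately.</p>
<p><a href="http://examplebank.com.login-verify.net/reset">https://www.examplebank.com/secure</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal email, for comparison.
SAMPLE_LEGIT = """\
From: "Volunteer Coordinator" <coordinator@example.org>
To: volunteer@example.org
Subject: Rota for next week
Content-Type: text/html; charset="utf-8"

<html><body><p>The rota is on the intranet: <a href="https://intranet.example.org/rota">Rota page</a></p></body></html>
"""

# Hypothetical list of words used to create a time-limited or pressured situation.
PRESSURE_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude approximation (last two labels). Real tooling should use the
    # public suffix list so that e.g. "example.co.uk" is handled correctly.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_email):
    """Return a list of human-readable findings; an empty list means no sign found."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    body = msg.get_content()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))

    extractor = LinkExtractor()
    extractor.feed(body)
    for href, shown_text in extractor.links:
        href_host = urlparse(href).hostname or ""
        # Visible text that looks like an address must point where it says it does.
        if shown_text.startswith(("http://", "https://", "www.")):
            shown_url = shown_text if "://" in shown_text else "https://" + shown_text
            shown_host = urlparse(shown_url).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link text shows {shown_host} but goes to {href_host}")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted link to {href_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample) or "no findings")
```

The visible-text check is the one that matters most for the scenario on this page: the text a reader sees is chosen by the sender, the destination is in the href, and a browser's status bar or a long press on a phone is the only way to see the latter. Hovering before clicking is the manual version of the same check.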
If you receive a request from a supposed colleague asking for login details or sensitive, financial or personal information, you should always double-check the request with the colleague over the phone, using a number you already have for them rather than one given in the message.
Equally, if you receive an unsolicited email that contains attachments or links that you have not asked for, do not open them.
Remain vigilant and report the suspicious email to your volunteer coordinator.
Never give your login details to anyone.
It is important to use strong passwords on all of your devices to prevent unauthorised access. You should also use different passwords for each account.
The environment where you access information is also important. Do not assume Wi-Fi hotspots are secure in public places including cafes, fast food chains, public transport, patient homes, hotels, shops, etc. You should:
- Password protect your device
- Use a personal hotspot (your own phone’s mobile data) for internet access rather than public Wi-Fi
- Keep belongings close by
- Sit where you are not overlooked – back against the wall is best
- Keep paperwork or documents to a minimum
- Not discuss personal or sensitive data on the phone
Remember to keep secure and be vigilant at all times.
The most common forms of security breaches are:
- Loss or theft of paperwork
- Data posted or faxed to the wrong recipient
- Emails sent to the wrong recipient
- Personal details mistakenly given over the phone
As a volunteer, if you think that any of these things have happened, speak to your Manager who will be able to help.
- We all have a duty to protect personal information in a safe and secure manner
- We all have a responsibility to use information lawfully
- Make sure that information is shared in a secure way and that you have consent to do so. Give individuals an opportunity to check the accuracy of information and records held to enable any mistakes to be corrected
- By following good practice, you can help to ensure that personal information is not put at risk
- Good data security is important and we are all bound by legal requirements