The biggest threat to public sector data comes from employees, a new PHS Data Solutions survey has shown. 83 percent of the 141 senior public sector managers and other staff polled by Ingenium said they were most concerned about internal loss or misuse, with just ten percent worried about the external threat posed by hackers.
Despite this, only 18 percent use a secure managed offsite records facility, with 41 percent storing data on-site and 21 percent relying on staff to dispose of documents using general waste, recycling bins and office-based shredding machines. “Physical records stored within public sector buildings are extremely vulnerable to being lost or misplaced by employees,” says Anthony Pearlgood, managing director, PHS Data Solutions. “As well as the threat of fraudulent activity, internal shredding and storage can increase the risk of records being saved or destroyed incorrectly. Here, guidance from an accredited records management and shredding provider can help public sector organisations achieve a safe, compliant approach and avoid costly and damaging mistakes.”
Several recent high-profile information security violations in the public sector have involved personal data being passed on to third parties electronically following Freedom of Information requests. However, the threat posed by accidental loss or deliberate misuse of physical documents and IT equipment also remains. Earlier this year, one council breached the Data Protection Act by losing sensitive social security records. In 2011, a computer and some papers containing the personal information of 7,200 people were discovered in a skip, having been left in a vacated council building and disposed of by the new tenant.
According to the Information Commissioner’s Office, common areas where improvement is needed in the public sector involve asset management around printers, faxing, laptops and removable media devices; the movement of manual records; the transfer of electronic records; and the disposal of personal data held in manual and electronic form. “The Code of Practice for Archivists and Records Managers under Section 51(4) of the Data Protection Act 1998 confirms the fact that many breaches are accidental and result from insider action or inaction,” added Pearlgood. “It also emphasises the requirement for proper disposal of data, advising that unwanted documents are disposed of by shredding, pulping or incineration. Electronic data should also be disposed of securely and in such a way that it cannot be reconstructed.”