Check your security
As part of local scouting, sensitive personal data (also known as special category data) is gathered, processed and transferred frequently. As part of the new rules you must ensure that personal data is held securely. This includes protecting data against unauthorised or illegal use and against accidental loss, destruction or damage.
When it comes to the protection of data there are some common best practices that can help maintain strong processes. For example:
-
new joiner details, be that adult volunteer or a young person
-
processing of this data for the purposes of events, awards, moving on
-
annual reviews of this data through census or further data gathering to update medical records
-
management of safeguarding incidents where data needs to be transferred to 3rd parties for assistance
Consideration needs to be made for the security processes in place when collecting, managing and transferring the data required to operate local Scouting.
This can include locking filing cabinets and password-protecting any of your devices and cloud storage that hold your members’ personal information.
You must ensure that personal data is held securely. This includes protecting data against unauthorised or illegal use and against accidental loss, destruction or damage.
You need to ask the question “Where do I/we store the data I/we have for local Scouting?” There are many places this data can be stored, and these will normally be chosen based on ease of use or what you are used to using. Consideration needs to be made for the decision as to where the data is stored such as:
-
Is the storage system secure and safe?
-
Who needs access to the system and can we easily collaborate?
-
Can I trace access to the storage location and minimise where necessary?
-
Is there a reputable system available today that I can use? Such as:
-
Secure cloud storage
-
Online membership system.
-
Steps you can take to protect the personal data you hold include:
-
password-protecting and encrypting your electronic devices
-
pseudonymisation (the use of made-up names)
-
setting up firewalls
-
installing anti-virus software
-
securing your business premises,
-
using securely locked storage for paper records.
To find out more about securing your IT systems, you can read the Information Commissioner’s Office ‘Practical guide to IT security’
Click here to download our data security register
Click Here to download our data risks register
Data media guidance...
Today’s technology age means that there are many tools available to us all when it comes to the management of our day to day jobs and activities.
This situation exists within local Scouting and in most cases, you will opt to use the tooling you are familiar with or makes your operation as easy as possible. The below guidance draws out these technologies and gives advice on the security measures that should be considered:
Paper
Whilst not strictly a technology, paper is still widely used to capture and retain data. This is the case within scouting and as such needs to be considered, for example paper-based records could exist for the following:
- New joiners form
- New joiners waiting lists
- Events consent from parents
- Annual health records updates
- Events coordination with events companies
- Award notifications/nominations
The following should be considered when using paper:
- Not digitally searchable – not easy to find specific information
- If lost or damaged it’s not recoverable
- Not easy to transfer
- Prone to error or misinterpretation
- Requires physical storage and security
In some cases, paper-based records are justified or the only means of data capture, where this is the case then duty of care needs to be considered, such as:
- Minimise the use of paper to only what is required.
- Transfer of paper is secure, such as physical hand to hand transfer or registered post.
- Paper forms are securely destroyed post use if possible.
- Secure destruction should be through a shredding machine.
- Keep the paper records secure always, especially when in transit, consider using:
- A lockable brief case.
- A lockable filing cabinet if long term stored.
- If transferred to somebody, audit that they return them when complete.
Paper should be considered a last resort for data gathering/storage or transfer.
Digital forms
Digital forms offer the ability to capture data in a digital means via a website link. The form is presented to the person entering the details as designed by yourself.
The following should be considered when using web forms/online surveys:
- Digital forms can be from your own website, online survey tool or a membership database.
- Digital forms are widely used and accepted as means for gathering data.
- They need to be carefully created to capture only the data required and offer a clear capture flow.
- Digital forms reduce mistakes of data capture.
Where web forms or digital surveys are being used the following best practices should be considered:
- The presentation of the form is easy to understand and follow.
- The form itself is using a secure transfer mechanism, the link to it should start with ‘HTTPS://’.
- You understand how the data is used after the form is completed, is it emailed to yourself, is it retained in the website?
- If the detail is emailed to yourself post it being completed this email should be treated with care and deleted when not required any further.
- If the data is retained on the website, then ensure access to this website is protected by a strong username and password and the access to it is limited to only those that require the data.
- Delete any data that is not needed from the locations it is stored.
Digital forms are a good way to gather accurate data in a secure way.
The most common communication tool used today is email. This can be either personal or corporate email from a large variety of providers. Email is used commonly to transfer all types of data and can be used to either transfer forms with information in or the data directly in the body of the email itself.
The following should be considered when using email to gather or transfer data:
- Emails are sent in clear text, this means that if they are intercepted the contents can be read.
- Most email systems retain lots of copies of the data sent and received, for example in:
- Inbox folder
- Sent items folder
- Deleted folder
- It is easy to mistype an email address or select an incorrect pre-populated address.
- The security of an email system varies depending on the service provided.
- Emails can be stored locally on your laptop/desktop.
Where e-mail is being used the following best practices should be considered:
- Free email services generally lack a level of security appropriate for sending lots of sensitive personal data.
- Review the email service you have; good service add-ons include:
- Anti-virus scanning
- Anti-malware scanning
- Encryptede-mail
- Delete emails when they are no longer required, especially if they contain data-based attachments, this should be from the folders highlighted above.
- Add a delay to the sending of your emails by 2 minutes. Most email clients allow this as a‘Rule’, any mis-typed email can then be stopped before it leaves.
- Don’t store your emails locally on your computer (laptop, desktop or tablet), to minimise the data you store, guidance can be found here.
- Minimise the use of email to what is necessary when it comes to gathering or transferring data.
- Take care when replying to all in the email chain, you may not want all email participants to be part of any on-going communications.
- If you are looking to send an email to multiple individuals and don’t want everybody to see the email addresses on the distribution list, then simply add all of their email addresses to the ‘BCC’ field. You can then add your own email address in the ‘TO’ field, this will mask all addresses except yours.
Additionally, email mass mailers may be used to communicate with the local scouting community, this is required for updates, events and other operational means. When looking at a service like this you should consider the following:
- Is the service with a reputable provider?
- Is the data set I am providing minimised to only what is required?
- Does the data get stored with the provider, if so can I delete it when finished with?
E-mail is an effective way to communicate but can lead to lots of data across lots of folders. 85% of all reported data breaches in the UK come from e-mail to the wrong recipient.
Laptop / Desktop / Tablet PCs
Laptops / desktops / tablets are common place in most households as well as in peoples place of work. As Adult Volunteers within The Movement you will probably have access to or be using this type of technology to manage the operations for local Scouting.
Security of laptops / desktops / tablets is key when gathering, storing or transferring data, the security already in place for the physical device could vary depending on if this is company or personal asset and your line of work.
The following should be considered when using a laptop/desktop to gather, store or transfer data:
- Is the laptop/desktop a shared resource?
- Who owns the laptop/desktop and is ultimately responsible for it?
- How is the laptop/desktop/tablet to be used?
- Transient,data comes in and out but is not stored on it.
- Data is stored locally.
Where a laptop/desktop is being used the following best practices should be considered:
- The laptop/desktop is protected by a username and strong password, strong is defined as:
- Consists of at least eight characters.
- Combination of letters, numbers and symbols (@, #, $, %, etc.)
- Contains letters in both upper case and lowercase.
- The laptop/desktop includes hard disk encryption – Check your operating system provider and google for options of hard disk encryption.
- Software packages such as anti-virus and anti-malware are included.
- Software on the laptop/desktop is up to date.
- Implement a digital password safe to store all passwords you must remember, there are
- many free tools available.
- Storage of data locally is minimised to only what is required.
Laptops especially are very useful for mobile management of local scouting, but the mobile element introduces a loss or theft risk. Reduce the exposure by considering the measures above.
Cloud based store environments
Cloud-based environments offer many advantages to organisations. However, they also introduce a number of technical security risks which organisations should be aware of such as:
- Data breaches
- Hijacking of accounts
- Unauthorised access to personal data
Organisations should determine and implement a documented policy and apply the appropriate technical security and organisational measures to secure their Cloud-Based environments. If organisations do not implement such controls, they may increase their risk of a personal data breach.
Organisations should apply technical security and organisational security measures in a layered manner consisting of but not limited to:
- Access controls
- Firewalls
- Antivirus
- Staff training
- Policy development.
A layered approach to cloud-based security mitigates the risk of a single security measure failing which may result in a personal data breach.
Many Cloud-Based providers, such as Microsoft’s Office 365 and Google’s G-suite provide advanced settings and solutions which can assist organisations to appropriately secure their use of cloud-based services. These providers, in most cases, also offer best practice guidance to assist organisations in securing their cloud-based environments.
The DPC has listed five key ways organisations can secure their cloud-based environments to mitigate their risk of a personal data breach.
1 - Access control and authentication
Organisations should implement strong password polices to ensure that users accessing personal data within Cloud-Based environments do so in a secure manner.
Organisations should implement two-factor authentication. Two-factor authentication is an effective way to further enhance Cloud-Based security and is available from most Cloud-Based providers.
Organisations should be aware of and document user access privileges within their Cloud-Based environments. User access control is particularly important where group mailboxes or shared folders are utilised. Organisations should also document each user’s specific access requirements and ensure that these are supported by an appropriate change control process.
Security measures applied by an organisation must be supported by regular reviews of user access to ensure that all authorised access to personal data is strictly necessary and justifiable for the performance of a specific function.
2. - Review default security settings
Organisations should not rely on Cloud-Based service providers’ default security settings.
Organisations should review the Cloud-Based security features available from the Cloud-Based service provider to ensure that they are applied appropriately and in a layered manner.
Examples of security settings and controls provided by Cloud-Based service providers often include:
- Centralised administration tools
- Mobile device management
- Multifactor authentication
- Login alerts
- Encryption during message send and receive
- Encryption of message content
- Account activity monitoring and alerts
- Data loss prevention
- Malware protection
- Spam and spoofing protection
- Phishing protection
Organisations should also be aware that Cloud-Based services might be publicly accessible and organisations should review and implement the appropriate security settings to secure remote access.
Click here to download the ICO guide to cloud computing...
3 - Seek assurances from your ICT service provider
Organisations may utilise external ICT services providers to implement their Cloud-Based environments. It is vital during such engagements that organisations seek formal assurances from their ICT service provider that the security controls which have been implemented meet an organisation’s specific security requirements and protect the organisation’s personal data.
Organisations should proactively engage and conduct regular security reviews with their ICT service providers to ensure the security controls in place are up-to-date and are effective to protect the organisation in an evolving threat landscape.
4 -Clear Policies and staff training.
Organisations should ensure that staff receive appropriate training on social engineering attacks, phishing attacks and security threat practices. Such training should be supported by refresher training/awareness programmes to mitigate the risk posed by an evolving threat landscape.
Organisations should have clear policies in place with respect to the usage and security of Cloud-Based services, especially where these services are being accessed outside of the organisation corporate network under Bring Your Own Device (“BYOD”) policies.
Organisations should have clear “employee leaver” and “succession” policies in place and these should be applied to an organisations Cloud-Based environment.
Organisations should have a clear policy in place for data retention and conduct regular reviews to ensure that personal data is not retained longer than necessary or where the original purpose for the use of the personal data has ceased.
5 - Know your data and secure it
Organisations should understand and monitor the types of data that is stored in their Cloud-Based environments. Knowing the types of data stored in the Cloud enables an organisation to ensure the appropriate security and access controls are applied to protect the data.
Organisations should utilise data classification methods to identify the data which they store and process within Cloud-Based environments. The process of data classification enables an organisation to categorise their stored data in order to determine the appropriate security controls.
Organisations should carefully evaluate Cloud-Based vendors based on the security features they offer and how they specifically meet with their organisational requirements.
Who has access to your data, how is it secured, how often is the data backed up and if the Cloud-Based environment aligns to your organisational policies are all vital questions to ask of both your Cloud-Based service provider and / or the ICT service provider charged with implementing your environment.
Applying the appropriate security measures is not a once off “Set and forget” exercise. Cloud-Based security settings should be reviewed on a regular basis to ensure that they are still appropriate and up-to-date.
Further DPC guidance on data security can be found at:
https://www.dataprotection.ie/docs/Data-security-guidance/1091.htm