Friday, 23 February 2018

GDPR and PHYSICAL security – How important is it?


Regular readers of this newsletter will know that I have paid a lot of attention and focus to the General Data Protection Regulation (GDPR). To recap, the GDPR is EU Data Protection legislation which is coming into force in May. It is a ‘beefed up’ version of the UK’s Data Protection Act 1998 and aims to introduce a common standard of data protection across the European Union – particularly covering the latest advances in social media. Despite Brexit, the UK will be under the legislation from May 25th 2018 and the legislation is expected to make its way into British law after our exit from the European Union.

In the last couple of articles that I have covered the topic of GDPR in, I have focused primarily on GDPR in cyberspace – the need to focus on cyber security in order to keep on the right side of the legislation. Cyber security in the context of GDPR is no doubt extremely important, but for this article I would like to move away from technology and focus on GDPR in the context of physical security.

When referring to GDPR and compliance, very few commentators refer to the necessity to secure physical data. However, personal data is still stored in a physical format and therefore is still subject to GDPR legislation. For example, many schools use physical folders with pupil and parent information. Remember that Article 4 section 12 of the GDPR states that a “‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”. This means that a member of staff, or worse a pupil, accessing sensitive data without proper consent is classed as a breach.

Think also of physical computers. Most staff will have access to a computer that they use for their work. In many cases, this will contain sensitive information. Do you have a policy in your school that staff must lock their computers if they leave their desk, even if it is only for a short while? Are those computers protected with strong passwords? In my experience working in the IT industry for many years, most users will not set strong passwords. They are usually easy to guess, or in the most worrying cases, system defaults such as ‘password’.

A report for the Telegraph newspaper in 2017 found that the top 10 most common passwords are as follows:
1.       123456
2.       123456789
3.       qwerty
4.       12345678
5.       111111
6.       1234567890
7.       1234567
8.       Password
9.       123123
10.   987654321

Granted, passwords are difficult to remember, especially when you have lots of different passwords for lots of different user accounts. Nobody wants to have to keep phoning their IT department because they’ve forgotten their password again.

Nonetheless, a strong password is absolutely critical to keeping sensitive data secure. A handy tip for creating passwords is to think of a phrase that sticks in your mind. For example: ‘the quick brown fox jumps over the lazy dog’. Now take the first letter of every word in that phrase and combine them to make a word: ‘tqbfjotld’. The password itself is unlikely to be guessed, but because you remember the phrase, you remember the password.

What about the security of your devices and servers? If you keep a server on-site a determined intruder could gain access to it on location. This would allow them to copy data onto an external drive and remove it from school grounds. If you do keep a server on-site, make sure that it is in its own locked room – and preferably that that room is air conditioned to avoid overheating. If you would like an extra level of security, then CCTV is a really good option. It is now possible to get ‘Cloud CCTV’ options, whereby a camera (or network of cameras) are installed in your school and connect to the internet network. It is then possible to access a live video feed of all your cameras in one online portal. The cameras can also record snapshots or video, allowing you to obtain the evidence you need to prosecute should the worst happen. The cameras are small and unobtrusive and are reliable – speak to me if you would like to find out a little more.

A good starting point for getting your physical data security up to scratch would be to assess what data you hold in physical form, where you keep it, and whether you need to keep it any longer. First of all, any data that is not crucial to running your school should be destroyed – there is no use keeping data unnecessarily.

Build up a list of your data sources and the data you hold. Then consider who has access to it, both intentionally and possibly unintentionally. If you keep folders with sensitive information in on school grounds, are they kept in an area away from unqualified staff? Are they kept in locked cabinets? Do your staff know exactly who should have access to what and can you be sure that they know not to share information with others? If you have important data stored on hard drives in servers and computers, do you ensure that you encrypt that data?

It is also worth introducing a policy around external hard drives and USB sticks, as well as personal cloud drives such as DropBox and Google Drive. We recommend that use of external drives is at least restricted, but preferably banned outright, and the use of personal cloud storage should also be banned – it is untraceable. Personal accounts for these services follow users wherever they go, meaning staff could potentially access sensitive material even if they are no longer employed by your school.

By ensuring all your staff (and pupils) understand and appreciate GDPR and how it affects your school, you can make sure everyone is pulling in the right direction to help your school be compliant. GDPR compliance involves an effort from all stakeholders in your school and the first step is strong, unambiguous policies surrounding data security.

For more information on GDPR, or for an IT security audit of your school, please do not hesitate to get in touch with me on 0330 002 0045 or contact schools@entrustit.co.uk.

No comments:

Post a Comment