
07 February 2012 | Restore Datashred

Employee annoyances

Anthony Pearlgood, commercial director of PHS Datashred and chairman of the information destruction section of the BSIA, discusses how irritating office habits can affect the security of your organisation.

The number of people employed in the UK economy is roughly 24.5 million. Self-employment accounts for another 3.5 million.

Of this number, over 10 million of us are office workers.  We work in over 200 million square metres of office space representing a capital investment of more than £120 billion. (UK National Statistics).

So, roughly a third of us sit at desks and computers in premises where others also work. More than half of the UK's white-collar employees - equivalent to 8.7 million people - work in a culture where coming in early, staying late and battling on when ill is expected, according to research.

It would be wonderful to report that we all do so happily, but, sadly, we are not all happy all of the time.  Inevitably, there are occasions when we tend to annoy each other.

The list of ways we irritate each other is very long indeed and equates to the reasons why we like or dislike people in any other sphere of life. It's sometimes connected to our senses: we may dislike something about the way a work colleague looks or sounds. Or, even more likely, the discord might relate to their behaviour; in the course of a seven- or eight-hour working day some aspects of their conduct may strike a colleague as rude, inconsiderate, insensitive, offensive, threatening, intrusive, deceptive, vulgar, moody… the list goes on.

The great majority of white-collar workers are sufficiently mature to let these foibles go, but more deep-seated habits can have more serious business implications.

The paperless office

The corporate guru, Gerry Robinson, was an advocate of the policy of never letting a piece of paper touch your desk twice; in essence, a way of striving to get things done as they arise, rather than putting them off until later.

As we all know, it's not an entirely practical idea. These days it would need to be translated as 'never open an e-mail or text message twice', an even less practical thought. The underlying principle, though, of getting things dealt with or securely filed instead of burying your desk under a pile of paper, is a practical one. Leaving confidential information in places accessible to, say, a visitor, outsourced staff or service operatives is no longer an acceptable option in the days of Data Protection laws and identity fraud.

With so much business information held in electronic form and increased awareness of environmental concerns, the concept of the paperless office seems more attractive but old habits die hard.

Many administrative and clerical workers still rely on the reassuring permanence of the printed word.  There are others who correlate a desk piled with charts, printed e-mails, correspondence and other ‘paperwork’ with the appearance of being productive and hard-working.

Phrases like 'I'm snowed under' and 'I'm buried under a pile of work' are evidence to support the contention that a cluttered desk overflowing with paper can mask a number of unwelcome situations.

The employee in question may, in fact, simply be thoroughly disorganised, or they may be overworked and unable to cope.

Not everyone has the ability to manage their affairs or workload systematically, and what they are almost certainly doing is leaving confidential business information in a place where it could be accessed by those with less than honest motives.

Data security

The days of private sector organisations being able to brush data protection breaches under the carpet are over. Proposals have been set in motion to update the EU Privacy Directive, which is set to change the Data Protection rules across the EU.

In practice this means that the way in which businesses notify the governing body about serious data breaches will alter. Previously only the telecoms, financial and public sectors were required by law to publicly disclose data breaches. It was announced in 2011 that this would be extended to all sectors and all sizes of business or organisation. The new proposals set out today suggest that it will soon be law that these public disclosures happen within 24 hours of the breach.

This could have a significant impact on the reputation of an organisation, as well as its finances. Notifying the governing body and, in the most serious cases, all affected members of the public could be costly in terms of communication, but also in potential loss of revenue and brand damage.

This ever-growing focus on the threat of fraud across Europe is certainly toughening the regulatory stance on the need to protect data, and the Justice Commissioner is looking to persuade businesses and organisations to take action on their Data Protection policies by increasing the financial impact of data breaches.

The current maximum fine applicable in the UK by the Information Commissioner's Office for a serious data breach is £500,000. However, the updated EU Privacy Directive aims to make this fine more proportionate to turnover by changing the penalty to up to 2% of turnover. In the case of some businesses, this could run into millions of pounds.

Further impact on the organisation comes from the third key change to the EU Privacy Directive, which directly affects the current UK Data Protection Act: all companies with more than 250 employees will be required to employ a Data Protection Officer, whose role it will be to monitor and safeguard data processing and disposal within the organisation.

Businesses should start preparing now for what is soon to be an updated and stricter Data Protection Act by putting in place a strong Data Protection Policy and encouraging buy-in from all parts of the organisation.

EU Data Protection Directive

For the technically minded, the EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU. Directive 95/46/EC encompasses all key elements of Article 8 of the European Convention on Human Rights, which states its intention to respect the right to privacy in personal and family life, as well as in the home and in personal correspondence.

There are seven broad principles within the Data Protection Directive. These are:
  • Security
  • Purpose
  • Disclosure
  • Notice
  • Accountability
  • Consent
  • Access
Once the Directive comes into force, any entity which holds personal data for some set purpose or reason becomes legally liable for the consequences of it being misused. Data is categorised as 'personal' when it allows a connection to be made between the data and the named person to whom it refers.

A long list includes a variety of examples such as phone numbers, credit card details, home address, dates of birth, bank account details and many other items. Personal data also covers, in particular, any reference to a distinguishing identification number (such as a national insurance number, driving licence number, passport or job number) or to other factors specifically relating to the person's physical characteristics (i.e. eye colour, height, tattoos, scars, etc.) or their physiological, intellectual, financial, artistic or societal individuality (being a minister of religion, perhaps).

The new Directive will go through a process of consultation over the next 12 months but is expected to be adopted and in force in the UK by early 2013. All sectors will be required to report breaches to the Information Commissioner's Office. It stipulates that seriously affected individuals are also to be informed.

Re-think

From an operational perspective, this will present a major task for many organisations. There will need to be a shift in management approach and training, reflected in the re-engineering of mechanisms to detect breaches and report them to responsible internal officers. It will then fall to these managers to inform the Information Commissioner and the individuals who may have been significantly affected by the breach.

Processing is also broadly defined. It relates to any manual or automatic operation involving personal data, including its collection, recording, organisation, storage, modification, retrieval, use, transmission, dissemination or publication, and even blocking, erasure or destruction (Article 2b).

Many more organisations are going to be relying on the services of professional data destruction contractors.

Storm clouds?

Many data compilers have been concerned about third-party responsibility and the safety of data in an information cloud. However, the Data Protection Directive includes a 'binding safe processor rule', whereby data owners will not be liable for loss at the hands of a third-party cloud provider.

Under the new rules, when the use of data is outsourced to a certified business, the provider will not be liable for subsequent breaches involving their data from this source. This will be a very positive step toward the adoption of internet cloud services by businesses.

These data protection rules apply when the responsible party (called the Controller in this EU directive) is established or operates within the EU and also when the controller uses equipment located inside the EU to process personal data from elsewhere. Controllers from outside the EU who process personal data inside the EU must nevertheless comply with this directive.

Notification

EU member states have supervisory authorities to monitor data protection levels in their state and to advise the government about related rules and regulations. It is their responsibility to initiate legal proceedings when data protection regulations are infringed. Controllers must notify their governing authority before commencing any processing of personal information, and the Directive prescribes in detail what that notification must contain, namely:
  • Name and address of the controller or representative
  • Purpose(s) of the processing
  • Descriptions of the categories of data subjects
  • The data or categories of data to be collected
  • Recipients to whom such data might be disclosed
  • Any proposed transfers of data to third countries
In short, the data protection screw is tightening, and the scope is extending from three sectors to the whole of society.

Organisations of all sizes and complexions would be well advised to respond now. The data police are coming to town - and they mean business.