When we talk about data breach, the most prevalent scenario that comes to mind is that of a hacker gaining illegal access to an organisation’s network. However, most Data Protection Officers (DPOs) also know that the weakest link in data security are the people in the organisation themselves.
As such, the need for Data Protection Certification has been highlighted. Participants can learn advanced data protection techniques and information security measures when they attend courses and seminars.
Data Protection Certification participants are mostly data protection officers (DPOs), compliance managers, and those personnels with data protection responsibilities. It also attracts individuals that are handling personal data like those in human resource, IT, customer services, and sales and marketing.
Nowadays, many intuitively believe that disgruntled employees are the culprit behind data breaches. However, a study conducted by Data Protection Excellence Network (DPEX) revealed that malicious is only 13% of all the enforcement cases revealed by the PDPC in 2018. The truth is, the most common cause is just sheer carelessness.
Recent case was against a preschool provider. A teacher sent an attendance list to a group of parents. However, what the teacher didn’t realise is the list contained NRIC numbers and contact numbers of five of the group numbers. While the teacher deleted the file, the breach has already occurred.
Unfortunately, personal data that has been leaked will be at risk forever. There is also the case of a sports federation where the NRIC numbers of the students were disclosed accidentally in a PDF document on a federation site.
The author was unaware that content copied from a PDF document and pasted in Excel or Word will reveal content that had been “hidden” in the source Excel document before it is converted to a PDF file.
What is ironic is the source Excel file was encrypted to safeguard the personal information. The scenario could have been prevented with a simple check. There are several other cases that highlight how infallible humans can be. So what can organisations do to protect personal data that is in their care?
Having an information security policy would be a good place to start. Employees also need to be aware if their actions are permitted by the organisation. They need to also know what the requirements of the data protection law are alongside the applicable sectoral regulations like the Employment Act.
Employees need to also be aware that confidential data should be encrypted prior to hitting the “send” button. When sending unencrypted emails, all the confidential files or documents should be deleted first. Imagine the damage that can happen when confidential files are forwarded accidentally to unauthorised individuals.
For those who use cloud storage for files, it is recommended to add more layers of protection that have security functions like the two-factor authentication (2FA). The two-factor authentication requires a login password and a security code that is sent to the email address or the phone each time you add a new device to your account or log in.
It is also ideal to use the password-protect function in PDF and Microsoft documents to further protect personal data in one’s care. When sending a protected document to someone, it is ideal to give them the password separately and not in the same message.
Another practical piece of advice would be to check phone numbers or email addresses to ensure you are sending personal data to the right recipients. You can also send an initial message to the recipient first and wait for them to reply so you can confirm if you will be sending a file to the right people.
