June 15, 2020
When handling private and confidential data at work, it is important to understand why the data is designated that way. The loss of control over personal data can have dire consequences for the customers who have entrusted it to the organisation. A careless act can damage an organisation’s reputation.
Dealing with personal data and confidential information shared with and within the organisation, such as NRICs, phone numbers, and email addresses, is a norm at work. However, when dealing with such information, it is important to recognise that these materials are not meant to be spread and shared among members of the public.
While financial and reputational consequences are well known, the information itself may cause further alarm and distrust in the community. There are several instances in which employees have found themselves carelessly sharing information and facing the consequences of doing so.
At the beginning of April, it was revealed that a government public servant had leaked to the public a draft copy of a media statement on upcoming measures to mitigate the spread of COVID-19. The announcement was only planned for dissemination later in the day.
Even though the woman was an authorised recipient of the confidential material, she had taken a photo of it and forwarded it to her husband, who was not supposed to receive it. From there, it was shared with his friends and soon the leaked photo was circulating through messaging apps, as well as social media. The woman and her husband were arrested under the Official Secrets Act, which governs how confidential material is handled within the government.
In another incident, closed-circuit TV footage of a woman injured by a falling door at a shopping mall was uploaded onto a video-sharing site without permission. The footage had originally been used to aid in investigations, but the leak sparked alarm amongst members of the public. As a result of the breach, the mall received negative publicity, and a spokesperson for the mall had to address the public alarm the leak had caused.
The above two examples offer just a small glimpse of how organisations lost control over confidential information, due to staff being too eager to share information they find ‘exciting’ with those close to them. Proper training of staff, present and future, thus remains a key tenet of every organisation’s data security plan. Staff need to be able to make proper judgement calls on when relevant parties are in need of the information, on a “need-to-know” basis. This is why it is crucial that all employees should be trained on the proper internal procedures of managing confidential data and privileged information.
For businesses, a proper risk assessment can serve as a gauge of where a company stands in terms of data protection best practices that minimise the chances of breaches happening. At Shred-it, we can help you to identify the gaps in your data protection policies. Contact us today for a risk assessment to keep your data protected and secure through regular shredding services.
This article is provided for your convenience and does not constitute legal advice. Readers should not take, or refrain from taking, actions based upon the content of this article. Prior results do not guarantee similar outcomes. Please seek professional legal advice.