In April 2017, the National University of Singapore (NUS) was given 120 days to ensure that all its students in leadership positions were trained in personal data protection. This unexpected announcement followed a recent data breach at NUS that put student data at risk.
What caused the breach?
The PDPC found that a link to a Google Sheets spreadsheet containing the personal data of 143 students was circulating without adequate security and could be accessed without proper authorisation. Although the document was originally created with sufficient security safeguards, an unknown party had changed the settings to “share using link”, which meant anyone could access the data as long as they had the link. The origin of this data breach was human error, caused by the ignorance of the university’s student leaders, who had initially created the spreadsheet for the school’s freshmen orientation camp in 2016.
What can businesses learn from this?
- PDPC's findings underscored the importance of educating staff and students on the right data protection protocols. In this case, there should have been a proper system set up to ensure access to the spreadsheet was restricted. But even then, students and staff should have been properly trained and reminded on a regular basis of their obligations and the necessary precautions they should take when handling sensitive personal information.
- Encryption is also key when it comes to the protection of personal data. Had the document been encrypted, it would have created one more hurdle for an unauthorised person to access the information, even if they had the link.
- Organisations cannot be satisfied with merely having a cyber security plan when it comes to data protection. Steps must be taken to ensure that processes are followed in practice and a system of checks and balances should be in place to ensure that if and when mistakes happen, lapses can be identified and corrected quickly.
- While this particular breach involved personal information stored digitally, institutions should not forget other media, such as paper documents that can be physically accessed. Paper breaches are often more difficult to trace. For example, if anyone had printed out the NUS document, it would have been difficult to find out where the printout eventually ended up. This is especially true for paper that is not securely disposed of.
- When discarding confidential papers, organisations wrongly assume that the documents will be destroyed right away. Unfortunately, it is very common in Singapore for the documents to end up in the hands of the karung guni man, who then sells them to recycling companies. It can be a long process, and the documents usually stay intact throughout, with the organisation unable to keep track of where the documents are and who has access to them. This, in turn, increases the risk of a data breach. The best way to prevent a data breach when it comes to physical data is to implement a Shred-it All Policy for documents.
All organisations need to understand that when it comes to data protection there are always going to be risks, but employers and employees alike must remain mindful of their responsibilities and do their part to implement and enforce processes and policies that minimise those risks.