As an organisation, we have to care about the security of our information. There are any number of legal reasons to do this, but in its simplest form, it comes down to being the guardians of the information we keep and holding the trust of the public, our staff and the organisations and individuals that we do business with.
In my role as Senior Information Risk Officer (SIRO), I am responsible for leading and encouraging a culture of good information management, owning the overall information risk policy and understanding where the lessons can be learned when there are information incidents. The current Information Governance agenda is doing much to drive that message out to everyone, but I would like to highlight a key issue for everyone.
In recent weeks, there have been a number of data incidents where information has been shared and stored inappropriately. It is everybody’s responsibility to take steps to ensure that the information they are working with or sharing is handled in a secure way.
Sensitive documents and personal data should only be stored on drives where access is restricted to the appropriate people and should never be stored on the hard drives in laptops.
Emails are a method of communication that has become commonplace in a 21st-century working environment. Onward transmission of emails has brought about a complacency in terms of assuming that everything contained within that email thread needs to be shared. This is usually not the case.
It is therefore good working practice to remember the following:
- If you are contacting someone for the first time, especially if it is outside of our organisation, send a test message to establish you have the right person and refrain from sending or saying anything confidential until you have ensured you have the right person.
- Use council email accounts only for work-related activities.
- If you are forwarding emails, check through to see if there is any personal information contained within the thread and, if there is, only include it if the recipient should have that information.
- If you are replying to an email, do not automatically “reply to all”. Consider who has been sent or cc’d into the message and whether the information needs to be shared with all those included.
- If you are in regular contact with an external agency or person, ensure there is an established data sharing agreement in place.
- Do not email any council data, whether sensitive or not, to a personal email address.
- Do not open emails from unknown external senders or click on suspicious links within emails.
Thanks for your help on this important topic.
Speak again soon. For daily updates, discussion, personal opinion, comment or just to connect or keep in touch you can follow me on Twitter at http://twitter.com/#!/drcarltonbrand.
Carlton