Data, data everywhere
Housing Associations rightfully possess a lot of information regarding their residents. This information is needed to ensure that they are provided with the right services and support that they need. Some of this information is incredibly personal and confidential, and it is vital that this information is only seen and used by those who need to. Data Protection laws are in place to ensure that organisations like Housing Associations manage and protect this information correctly, but with large changes due to come into force in the next 12-18 months, what more can be done to ensure that sensitive data is handled in the most secure way possible?
Draft Legislation is currently making its way through the European Union Parliament which will see some sweeping changes to Data Protection laws. The key points of this legislation are:
- Fines of up to €100 million or 5% of income for breaches of Data Protection laws
- Individuals now have the right to claim compensation if their personal data is leaked or abused by organisations
- Individuals have the right to be forgotten
- Explicit permission required to collect, use and market personal data
- Change to enforcement regime rather than today’s self-regulation and education
The most striking of the changes is the increase in the maximum fine that can be levied – although the absolute value is not strictly relevant to most Housing Associations, the EU felt that previous fines weren’t big enough to really get the attention of senior people within an organisation. The ability to fine a proportion of income is designed to address this perceived issue.
The increasing rights of the individual
The changes with probably the biggest likelihood to affect Housing Associations are the changes around the individual. The right to claim compensation for a Data Protection breach is likely to focus the attention of a wider section of society on data breaches. Housing Associations can also be called upon to prove that they have destroyed the data of a customer who has moved on – this has repercussions for IT systems and platforms – what constitutes destruction? Can the deletion of a record in a database be said to conform to the destruction of that data? Or does the data need to be destroyed using techniques pioneered by defence agencies? These questions will need to be fully answered by the European Union and the answers will need to be used by systems developers and IT partners to ensure their products and services are compliant with the legislation. Questions also remain over what data is allowed to be kept – safeguarding information and bad debt records are two areas that spring to mind. Housing Associations would rightly feel entitled to retain this information, even after the tenant has left, but this has yet to be confirmed by the EU.
Explicit consent will now be required from customers before their data can be used by a Housing Association – for example before they can be sent newsletters or other marketing information. Housing Management systems will need to be modified so as to track whether consent has been obtained from a customer or not, and this consent will need to be periodically renewed.
Documentation and publicity materials leaving the business need to be sanitised before use – there have been cases of customer information being left in screenshots of software sent in newsletters, and personal details have been emailed to the wrong user – sometimes a misplaced full-stop or letter in an email address is all it takes to send confidential information to a complete stranger.
The protection and correct use of data is therefore becoming increasingly paramount. So what can be done to ensure that all measures are taken to prevent leaks? Housing Associations have traditionally focussed on procedural and cultural changes to ensure that data is not misused. Procedural changes are very important and can be effective in raising awareness of the importance of Data Protection. Cultural changes need to be directed by the senior people within a business and without this direction, the workforce is unlikely to realise the importance of changing their working practices. However, procedural and cultural changes are only one aspect of a holistic Data Protection strategy. These changes, in combination with secure technologies offer the best levels of protection, but what technologies are on offer, and how can they help?
Three practical steps to improving compliance
These are three areas that can help protect against Data Protection violations
1. Encryption of information both in transit and at rest
Data needs to be secure both at rest and while in transit. Laptops, tablets and portable media such as USB sticks and DVDs should be encrypted so that in the event of loss or theft, data stored on them cannot be read by unauthorised parties. Historically the use of encryption has necessitated complex and expensive products and services, but these are now baked into Windows operating systems and key management is a feature of Active Directory; meaning a lost or forgotten key is no longer the large issue it used to be. Laptops now commonly come equipped with the hardware necessary to ensure that if a hard-disk is removed from the computer, it cannot be read on another machine, further increasing security.
2. The use of data transmission policies to prevent certain types of data being emailed
Organisations should and often do have written policies in place around the transmission of sensitive data via email, however, policies sometimes fail due to human factors and so it is important to have security systems in place such as those found in Exchange 2013 which can detect the transmission of sensitive information such as bank details, tenancy information and other personally identifiable information and can either warn the user that they are about to breach a data protection policy, or block the communication entirely.
3. Limiting user access to sensitive data to authorised parties within a business
Platforms such as Identity Rights Management, a feature of Microsoft’s Windows and Exchange servers, allows organisations to restrict information so that it cannot pass between functional boundaries within the company; information that may be pertinent to Finance might not necessarily be suitable for use by Marketing, and so policies can be configured to prevent that information being transferred electronically. This has the effect of preventing information that in one context the usage of is entirely appropriate, being used in another which is not.
With all of this in mind, it is important to remember that all the technology in the world cannot prevent a malicious or very misguided user from simply copying information down onto a notepad, or taking a photo of the screen in order to use restricted information for some other purpose. However, Data Protection laws require that the organisation makes all practical efforts to secure sensitive information, and systems such as those discussed during this paper satisfy that requirement.