Breach Case 8: Holding on
Neil Sanson
30 October 2018 at 15:39

A recent data breach incident provided an example of how your responsibility to protect personal information in your care remains a duty until you securely dispose of that information.

All employers receive applications for jobs. When these were on paper, the task of getting rid of the ones that you did not want was obvious. The pile of paper sat there as a constant reminder. With the move to digital files, that prompt to action is no longer so obvious, so applications can easily be kept for longer than you intend. And that can lead to other problems.

A health organisation gave a zipped folder of files to a contractor. When the contractor opened the folder, they found a sub-folder of three-year-old job applications. As these were not relevant to the task, the contractor deleted that sub-folder and notified the agency.

The organisation realised the sub-folder of job applications had been included because it was misnamed. (See "Breach case 1: Name your documents clearly" for another instance, and our advice on using clear file names.)

The organisation also realised they had kept these job applications for three years despite their policy of disposing of unsuccessful applications after one year. They searched for any other old job applications, deleted those they found, and reviewed their practices to ensure that they would adhere to their policy in future.

Securely disposing of personal information that you no longer require is the most effective method of ensuring that information is not misused or exposed in a breach. This benefits not just the individuals whose information you hold, but also your agency, by minimising the size of any breach that may occur (and therefore the costs of responding to the breach). It also avoids the question that would otherwise be asked: why had you still retained the information?

We regularly get data breach notifications and this year we will be sharing the lessons learned from these more regularly. If you want to know more about data breaches, please check out our Data Safety Toolkit.
