Today’s Irish Independent has an article “The Perils of Identity Theft” citing me on some of the issues that staff need to be aware of when dealing with sensitive personal information belonging to the customers of their employer. We all need to be careful with the data we access in order to do our job and we need to handle that data accordingly.
When it comes to cash, companies are quick to ensure staff know exactly what they are and are not supposed to do when handling that cash. Unfortunately, when it comes to data, many companies do not take the time to identify what data is sensitive, how they should protect that data, who should have access to it and how those with access should treat that data. Very often companies rely on employees to “do the right thing” or assume that IT will have that covered.
Without a comprehensive, unambiguous and well-communicated data handling and classification policy, your company will be doomed to have a data breach at some stage. If you are a manager reading this and your company does not have such a policy in place, then I recommend you look into this as soon as possible. Take it one step further and consider implementing the ISO 27001 Information Security Standard in your organisation. A key element of the standard is data classification and handling. By implementing the standard you will also have the confidence that your company has taken appropriate steps to make that data more secure.
If you are an employee and you are not sure what your company’s data classification and handling policy is, then you should ask. If there is not one in place, then insist that you are told exactly what you are supposed to do with the information you are working with.
Remember that some industries have regulatory and/or legal requirements for certain types of data and, in any event, the Data Protection Act places certain obligations on how companies deal with data.