Facit Data Systems
The rise in Data Breaches: How to manage your risk

Data breaches and DSARs are on the rise, and organisations need to implement robust data protection measures to protect their employees and cope with the increasing demands of DSARs.

Introduction

Data breaches and data subject access requests (DSARs) have been on the rise over the years and unfortunately there is little evidence to suggest that this is due to slow down.

The rise in DSARs means that organisations such as the NHS struggle to cope with the level of incidents reported. With the current UK situation, such as fewer staff, an increase in strikes, and a lack of government funding, it is likely to get worse before it gets better.

According to the RCN, nursing staff across the UK are under such pressure that six out of 10 say they cannot provide the level of care they want to patients, while three in 10 have suffered physical abuse from patients or relatives in the past 12 months.

It’s incredibly important that organisations have the right redaction software in place to protect their employees and that DSARs are actioned efficiently. In the ICO’s latest incident trends report, statistics show that in the last quarter of 2022, there were 1,000 incidents of ICO “failure to redact”, that is, failures to mask or delete data. The significant failure rate suggests that the dramatic rise in DSARs is overwhelming Compliance teams.

What is a data breach?

Organisations such as the NHS hold a considerable amount of sensitive and confidential data – in both document and video format – such as patient and employee records, and CCTV.

There are several ways in which an organisation could experience a data breach. One is when a group gains access to a computer system through a phishing attack: they manage to hack into an employee’s private internal network, which has become easier to achieve since the rise in working from home. Once they have access, they can deploy malicious software that encrypts computers, and they will most likely ask for money in exchange for unlocking them. Data isn’t always taken during a ransom attack, but it is often used as part of a negotiation.

There was a large NHS data breach of patient records during March 2022. A report by DRM Legal explains how the personal and sensitive data of thousands of people had been breached by PSL Print Management, the consultancy firm working with the NHS.

The breach was discovered after a whistleblower requested email and text messages relating to his employment at PSL. The employee was sent a memory stick containing the firm’s entire server! This contained patient letters and personal data. The ICO will likely impose a fine on the firm. It’s a massive failure to protect patient data and shows the risk when outsourcing your security and redaction requests.

People sat in a waiting room – all but one face is redacted.

Data privacy best practice

Data privacy best practice involves having comprehensive privacy protocols that are circulated to your staff so that they know what data is kept and how to work with it compliantly. One suggestion to aid this process is to ensure staff have read the privacy policy and receive periodic reminders, so that data privacy remains a constant in people’s minds, as data protection can often fall through the cracks with employees. They have their own roles to focus on and, as we know, are already incredibly overwhelmed with their workload and industry pressures.

During October 2022 it was reported that even the most senior officials can forget or overlook guidelines and policies. The BBC reported that Home Secretary Suella Braverman repeatedly broke the ministerial code by using a personal email address.

The increase in DSARs has prompted some organisations to outsource documents for redaction. Other organisations experimented with cloud redaction tools.

However, the overwhelming majority of Data Officers now argue that in-house data privacy processing constitutes best practice. Facit’s customers, for example, suggest that the idea of data leaving their organisation’s own secure IT environment makes them nervous as it introduces unnecessary risks. You can read more about this topic over on our blog Video Processing and Cloud Challenges.

Best practice in action

We are a proven partner with the NHS and Facit recently installed its video redaction software, Identity Cloak, to help King’s College Hospital to manage video data for its DSARs. The hospital’s Head of Security says: “We are completely satisfied with our choice.” He added: “The multi-mode options give us flexibility and enable us to ensure that we provide the correct video output for each specific request we receive.”

As a progressive organisation, the hospital sought to fulfil DSARs and comply with data privacy regulations without depleting precious budgets and wasting valuable expert resources on laborious administrative tasks. It chose Identity Cloak as its redaction tool for a few reasons, which you can read here.

Our privacy software is designed precisely to enable businesses to take full, fast and accurate control of their data privacy management, entirely in-house but without the need for extensive hardware updates. We help organisations worldwide to automate complex video redaction, including busy waiting rooms and wards with sensitive data on display. Our document redaction software works across multiple formats including email and attachments, PDFs and complex spreadsheets. And importantly, it is flexible, scalable and designed to grow with your needs if data requests increase. There is no cost per redaction; it is an annual fee, which ensures you remain in control of your budget.

To find out how Facit can help manage your risk, get in touch.