Protecting people is key to protecting data in the public sector, writes Phil Greenwood, Director at Iron Mountain.
Another day, another media story about a public sector data breach. Whether it’s a filing cabinet containing confidential prison documents unwittingly sold at auction, private employee data accidentally posted online, or papers sent to the wrong person by mistake[i], invariably, the end result is that the media have a field day and the Information Commissioner issues yet another reprimand or fine.
Are things really this bad when it comes to information protection in the public sector? Well, yes and no. We recently completed a study[ii] of how public sector bodies across the UK manage their information. The findings reveal that one in four (23 per cent) public sector organisations aren’t confident in their approach and recognise they are putting data at risk. Six in every ten (61 per cent) say poor information handling has resulted in important documents being lost internally, and 40 per cent have suffered an external data breach.
These trends are not confined to public sector organisations, but what sets them apart from private sector incidents is that data breaches are caused overwhelmingly by a single factor: what Verizon’s data breach investigations 2014 report calls a ‘miscellaneous incident’[iii]. To the rest of us it’s just plain old human error. In 2013, three quarters of the reported miscellaneous incidents worldwide involved the public sector.
Why is error so prevalent and what can public sector organisations do about it?
First, we should acknowledge that the public sector is transparent in its information handling. It is fast to self-report when things go wrong. The high numbers may well reflect the reticence in the private sector to report its miscellaneous incidents. Second, we should recognise the complexity of information governance in the public sector. The UK’s public sector is going through a period of transformation. From organisational restructure to estate rationalisation and the Digital by Default programme, many public sector organisations and their employees are facing a struggle to either achieve more with less or to do things completely differently. Our study shows that one in three organisations has had to make information management roles obsolete, with 91 per cent saying that valuable information handling skills and expertise have been lost. Well over half (59 per cent) admit that the staff who remain are having to take on information responsibilities beyond their grade.
Against this background it is hardly surprising that, when asked to name the weakest link in information management, the majority said over-burdened staff who lack the time to take proper care of data (81 per cent).
Overstretched employees struggling with an increased workload and additional responsibility they feel ill-equipped to handle will make mistakes. They will forget to tidy away or secure documents and are more likely send things on or out without thinking or checking.
This picture is repeated the world over. Verizon found the top three causes of accidental data incidents in 2013 were: sending documents to the wrong recipient (44 per cent), mistakenly publishing data online (22 per cent), and careless disposal (20 per cent). It concluded that highly repetitive and mundane business processes involving sensitive data are particularly error prone.
Those responsible for information management in the public sector need to appreciate this and ensure that wherever possible, risk is removed from employees in such roles – through automation, monitoring and appropriate access controls, for example.
This should form part of an integrated, well-resourced approach to information management that is actively endorsed by senior leadership.
And there’s more.
Employees need the time, and the skills and the support to be able to treat information properly. They need clear guidance and policies they understand and engage with. They need to work within a culture of respect and accountability for information, and this needs to come from the very top of the organisation.
Time is running out for organisations to get their house in order. With stricter data protection legislation just around the corner and the challenge of growing data volumes and new digital processes combined with a vast legacy archive of paper records, the time to act is now. We all have a role to play in making it happen. Download Iron Mountain’s research report titled The Public Sector – managing information through the challenge of change.
