When emails attack


It’s a simple error which most of us will have encountered, and usually it is more of an irritation than anything else. But last week’s data breach at NHS Greater Glasgow impacted on a highly sensitive area of healthcare.

A clinic flyer was sent out to 86 NHS service users by email. However, their email addresses were entered in the “To:” field rather than the “BCC:” (Blind Carbon Copy) field and therefore visible to all recipients. And the service users in question were patients of a transgender clinic. http://www.bbc.co.uk/news/uk-scotland-glasgow-west-29804901

Given the nature of email addresses, in many cases names and year of birth were identifiable in addition to the contact email. And this is a group of service users where simply being identified with that specific clinical service area constitutes highly sensitive sexual and health personal data under the DPA. Coupled with this is the specific prohibition on disclosure under s22 of the Gender Recognition Act 2004 for those individuals who have applied for a gender recognition certificate. The impact on individuals is real and the reputational damage to the NHSGG&C considerable.

The Health Board cites “human error” in this instance, and most will be thinking “There but for the grace…”

But this area of risk can be mitigated. Look at your own organisation and ask:

· Is there a clear policy on how group emails are managed and who is authorised to send them?

· Are relevant staff trained or given guidance on how to appropriately manage group communications?

· Has the organisation assessed the risk to identify particularly sensitive business areas of groups of service-users (such as in this case) where additional controls may be necessary?

· Have alternative tools been explored and, where appropriate, provided to staff and mandated for use? This could be a specific email marketing tool (such as Mailchimp) or simply requiring staff to use a mail-merge function to send out multiple individually-addressed emails with the same content.

· Are appropriate controls in place? At the simplest level, this could be setting system limits on the number of recipients permitted in an email, or more sophisticated tools to conditionally monitor outgoing emails and automatically challenge non-compliant communications.

Author Frank Rankin is a consultant and speaker who recently joined the Act Now team. He’s based in Scotland and has over 20 years experience as an information governance practitioner. A former chair of the NHS Scotland FOI forum and member of the Scottish Records Advisory Council, Frank has designed and delivered pragmatic training in FOI, Privacy and Records Management across a range of sectors.

Post Script. This isn’t the only case where major organisations have managed to pass hundreds or thousands of personal email addresses to hundreds or thousands of strangers. A Police and Crime Commissioner in northern England, A large council in Essex bizarrely informing its suppliers that they were required to pass data about them to the National Fraud initiative and a cheap and cheerful airline telling all its frequent flyers the email addresses of all their frequent flyers. Do you know when you haven’t been BCC’d? Do you remember when you didn’t BCC? Let us know.

Click here to see a full schedule of Frank Rankin’s courses in Scotland.

Image Credit. knowhacking.wordpress.com

Brunei or Bust


In January 2015 the Act Now team will be flying out to Brunei to deliver data protection audit training to staff working for the Government of Brunei.

Negara Brunei Darussalam, to give Brunei its full name, is a small country located in Southeast Asia. It is surrounded by Malaysia and has two parts physically separated by Malaysia. Here is the BBC’s guide to the country.

This is phase 2 of our Brunei consultancy project. Phase 1 involved developing a Data Protection Audit Manual based on the Data Protection Policy released by the Brunei Government. This included guidance on DP audit planning, preparation and the use of DP audit templates.

Ibrahim Hasan and Paul Gibbons, well known experts and trainers in this field, will lead the Brunei training project. Ibrahim said:

“I am looking forward to going out there to showcase our training expertise to an international audience. As more countries enact data protection legislation, we hope to be at the forefront of developing products and services that will enable those working in this field to develop their skills.”

This is one of many recent consultancy projects. Last year Act Now won a tender to deliver information rights consultancy services to The Rural Payments Agency. We were tasked with reviewing the RPA’s information rights handling policies and procedures in the light of best practice and legislative developments.

This latest project enhances our reputation as one of the UK’s leading providers of in-house training and consultancy in information law and information management. We pride ourselves on having the most well known experts who have all worked in the public sector for many years. We particularly specialise in:

  • Conducting information management audits
  • Writing policies, procedures and protocols
  • Conducting information risk assessments
  • Providing best practice advice on handling requests for information
  • Writing reports for senior managers and decision makers

Please take a moment to browse our in-house training and consultancy pages. Feel free to get in touch to discuss your requirements in this area.

Scottish Information Commissioner’s Annual Report


In September the Scottish Information Commissioner, Rosemary Agnew, published her annual report for 2013/14.  Ms Agnew enforces the Freedom of Information (Scotland) Act 2002 (FOISA). In her own words, “The report documents our achievements and challenges across the year, while also providing a snapshot of the wider picture of FOI in Scotland.”

Key facts are as follows:

  • Appeals to the Commissioner fell slightly during 2013/14, with 578 appeals received compared to 594 in 2012/13.  The slight fall appears to be due to a fall in the number of appeals made because an authority had failed to respond within the statutory time limits.
  • The Commissioner received the highest number of enquiries to date, at 2,008.  This was an 11% rise on last year.
  • 62% of appeals were from members of the public.
  • In 67% of decisions the Commissioner found wholly or partly in favour of the requester.
  • Public awareness of FOISA in Scotland is at 78%.
  • Scottish public authorities reported that they received over 60,000 FOISA requests in 2013/14.
  • 75% of appeals took less than 4 months to resolve.
  • There were no appeals to the Court of Session against decisions issued by the Commissioner in 2013/14.
  • The Commissioner launched a new programme of regional “roadshows” , which saw the Commissioner and her staff deliver FOISA training to over 200 participants from a range of backgrounds.

In an excellent example of Open Data, the Commissioner has also published detailed information on the appeals received since 2005, broken down by public authority, region and sector, in Excel spreadsheets on her website.

The Commissioner is currently working on a Special Report on the scope of FOISA and whether all the right organisations are covered. The report will be laid in the Scottish Parliament in early 2015, to coincide with the 10th anniversary of the Act coming into force.

If you are new to FOI in Scotland or want to boost your career through gaining a qualification, our FOISA Practitioner Certificate  is ideal for you. The four day course is endorsed by the Centre for FOI , based at Dundee University.

If you’re considering enrolling on the course, what can you expect? Read what the tutor has to say and have a go at the FOISA test.

%d bloggers like this: