3 Data Protection Tips for Public Institutions
The prevalent use of information and communication technologies such as databases, internet services and mobile devices have made all sectors vulnerable to data breaches. Public institutions are no exception. As massive data aggregators of highly sensitive information with often outdated systems unequipped to deal with current threats, they make a very attractive target for cyberattacks.
In a now notorious 2015 incident, the United States Office of Personnel Management (OPM), the agency that manages the US government’s civilian workforce, discovered that the personal information of more than 21 million of its employees and contractors had been compromised in a cyberattack. The data included extremely sensitive information required during background checks for government security clearance. More recently, in March 2019, the Federal Emergency Management Agency (FEMA) unwittingly exposed the personal data of 2.3 million survivors of several natural disasters.
Public institutions, while sometimes governed by distinct legislation from the private sector and benefitting from certain exemptions, are still subject to data protection laws and are liable to fines under legislation such as the EU’s General Data Protection Regulation (GDPR). Several public institutions across Europe have, in fact, already been fined by national Data Protection Agencies (DPAs). In October 2019 for example, the Norwegian DPA imposed an administrative fine of €120,000 on the Municipality of Oslo for poor security of processing in a mobile app.
How can public institutions therefore protect the data they collect, guard against malicious attacks and ensure compliance with data protection laws? Here are our tips!
1. Clear the backlog
Public organizations collect vast amounts of data, but often neglect to clear their backlog once the information has outlived the purpose for which it was collected. This means that they accumulate data and overload their databases and filing systems with unnecessary information. This however is in direct violation with many of the most recent data protection regulations like the GDPR that requires that personal data only be retained for the duration it is needed to fulfil the purpose for which it was processed.
Long term data retention also comes with the added problem of legacy systems which are often out of date and cannot meet new data protection requirements. It is therefore crucial for public institutions to identify their data collection and retention practices and purge their systems of any superfluous data that no longer serves a purpose.
2. Data protection by design
One of the fundamental pillars of the new wave of data protection laws is the concept of data protection by design and by default which implies that cybersecurity must be a key consideration in the development of IT products, services and policies, but also be at the forefront of employees’ minds while they perform their duties.
For a long time cybersecurity has been an afterthought in the development of institutional networks, but it must now become a top priority to protect against potential security incidents and to ensure compliance with data protection legislation. Data protection by design requires institutions to raise awareness of cybersecurity threats and data protection best practices and educate employees at all levels about them.
A better understanding of data protection needs will help senior officials craft more effective policies and support employees who have day to day contact with collected personal information to perform their tasks more securely.
3. Consider both internal and external threats
The biggest focus of cybersecurity frameworks tend to be external attacks. And while they are the biggest threat data faces, they are the root cause of only 51% of data breaches according to the 2019 Cost of a Data Breach Report released by the Ponemon Institute and IBM Security. 24% of the rest of the data breaches are caused by human error.
It is important for public institutions to educate its employees on data protection best practices, but also to ensure that access to data is restricted to those employees that need it in the discharging of their duties.
Data Loss Prevention (DLP) tools can also help organizations to monitor the flow of personal information and control it when needed. They can block the transfer of sensitive information outside an institution’s network and ensure data is removed when found on unauthorized computers. DLP solutions act as an added layer of security, guarding against unintentional carelessness or negligence on the part of employees.