12 October 2017 • by Paul Bierling, Marjon Gielisse and Bas Schrijver
Safety Week – How can you prevent data breaches?
Duty to report data breaches
Since 1 January 2016, a duty to report data breaches has been in force in the Netherlands. This duty to report means that organisations, such as The Hague University of Applied Sciences, must immediately submit a report to the Dutch Personal Data Authority (AP) if a serious data breach occurs.
The government introduced the duty to report data breaches because with this it hopes to minimise the consequences of data breaches for anyone concerned. The government also hopes that this will “make a contribution towards retaining and restoring trust in the handling of personal data”.
In the event of a data breach, the organisation responsible (the data controller) must not only report the breach to the AP but also inform the people whose data is affected. Failing to report a breach that must be reported under the guidelines can be punished with an administrative fine.
Naturally, not every data breach needs to be reported to the AP. To determine which breaches should be reported and which should not, THUAS has set up an internal reporting centre. This reporting centre will then also make the actual report if necessary. The point of contact at the reporting centre is the Privacy Officer at The Hague University of Applied Sciences, who can be reached on +31 (0)6 86 80 89 95 or at ISO@hhs.nl.
What are data breaches?
When we talk about data breaches, we mean access to, or the destruction, alteration or disclosure of, personal data at an organisation that the organisation did not intend. Data breaches therefore include not only the disclosure (leaking) of data but also any other unlawful processing of it.
Well-known forms of data breach are a lost USB memory stick containing personal data, a stolen laptop, or an attacker gaining access to a file or database of personal data. The risk of a data breach is also raised in the following, less obvious situations.
- Sending an email containing personal data to the wrong fellow student or lecturer. Something that happens fairly frequently at THUAS for instance, is that an email intended for a co-worker is sent to a student with the same name, and vice versa.
- Leaving personal data in an unsafe place. Someone may leave documents lying around in a classroom, on a printer or desk or even in a public area.
- Not locking rooms where work is being carried out with personal data. This also applies to locking your own laptop/desktop when you leave your classroom or another work area, even if you are just popping out to the toilet or to get a cup of coffee.
- Not installing software updates regularly and not changing the passwords on all of your personal devices. Missing updates leave known vulnerabilities open and make a malware infection more likely.
What is THUAS doing to prevent data breaches?
THUAS is investing in, among other things, information security: protecting all of the university's information sources against unwanted access and misuse. We do this to comply with the legal requirements, but above all to ensure that the value of our diplomas is beyond any doubt. Alongside ISO 27001 as the basis and the best-practice controls of ISO 27002, we have the IT regulations for students (part of the Students' Charter) for this purpose. It is important that you stay up to date with these regulations.
How can you prevent data breaches?
- The following applies as a general rule: take extra care when working with personal data.
- Pay particular attention when you send emails that contain personal data. The email addresses of students are clearly recognisable within the organisation. You should also pay attention when automatically filling in email addresses after typing the first few letters.
- Think carefully about whether personal data should leave THUAS at all. Who is asking for the data? Is that party entitled to request and receive it? Be aware that email and consumer file-sharing services such as Dropbox are among the least secure methods for exchanging data. Within THUAS, SharePoint is the safer alternative.
- Most people are familiar with the term ‘clean desk policy’. You should add ‘clean printers’ and ‘clean rooms’ to this and ensure that your PC is not left open when it is out of your sight.
- Always install the latest updates for the software you use as soon as they are available, and change your passwords regularly. Never share your password with anyone.
- Secure your mobile devices (tablets and smartphones) with device encryption and an access code: BitLocker on Windows devices, or the built-in storage encryption of iOS and Android, which is only as strong as the screen-lock code that protects it. Are you protected against crooks? https://www.maakhetzeniettemakkelijk.nl/boefproof
- Have you come across information that you or others should not see? Avoid the chance of this reoccurring and contact the internal reporting centre for data breaches and/or the Privacy Officer. All reports will be handled with care.
- Are you leaving your workplace for a moment? Take your mobile phone with you and lock your computer with the Windows logo key + L or just lock the classroom door.
- Are you sending an email to a large group of people? Do not fill the header with email addresses. Put your own address in the "To" field and all other addressees in the "BCC" field (Blind Carbon Copy), so that recipients cannot see each other's addresses.
- Would you like to test your cybersecurity skills? You can do this here: https://www.alertonline.nl/cyberskillstest#/. You will also find many handy tips.
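The BCC advice above has a programmatic counterpart: anyone who sends a bulk mailing from a script must also keep the recipient list off the delivered message. The following is an added example, not code from THUAS or from this article; the addresses are constructed for illustration. It builds the same mailing twice, once with every addressee visible in the "To" header (the mistake) and once with only the sender in "To" and the recipients kept on the SMTP envelope, then checks which addresses each recipient would be able to read.

```python
"""Bulk mailing without disclosing the recipient list (constructed example).

The point: a recipient address is only private if it never ends up in the
message bytes that are handed to the mail server. smtplib strips Bcc headers
itself, but other libraries and raw `sendmail(from, to, msg.as_bytes())`
calls do not, so the safe habit is to never put recipients in a header.
"""
from email.message import EmailMessage

# Constructed sample data for the example (not real addresses).
SENDER = "lecturer@hhs.example"
RECIPIENTS = [
    "student.one@student.example",
    "student.two@student.example",
    "colleague@hhs.example",
]


def build_visible_recipients(sender, recipients, subject, body):
    """The mistake: every addressee lands in the To header.

    Returns (message, envelope_recipients). Everyone who receives this
    message can read the full distribution list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_blind_recipients(sender, recipients, subject, body):
    """The safe form: the To header carries only the sender.

    No Bcc header is added at all. The recipients are returned separately
    and belong on the SMTP envelope, e.g.
        smtp.sendmail(sender, envelope, msg.as_bytes())
    so they are never part of the delivered message.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(recipients))  # de-duplicate, keep order
    return msg, envelope


def leaked_addresses(msg, recipients):
    """Recipient addresses visible in the message as it would be delivered.

    Serialising the message is the honest check: it is exactly the text
    that reaches every mailbox, whatever headers the sender thought were
    'hidden'.
    """
    delivered = msg.as_string().lower()
    return [addr for addr in recipients if addr.lower() in delivered]


def send_blind(smtp, sender, recipients, subject, body):
    """Send via an open smtplib.SMTP connection with envelope-only recipients."""
    msg, envelope = build_blind_recipients(sender, recipients, subject, body)
    # Explicit to_addrs: routing comes from the envelope, not from headers.
    smtp.sendmail(sender, envelope, msg.as_bytes())
    return envelope


if __name__ == "__main__":
    bad, _ = build_visible_recipients(SENDER, RECIPIENTS, "Exam results", "See attachment.")
    good, env = build_blind_recipients(SENDER, RECIPIENTS, "Exam results", "See attachment.")
    print("visible To header leaks:", leaked_addresses(bad, RECIPIENTS))
    print("envelope-only leaks:   ", leaked_addresses(good, RECIPIENTS))
    print("envelope recipients:   ", env)
```

Running the check on the two messages shows all three constructed addresses leaking from the first and none from the second. The same `leaked_addresses` check is worth running in any mail-sending script before it goes live: it catches the case where a Bcc header was added to the message and then serialised, which discloses the list just as surely as putting it in "To".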
Week 41 is National Safety Week. Safety in all its aspects is also an important theme at The Hague University of Applied Sciences, which is why we are focusing on a different safety aspect at THUAS every day this week. Want to learn more? See the intranet under Safety and Crisis Management.