Improving safety and security in digital communications: Jeugdzorg Nederland joins forces with Zivver
It is important that you always send personal data securely. That awareness is increasingly present on the work floor. Nevertheless, ZIVVER directors Rick and Wouter still hear numerous irrational arguments for not applying this rule. Which of these 'security excuses' do they hear most frequently? Wouter discusses them one by one.
Security excuse 1: Such a small file does not need security
The size of the data is often decisive. The larger the requested file, the greater the chance that the data will be sent securely. In itself this is logical enough, based on a quick assessment of the consequences of a possible data breach. In the experience of the sender, the risk increases with the amount of data.
The law sees this differently, however: a data breach is a data breach, even if only one person is involved. Furthermore, the new General Data Protection Regulation introduces the possibility that interest groups can approach other concerned parties in order to bring a joint lawsuit. If things go wrong for one patient, the chances are that other patients - without knowing it - also risk becoming a victim.
In addition to a possible claim for damages, reputation damage is already inevitable. Conclusion: anyone who sends personal data insecurely because it only involves a small quantity of data is assuming a false argument with potentially significant consequences.
Security excuse 2: The recipient requested the information him or herself
My mother asked her hospital for a copy of the treatment report from her ophthalmologist. This was promptly sent to her by email, including her name, full address, patient number, insurance number, BSN (citizen service number) and the full treatment report. There was a warning at the bottom of the referral letter: 'Please note, this report may contain a citizen service number.' Anyone who intercepts that email will suddenly know a lot about my mother. The question is also what the function of the warning was at the bottom of the referral letter. Can you ignore it if a recipient has herself requested data?
We also encounter similar situations with notaries and lawyers. At the request of the customer, they often send a copy of a will, a prenuptial contract or purchase deed by email. If the client or patient has asked for it, security is apparently not important. Or maybe we think that the risk of a data breach is borne by the customer if he or she has requested information him or herself? That sounds easy enough. Until the information falls into the wrong hands, of course.
Security excuse 3: You do not need security for colleagues
If you send a colleague an email, you often do not immediately think of security. After all, the risk that sensitive information will end up in the public domain is smaller when using internal email. Unfortunately, this is not a criterion for the law: an email with sensitive information must always be sent securely, even if it remains inside the organisation. As soon as personal data comes to the attention of someone who did not have permission or a need for this, a data breach has occurred.
Moreover, there are enough painful scenarios imaginable involving leaked internal information. No employer would like to see information about salaries, reorganisations, treatment plans or test results, for example, reach the wrong employee. Prevention is better than cure. We know of cases involving an internal leak about salary data. The managers involved had to sign several confidentiality declarations and prove that the data had not been stored anywhere. The first is annoying, but think how complicated it would be to prove that you did not do something ...
Security excuse 4: The recipient does ensure good security
Municipalities and other parties must regularly share information with the police. This takes place remarkably often by unsecured email. An important motivation is the conviction that 'the police have undoubtedly got their security in order'. The same idea applies to other parties with regard to which you as sender assume that their security is sound. This is misguided logic - even apart from the question of whether you are certain that everything is really in order. Even if you send an email to an extremely secure recipient, someone can intercept that information along the way. With all the undesirable consequences that entails. And if you accidentally send the email to the wrong recipient (who does not work for the police), then you are really looking at a data breach.
Security excuse 5: The recipient probably doesn't want all that extra hassle
Healthcare professionals, civil servants and lawyers often find it difficult to burden their clients with 'extra hassle'. You often see them making an estimate: how many clients or patients will be irritated by this, or will not open this email because they have to take an extra step? That estimate is irrational. If one out of one hundred recipients has complained in the past, many people wrongly project this experience on the 99 other recipients that did not make a fuss. In fact, you are then selling very short the many recipients who appreciate the secure handling of their sensitive data!
And as with the previous considerations, the law, journalists, customers and chain partners have little understanding for this. Anyone sending personal data must always know the risks and take measures him or herself. Excuses never help limit reputational damage, or help avoid a high fine.
This blog gives you an idea of what is involved in secure emailing. It is an important part of the GDPR. Our checklist contains all the steps you need to take to achieve GDPR compliance. The document addresses in greater detail matters such as drafting a processor's agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.