The security of data is of critical importance. For data to remain safe, effective and accessible, we need to revisit our attitudes towards data security and reinforce why it is important to control and label that data, rather than letting it become impotent.
The recent changes to the UK Government Protective Marking Scheme (GPMS) have caused confusion and malaise within parts of the public sector, with feedback ranging from “No, we don’t need to label because everything is now considered ‘Official’” to “We’re waiting to see how things pan out before committing”.
This has highlighted a need for vendors and partners to change the message when discussing why data classification is essential. Organisations need to see data classification as part of their strategic information management framework, not just a compliance requirement.
This attitude could be justified if the risk these organisations faced was purely a compliance issue, but it’s not that simple. Last week, a public sector organisation hit the headlines for a data breach that could have been prevented by the use of a data classification tool. We’d argue that data classification should be seen as part of their strategic information management framework, not just a matter of ticking a box for compliance.
This breach involved Basingstoke and Deane Borough Council, which leaked personal details of housing benefit claimants, including their dates of birth and national insurance details, in response to a Freedom of Information (FOI) request. Basingstoke and Deane sent letters of apology to 1,900 people, warning them their details had been disclosed. The borough said that it had informed the police and the Information Commissioner. It has also set up a helpline and offered to pay to monitor loans taken out in the name of the affected people.
The cost of managing this data breach (along with any fine which may or may not be levied by the ICO) will eventually come out of the public purse or – more sadly – result in cuts that arise from overspending the council’s budget.
- Having a manual data classification policy in place may have stopped this from happening.
- Educating staff on the need to understand the value of the data they handle is always the way forward, in conjunction with continual re-assessment of the policy.
But let’s be honest and realistic: human error is the cause, and if you don’t choose to deploy a user-driven data classification solution at the desktop, where access controls and rules are in place, then breaches will occur. Server-side controls rely too heavily on heuristic values and can be so top-heavy that the solution becomes cumbersome. The mix of human intervention and technology can far better manage how quickly information is disseminated.
Boldon James Classifier offers a solution that balances these two elements and can help you stop your data reaching those it should not.