This morning bought Security News stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted to me some dangerous assumptions and errors in thinking that we are guilty of.
The story was about a temporary worker at a hospital who had sent letters which contained highly sensitive childrens data, to the wrong addresses. Apparently the temporary workers who had made this series of errors had not received any DP training. The story explained that the ICO had given a warning that “even temporary staff should have Data Protection Training”
Bear with me. Last year another breach occurred in a hospital when a temp worked downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.
Firstly, assuming someone has had training in something is always dangerous. Surely if you are going to allow temporary workers access to such sensitive data it is a must have. Secondly, is it appropriate for a temporary worker to have that access? Obviously this will vary by incident or role.
Its not just the NHS, businesses make this mistake too. I have seen temporary workers who have had no vetting, logged into networks by well meaning employees on their own login credentials. There they have been able to access any sensitive data they wished and the trusting employee has handed over that organisation’s data to someone who may well damage, steal or sell it.
Back to my original point, to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying temporary workers especially need Data Protection training?