Site iconSite icon IFSEC Insider | Security and Fire News and Resources

The BSIA Briefing: June 2009

Following on from the personal medical records of tens of thousands of people going astray, the national media has reported heavily on the Information Commissioner’s urgent review of data security within the National Health Service (NHS).

The Department of Health has confirmed that a total of 140 security breaches were reported across the NHS between January and April this year. Those breaches included computers containing medical records being left in skips or being stolen, and passwords being taped to encrypted disks containing sensitive information.

The importance of ensuring secure document protection and destruction highlights the urgency for key security procedures to be put into place by end user organisations. In particular, this is most required during a time of economic downturn characterised by increasing amounts of cyber crime and the rise of threats such as identity theft.

Urgent review of data security

Over the last six months, Information Commissioner Richard Thomas has been forced to take action against 14 NHS bodies for breaching data regulations and subsequently ordered an urgent review of data security in the NHS, writing to the Department of Health to demand immediate improvements in the seemingly lax treatment of personal data.

The Data Protection Act imposes legal obligations on any organisation that processes personal information, essentially advising client organisations on what types of information they may hold and how it must be safeguarded. The Act also extends to covering the way in which data must be disposed of by the host company.

Confidential data must be securely destroyed by a professional information destruction service. BSIA members work to ensure that partner organisations meet their legal obligations by assuring good practice.

This entails operating to the British Standard 8470 for the collection, transportation and destruction of confidential material, as well as the quality management standard ISO 9001:2000. The aim must be to provide a fully-tracked service from collection at source to point of destruction.

Explosion of identity theft crimes

Speaking about the NHS data losses, Mike Gorrill the assistant Information Commissioner – commented: “A person’s medical history represents very sensitive personal data. Harm or distress to the person concerned is likely to be the end result if that data should fall into the wrong hands.”

Gorrill cited a reported security breach in the NHS involving a computer with the unencrypted medical notes of 2,500 primary care trust patients in an area of London being left beside a skip.

The unlawful use of such information has contributed to an explosion of identity theft crimes that are now estimated to cost almost GB pound 2 billion every year. Identity theft allows criminals to obtain goods, credit or services in someone else’s name. Within the health sector, it can include the use of stolen identities to fraudulently obtain prescription medicines and State benefits alike.

Thankfully, British Security Industry Association (BSIA) members have published a Security Waste Audit to help advise potential users on how to address their specific risks and requirements.

For more information on the work of the BSIA’s Information Destruction Section, to find a company who can assist you or to download this document visit the dedicated web link provided on the right hand panel of this page

Reflections on IFSEC 2009

As usual, the BSIA’s stand at IFSEC – the premier global security exhibition and conference programme held in May at the Birmingham NEC – was a hive of activity, with members networking, buyers looking for BSIA members’ product information and potential members keen to obtain information on the work of the Association milling around.

The BSIA’s International Visitors Lounge once again played host to overseas guests who were invited not only to participate in the hugely successful Meet The Buyers event, but also afforded the opportunity to establish links with buyers and providers of security solutions. The International Visitors Lounge also offered them a networking and communication point at the show.

Speaking of Meet The Buyers, this time around the event was even more significant given the presence of His Royal Highness Prince Michael of Kent in his capacity as Patron of the BSIA’s Export Council. His Royal Highness attended to gain an insight into the work of the Export Council, as well as meet with some of the BSIA’s members and overseas buyers.

This year also saw the first running of a new BSIA event aimed at potential members which showcased the work of the Association and the many benefits associated with membership. The event, which followed the launch of a new potential members’ Newsletter, provided a unique opportunity for attendees to network. BSIA members of staff were on hand to answer any questions.

In addition, the BSIA’s chief executive delivered a short presentation to all those involved.

The Big Issue (by Chris Pinder)

During times of recession, much is made of the potential for an increase in crime. One area in which the potential risk is high focuses on internal theft and fraud.

The end of May saw a high profile example of the threat of internal corruption in the form of a Royal chauffeur allegedly accepting a GB pound 1,000 bribe to show two undercover reporters around Buckingham Palace.

The chauffeur was accused of allowing the journalists – who posed as wealthy Middle-Eastern businessmen – inside without security checks, and showing them cars used by senior Royals. The chauffeur is said to have stood by as the reporters took photos of the vehicles and their number plates. The reporters claimed they were left alone with the fleet long enough to plant a bomb.

While this is an extreme example of employee dishonesty, all businesses should be considering the threat of internal theft and fraud as part of their risk assessments. Such a risk assessment should recognise that theft is often easier for employees to commit, as familiarity with administrative and security procedures can help to find and exploit loopholes.

Measures to address staff dishonesty

Many security managers believe that collusion between staff and customers poses a substantial risk because it reduces the risks of detection associated with ‘normal’ staff theft or shoplifting. The wide-ranging potential for staff dishonesty clearly needs to be addressed by comprehensive measures.

Staff vetting is important. At the pre-employment stage, follow up on references (particularly in relation to any unexplained gaps or sudden terminations of past employment). A sound and well understood disciplinary policy to deal with theft and fraud is essential.

Use common sense measures to reduce the opportunities – and temptations – for dishonesty. For example, make sure that at least two people lock up the premises at night, and ensure that any keys held by employees are marked ‘Do Not Duplicate.’

Be alert to warning signs. Common factors are frequently present in cases of staff theft, including employees who habitually violate rules or feel aggrieved towards the employer. Consider deterring theft by initiating a random search procedure for packages and bags when members of staff are leaving the premises.

Be clear on thorough investigations

In addition, make it clear that all incidents of theft will be thoroughly investigated, and include the possibility of covert surveillance.

Of course, the majority of staff are honest and would never dream of stealing from or defrauding their employer. However, for the minority of dishonest staff, these basic requirements make dishonesty more difficult, more risky and easier to investigate.

Together with a clear policy, that leaves employees in no doubt about what will happen if anyone is caught stealing. They protect the interests of employers and staff alike.

Chris Pinder is the BSIA’s Southern Regional General Manager

Exit mobile version