
An example for the need of Access Control and Governance

An article on ZDNet yesterday reported that the Scottish Borders Council was fined £250,000 for dumped pension records.

So what happened: the Scottish Borders Council hired a third party to digitize the pension records of former employees. Had everything gone well, the paper records would (hopefully) have been shredded after digitization. But it didn’t. The records were dumped in a recycling bin like old newspapers. A citizen found the documents and informed the police, who secured them and all the data they contained (according to the article, the records included salary and bank account data).

So in this case the Scottish Borders Council made major mistakes:

  1. It seems there was no agreement, or clause in the contract, on how the records would be kept or shredded after digitization. So no one within the Scottish Borders Council was checking whether and how the records were handled or destroyed.
  2. Even while passing the records to a third party, the Scottish Borders Council remains legally responsible under the Data Protection Act for all personal data contained in them. That would have required tracking of the records’ handling, digitization and shredding, or of handing them back to the Scottish Borders Council for a separate destruction process.

Both issues show the lack of Access Control and Governance over those records. There was no check whether the records still existed or had been destroyed. Given its responsibility under the Data Protection Act, the Scottish Borders Council would have needed at least certified proof of the data handling, of the digitization process, and of the records being handed back or shredded appropriately, instead of just dumped in a recycling bin. Within IT systems we would call that a complete audit trail, ideally combined with access recertification to ensure that it is still okay for someone to have access to something.
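As an added illustration (not from the original article), here is what the missing check looks like as an IT audit trail: a hash-chained custody log per paper record, and a query listing every record handed to the contractor that has no certified shredding or return event. Record ids, actor names and evidence references are constructed sample data.

```python
import hashlib
import json

# Dispositions that close custody of a record; each must carry evidence
# (a shredding certificate or a signed return receipt) to count.
TERMINAL = {"shredded", "returned"}

def append_event(trail, record_id, action, actor, evidence=""):
    """Append a custody event whose hash chains to the previous entry."""
    prev = trail[-1]["hash"] if trail else "0" * 64
    body = {"record": record_id, "action": action, "actor": actor,
            "evidence": evidence, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    trail.append({**body, "hash": digest})
    return trail

def verify_chain(trail):
    """Recompute every hash; False if any entry was altered or removed."""
    prev = "0" * 64
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def open_custody(trail):
    """Records handed over that lack a terminal event backed by evidence."""
    state = {}
    for e in trail:
        if e["action"] == "handed_over":
            state[e["record"]] = "open"
        elif e["action"] in TERMINAL and e["evidence"]:
            state[e["record"]] = "closed"
    return sorted(r for r, s in state.items() if s == "open")

def build_sample_trail():
    """Constructed sample: three records, one with an uncertified shredding."""
    t = []
    for rid in ("PR-001", "PR-002", "PR-003"):
        append_event(t, rid, "handed_over", "council_records_officer")
        append_event(t, rid, "digitized", "contractor")
    append_event(t, "PR-001", "shredded", "contractor", evidence="cert-0001")
    append_event(t, "PR-002", "returned", "council_records_officer", evidence="receipt-0002")
    append_event(t, "PR-003", "shredded", "contractor")  # no certificate: stays open
    return t
```

`open_custody(build_sample_trail())` reports `["PR-003"]`, the record whose destruction was claimed but never certified.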

So, given the potential exposure of personal data to identity fraud, £250,000 (currently a bit more than $400,000 or 310,000 €) makes those faults pretty expensive compared with the minimal cost of avoiding them.
