I came into work earlier this week and was struck by the state of the desks. Each workstation resembled one of those fake rooms you see in Ikea or MFI except the computers were not made of cardboard – there was not a scrap of paper to be seen.
Why so? It wasn’t so I could write a blog with a particularly corny title but as a result of our clear desk policy, which has been in force for some time. The whole issue of data security is at the fore again as a result of HSBC getting heavily fined by the FSA for breaches in data security.
The posting out of unencrypted member data was a pretty dumb thing to do (but we’ve all done dumb things). However, what struck us most was the comment from the FSA “Confidential information about customers was also found left on open shelves or in unlocked cabinets …”.
Historically, the pensions industry has never been a tree’s best friend (let’s face it an industry with overarching legal governance and an obligation to communicate to individuals, often with accompanying statutory disclosures, is going to mean lots (and lots) of paper).
This, coupled with the questionably slow adoption of IT processes (which we have covered in other blog posts), means the desks of all but the most disciplined pensions professionals are encumbered to some degree by paper.
People are unlikely to put something away of an evening if they only have to get it out again the next morning. This isn’t a wilful and deliberate attempt to breach data security. It’s simply human nature.
Accepting this, the paper we surround ourselves with will, somewhere, potentially contain information that might be considered ‘personal’ and, however unlikely it is that the cleaner, the water delivery man or the photocopier engineer will rifle through your desk for names and National Insurance numbers, we are potentially failing in our obligations under the Data Protection Act.
The fining of HSBC has helped demonstrate to our staff that our clear desk policy is not so bureaucratic, nor just something cooked up to cause them a little bit of extra grief at the start and end of the day, and that we daily handle sensitive personal information with real consequences, for both the individual and us as a firm, should unauthorised disclosure occur.
We have re-emphasised to staff the need to think carefully about the data handling aspects of their job and the importance of complying with Company policy in this regard. I suspect we are not alone. We must not become blasé about our responsibilities.
We have also instigated a review to ensure our practices continue to be of the highest standard. I am certain we are not alone!
HSBC got pulled up as a result of a more serious misdemeanour, but I suggest that if the FSA were to walk into the offices of any consultancy they could find similar evidence of insecurely held personal data.
This creates a major management problem (particularly for compliance officers!). If they look round an office and are faced with a sea of paper, how can they be sure that somewhere in that sea there isn’t some personal information that should be safely under lock and key?
The answer is, of course, that they can’t. Implementing a genuine clear desk policy is the only way.
Spence & Partners have already taken a strategic corporate decision to go ‘paperless’. We are investing significantly in the development of a document management system and associated processes such that all document creation and storage will be electronic. We believe that this will result in even greater security for the data we hold.
Information security and disaster recovery were key drivers in our decision to proceed with our electronic document management project. Given the size of the fine levied on HSBC it looks like money well spent.
There can be no such thing as absolute security. Anyone with sufficient knowledge who wished to make a dedicated effort to breach our security, or indeed the Pentagon’s, would probably succeed eventually. All we can do is make it as difficult as possible for them.
Accidental disclosure is a different matter and we all need to be taking the necessary steps to manage this particular risk.