
Data Handling

This course will provide an overview of how data should be handled according to industry best
practices.

Introduction

Every organisation should have a clearly defined policy on how data and information are handled.

Having a confirmed and well-documented approach helps organisations and their employees to
ensure that all information is handled appropriately and securely.

It is important that you understand your company's data handling policy so as to reduce the risk of
the unauthorised disclosure of sensitive information.

Data Classification

Before a data handling policy is implemented, data and information first need to be categorised based
on their sensitivity. An example data classification scheme adopted by many organisations is as follows:

Public - e.g. publicly posted press release

Internal - e.g. work instructions, policies and procedures

Confidential - e.g. employee payroll information and customer records

Regulatory - e.g. payment card and health care data

These classifications enable organisations to provide guidance to their employees and business
partners on how information should be securely handled. They also help to reduce the risk of
unauthorised disclosure.

Data Handling

Any information should be handled and stored in accordance with its data classification.

For example, confidential paper-based records should be handled with care when inside the
organisation or when travelling. In this case, that means ensuring that they are not left in a
communal office area or left in a public place such as on a train. If the records are electronic, then
they should again be handled with care, but this may instead mean that they can only be handled
when in an encrypted state, and should only be sent to internal colleagues with a business ‘need to
know,’ such as the Finance Team.

Less stringent measures need to be taken with documents given a public data classification, such as a
press release, as this information is already in the public eye and therefore does not need the same
level of protection.

Data Storage

The correct storage of confidential paper-based records or electronic information is also important to
reduce the risk of unauthorised access. Secure storage could include storing paper-based records in a
locked cabinet or secure offsite storage facility.

Secure storage for electronic records could be achieved by an access-controlled computer application
with strong data encryption in place.

Any approach adopted should ensure that the information is appropriately secured and only
accessible by individuals or teams with a business ‘need to know.’

Data Exchange

When exchanging information, whether this be internally, with third-party partners or with
customers, it is important to ensure that you are transferring it securely, and this should be based
upon the classification of the information as defined by your organisation.

Always think before exchanging information!

For example, information that is classified as confidential or regulatory should not be shared via
social media or a non-secure email system.

If in doubt, speak with your manager or the ‘data owner.’

Data Retention

If your organisation holds personal data, it is good practice to establish standard retention periods
for different categories of information; again, this can be defined within a Data Retention Policy.

This should take account of any regulatory requirements that may apply, such as Healthcare- and
Finance-related Acts, which can dictate the requirements for data retention periods for specific
records.

For personal data that falls outside of any regulatory requirements, organisations should also refer to
the UK Data Protection Act, and if any records are not being used, you should consider whether they
need to be retained.

Data Disposal

When data is no longer required by an organisation, it needs to be disposed of securely to reduce the
risk of the unauthorised disclosure of sensitive information.

Confidential paper documents, for example, can be disposed of using a secure disposal service. This
is where locked ‘confidential waste’ bins are provided to an office or building and, when full,
collected and disposed of securely. This is usually performed by a secure shredding vehicle, and
afterwards, certificates of destruction can be provided as evidence that the waste was securely
destroyed.

If in electronic form, such as a computer hard drive, confidential information can be permanently
erased by using specialist software, or physically destroyed using a secure disposal service. In both
cases, certificates of destruction can be provided to organisations to evidence that the confidential
information was securely destroyed.

Conclusion

This module will hopefully have taught you about the importance of handling information
appropriately to reduce the risk of unauthorised disclosure.

It is important to understand your organisation's approach to handling information, whether this is in
relation to exchanging, storing, retention or disposal.

Remember, if in doubt – ask your Manager!

Having a confirmed and well-documented approach helps organisations and their employees to
ensure that all information is handled appropriately and securely. True or false?

True

Correct.

False

A well documented policy will help in this area.

Before you can create a data handling policy, what factor should you categorise your data on?

Sensitivity

This enables organisations to provide guidance to their employees and business partners on how
information should be securely handled.

Volume

Sensitivity. This enables organisations to provide guidance to their employees and business partners
on how information should be securely handled.

Density

Sensitivity. This enables organisations to provide guidance to their employees and business partners
on how information should be securely handled.

Integrity

Sensitivity. This enables organisations to provide guidance to their employees and business partners
on how information should be securely handled.

What step can you take with electronic data to ensure it cannot be compromised when being
handled?

Keep the data on a portable hard drive

Encrypting the data will ensure that even if it falls into the wrong hands it cannot be read.

Encrypt the data while handling

Encrypting the data will ensure that even if it falls into the wrong hands it cannot be read.

Run a virus scan on the data before handling

Encrypting the data will ensure that even if it falls into the wrong hands it cannot be read.

Carry in a secure bag or case

Encrypting the data will ensure that even if it falls into the wrong hands it cannot be read.

What should happen to data when it is no longer needed by the organisation?

Kept on the shared network if electronic

Disposing of the data securely will reduce the risk of the unauthorised disclosure of sensitive
information.

Store it in a secure cabinet on a portable drive

Disposing of the data securely will reduce the risk of the unauthorised disclosure of sensitive
information.

It should be disposed of securely

This will reduce the risk of the unauthorised disclosure of sensitive information.

Dispose of through standard waste channel

Disposing of the data securely will reduce the risk of the unauthorised disclosure of sensitive
information.

Healthcare- and Finance-related Acts have the potential to impact the time you should retain data.
True or false?

True

Due to the sensitivity of the data and the potential need for it in the future, yes it can.

False

Due to the sensitivity of the data and the potential need for it in the future, yes it can.
