This course will provide an overview of how data should be handled according to industry best
practices.
Introduction
Every organisation should have a clearly defined policy on how data and information is handled.
Having a confirmed and well-documented approach helps organisations and their employees to
ensure that all information is handled appropriately and securely.
It is important that you understand your company's data handling policy so as to reduce the risk of
the unauthorised disclosure of sensitive information.
Data Classification
Before a data handling policy can be implemented, data and information first need to be categorised according to their sensitivity. An example data classification scheme adopted by many organisations is as follows:
These classifications enable organisations to give their employees and business partners clear guidance on how each category of information should be handled, and in doing so they reduce the risk of unauthorised disclosure.
Data Handling
Any information should be handled and stored in accordance with its data classification.
For example, confidential paper-based records should be handled with care both inside the organisation and when travelling. In practice, that means ensuring they are not left in a communal office area or in a public place such as on a train. If the records are electronic, they should again be handled with care, but here this may mean that they are only handled in an encrypted state and are only sent to internal colleagues with a business 'need to know', such as the Finance Team.
Less stringent measures are needed for documents with a public classification, such as a press release, since that information is already in the public domain and does not require the same level of protection.
Data Storage
The correct storage of confidential paper-based records or electronic information is also important to reduce the risk of unauthorised access. Secure storage for paper-based records could mean a locked cabinet or a secure offsite storage facility.
Secure storage for electronic records could be achieved with an access-controlled application that keeps the stored data strongly encrypted, so that access depends on both being authorised and holding the key.
Any approach adopted should ensure that the information is appropriately secured and only
accessible by individuals or teams with a business ‘need to know.’
Data Exchange
When exchanging information, whether this be internally, with third party partners or with
customers, it is important to ensure that you are transferring it securely, and this should be based
upon the classification of the information as defined by your organisation.
For example, information classified as confidential or regulatory should not be shared via social media or over an unsecured email system.
Data Retention
If your organisation holds personal data, it is good practice to establish standard retention periods for different categories of information; these can be defined within a Data Retention Policy.
This should take account of any regulatory requirements that may apply. Healthcare- and finance-related Acts, for example, can dictate the retention periods for specific records.
For personal data that falls outside any regulatory requirement, organisations should also refer to the UK Data Protection Act, and if records are no longer being used you should consider whether they need to be retained at all.
Data Disposal
When data is no longer required by an organisation, it needs to be disposed of securely to reduce the
risk of the unauthorised disclosure of sensitive information.
Confidential paper documents, for example, can be disposed of using a secure disposal service. Locked 'confidential waste' bins are provided to an office or building and, when full, are collected and disposed of securely, usually by a secure shredding vehicle. Afterwards, certificates of destruction can be provided as evidence that the waste was securely destroyed.
If the information is in electronic form, for example on a computer hard drive, it can be permanently erased using specialist software, or the device can be physically destroyed by a secure disposal service. Note that software overwriting is only dependable for conventional magnetic disks; solid-state drives and other flash media remap blocks internally, so for those use the drive's built-in secure erase or cryptographic erase function, or physical destruction. In both cases, certificates of destruction can be provided to the organisation to evidence that the confidential information was securely destroyed.
Conclusion
This module has covered the importance of handling information appropriately throughout its life, from classification and storage through exchange, retention and disposal, in order to reduce the risk of unauthorised disclosure.
Knowledge Check
1. Having a confirmed and well-documented approach helps organisations and their employees to ensure that all information is handled appropriately and securely. True or false?
True
False
Answer: True.
2. Before you can create a data handling policy, what factor should you categorise your data on?
Sensitivity
Volume
Density
Integrity
Answer: Sensitivity. This enables organisations to provide guidance to their employees and business partners on how information should be securely handled.
3. What step can you take with electronic data to ensure it cannot be compromised when being handled?
Answer: Encrypt the data. Encrypting the data ensures that even if it falls into the wrong hands it cannot be read without the key. Disposing of data securely reduces the risk of unauthorised disclosure once the data is no longer required, but it does not protect data that is still being handled.
4. Healthcare and Finance related Acts have the potential to impact the time you should retain data. True or false?
True
False
Answer: True. Due to the sensitivity of the data and the potential need for it in the future, such legislation can dictate retention periods for specific records.