Data Security and Personal Data
In our final piece examining data issues in the online survey industry as we count down to Brexit, we explore data security. Just as businesses are apprehensive about data collection issues, they are equally anxious about the systems and processes providers have in place to keep their data secure.
The biggest worry here is how this relates to personal data, essentially any data that unequivocally identifies an individual person. This could include any number of personal identifiers from a bank account, email address and mobile telephone number to an individual’s date of birth, vehicle licence number and many more examples of personal data. If any one or more of these identifiers were disclosed, it could allow another party to quickly build up a complete picture of that person and potentially cause them harm. As well as hurting an individual victim, this could also have legal compliance implications for both the organisation who originally collected this data and the provider managing it.
Given the ongoing and rapid technology advancements and the myriad of ways in which data is now accessible, data security and how it relates to personal data is only going to grow in importance. And for those operating in heavily regulated industries such as healthcare and finance, dealing with particularly sensitive information, which can include patient records and financial data, the security of personal data is even more critical.
Consequently, for anyone conducting online surveys such issues make it important to identify a quality provider who ensures your data security and compliance. In this short piece we’ll give you a taster of what to look out for in order to identify a best in class provider, who can offer you the highest levels of data security assurances.
As in our previous articles, before we begin it is important to point out that these answers represent the current opinions of our data collection expert and shouldn’t be construed in any way as offering actual legal advice.
a) Are there any industry accreditations I need to be aware of that will give me the assurance that a provider meets a required minimum quality standard?
Yes, there are, and among the best of these are ISO 27001, the internationally recognised standard for information security management systems (ISMS), and Cyber Essentials Plus, developed by the UK Government to prevent the most prevalent forms of cyber-attack.
ISO 27001 requires the systems of a company holding that certification to undergo systematic examination of any risks to information security and to have comprehensive policies in place to manage those risks. In order to retain their certification, the accredited company must be continually audited to prove that their clients' information is completely secure and that they are committed to providing an exceptional ongoing service.
Cyber Essentials Plus
Cyber Essentials Plus is another high-level certification standard, which in this instance is concerned with ensuring end-to-end security across systems, networks and data. Certified companies within the scheme need to undergo regular tests by a qualified and independent assessor who simulates basic hacking and phishing attacks.
To retain their accredited status, those holding certification must have robust security controls in place to protect against internet-based attacks in five key areas:
- Boundary firewalls and Internet gateways
- Access controls and administrative privilege management
- Patch management
- Malware protection
- Secure configuration
In addition, if you work in a heavily regulated industry there may be additional standards you need to be aware of and ensure your provider adheres to in order to maximise the security of your data. For example, given the sensitivities of patient data, NHS organisations can only work with other providers that comply with The Data Security and Protection Toolkit, which ensures they have a minimum quality standard of data protection and security in place to meet that industry’s requirements.
b) In addition to industry accreditations, are there any best practice features or processes I can look out for to help me identify a provider able to offer me some of the highest levels of data security assurances?
Yes, there are several best practice identifiers to look out for, which will demonstrate how seriously a provider takes your data security.
Best in class providers will typically incorporate higher level security steps to protect your data that include:
- Two-factor authentication: in the unlikely event that one of their devices was stolen, a two-step verification process would add an extra layer of security to their authentication process making it much harder for any attacker to gain access to critical information. Besides a knowledge authentication factor such as a password, additional information either in the form of a possession or an inherence authentication factor would be required.
Possession authentication factors are typically something that an authorised user carries such as an ID card, security token or mobile device, in contrast to inherence authentication factors, which depend on the physical attributes of that authorised user such as their fingerprint, facial or voice recognition.
- IP restrictions: in this scenario, a provider will set trusted IP address restrictions in a user's profile, so if that specified user, or any other unauthorised user, tried to gain access to the corporate network from an untrusted IP address, they would be immediately blocked.
- User permission settings: can help boost data security, as only certain job titles or levels of authorised staff will be able to gain access to certain areas of the network or data files containing particularly sensitive data.
- Audit or system logs: by establishing an operational audit trail, companies are better able to monitor data and keep track of and respond to any potential security breaches. This enhances the security of your data and is also good for compliance should the worst happen, as you would be able to provide a detailed audit trail in the event of any regulatory investigation.
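The four controls listed above can be illustrated together in one access decision. The following is an added example written for this piece, not code from the original article or from any survey provider: a login and authorisation check that enforces a per-user trusted network list, verifies a knowledge factor (password) and a possession factor (an RFC 6238 time-based one-time code, as generated by a typical authenticator app), applies deny-by-default role permissions, and writes every outcome to an audit trail. The user record, the 203.0.113.0/24 trusted network (a documentation range) and the role-to-permission table are constructed sample data; the TOTP secret is the RFC 6238 reference secret so the generated codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed sample data: a salt and a single user profile standing in for a
# provider's directory record. Nothing here comes from a real deployment.
PASSWORD_SALT = b"constructed-salt-for-example-only"


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash; stored instead of the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


# Secret from RFC 6238 Appendix B, base32-encoded as authenticator apps expect it.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

USERS = {
    "analyst": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": RFC6238_SECRET_B32,
        "trusted_networks": ["203.0.113.0/24"],  # constructed: TEST-NET-3 documentation range
        "role": "analyst",
    },
}

# Role -> permitted actions. Anything not listed is denied by default.
PERMISSIONS = {
    "analyst": {"read:responses"},
    "admin": {"read:responses", "export:responses", "read:pii"},
}

# In-memory audit trail; a real system would ship these entries to a log store.
AUDIT_LOG = []


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `at` (Unix seconds)."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def ip_trusted(source_ip: str, networks) -> bool:
    """True if the source address falls inside any of the user's trusted networks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def audit(event: str, **fields) -> dict:
    """Append one structured entry to the audit trail and return it."""
    entry = {"ts": fields.pop("ts", int(time.time())), "event": event, **fields}
    AUDIT_LOG.append(entry)
    return entry


def authorize(username, password, code, source_ip, action, now=None) -> bool:
    """Decide whether `username` may perform `action`; every outcome is audited."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        audit("login_failed", user=username, ip=source_ip, reason="unknown_user", ts=now)
        return False
    # 1. Network restriction: an untrusted source is blocked before any credential is examined.
    if not ip_trusted(source_ip, user["trusted_networks"]):
        audit("login_blocked", user=username, ip=source_ip, reason="untrusted_ip", ts=now)
        return False
    # 2. Knowledge factor, compared in constant time.
    if not hmac.compare_digest(hash_password(password), user["password_hash"]):
        audit("login_failed", user=username, ip=source_ip, reason="bad_password", ts=now)
        return False
    # 3. Possession factor: the code for the current 30-second step only.
    if not hmac.compare_digest(totp(user["totp_secret"], now), code):
        audit("login_failed", user=username, ip=source_ip, reason="bad_totp", ts=now)
        return False
    # 4. Role permission check, deny by default.
    if action not in PERMISSIONS.get(user["role"], set()):
        audit("access_denied", user=username, ip=source_ip, action=action, ts=now)
        return False
    audit("access_granted", user=username, ip=source_ip, action=action, ts=now)
    return True


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 reference secret yields code 287082.
    print(authorize("analyst", "correct horse battery staple", "287082", "203.0.113.10", "read:responses", now=59))
    print(authorize("analyst", "correct horse battery staple", "287082", "198.51.100.7", "read:responses", now=59))
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks matters for the audit trail: because the network test runs first, a request from an untrusted address is recorded as blocked without revealing whether the username or password was valid, and the log entries carry enough fields (user, source address, action, reason, timestamp) to reconstruct what happened during a later investigation.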
c) What about hosting? Should I be concerned about where my provider hosts my data? And if yes, what do I need to be aware of and how can I maximise the security of my data with regards to hosting?
The question of where your data is hosted is an important one, yet it is still something far too few companies spend enough time thinking about. What's crucial to point out is that while you may be working with a UK based provider, there is no guarantee that the data they host for you will be based in the UK. This matters because data hosted in different countries will be subject to different laws, which can have implications for the security of personal data.
Thanks to UK legislation, providers that host your data on UK based servers are required to provide adequate protection for all customer data they collect and store. This includes not transferring data outside of the UK without adequate protection.
This contrasts with working with a provider that hosts your data on servers located outside of the UK. Such a provider cannot give you the same assurances, as they will be subject to the laws of their host country, some of which provide less protection and allow a government to access the data. So if you had particularly sensitive data that you did not want a third party to access, it would be particularly unwise to partner with a provider that had this data hosting arrangement.
In keeping with all the other data security processes we have so far discussed, best in class providers will also ensure your data is hosted on UK based servers. In addition, it is also prudent to ask your provider about any third party data centre infrastructure they may use. Consider a data centre's Tier level standard and the accreditations it may hold. Data centres offering a minimum of Tier 3 standard facilities and holding accreditations that include ISO 27001 and PCI DSS certification can provide you with some of the highest data security assurances.
d) How important is the team dynamics of my provider to the security of my data? Does it really matter where in the world their team may be based?
Similarly to the data hosting question, the team dynamics of your provider may not seem important at first glance, but they could have implications for your data security if the teams managing that data were spread widely throughout the world and subject to different rules and ways of working.
For example, a UK company's British based workforce may have stringent policies in place for securing unattended workstations, but if their software development team based in India were not following the same policy as their UK based colleagues, this could potentially put your data at risk from that side of the business.
This contrasts with totally UK-based teams where there are no such concerns, as irrespective of the departments people work in, they will all be subject to the same rules concerning data security.
One additional issue to point out however concerns potential security issues that may arise as a result of any outsourced teams your UK based provider might be working with. For example, in a scenario where a support ticket was raised in the UK to explore an issue, even though your data may be hosted on UK servers, the issue may need to be resolved by a support team outside the EU, resulting in your data temporarily being transferred outside the EU and under a different jurisdiction. Therefore, it makes good business sense to find out as much as possible about your provider’s team dynamics including any outsourced providers they are working with.
As with our earlier pieces looking at other data issues including data collection and data protection, data security can be a concern. However, if you know what to look out for and what questions you need to ask your provider, you can help maximise the security of your personal data.
Disclaimer: This article post does not constitute legal advice, professional advice, technical advice nor does it guarantee compliance with any legislation including GDPR. It is only intended as background information to supplement your knowledge and awareness. We recommend you obtain the advice of a suitably qualified individual for guidance and ensuring compliance.