IMPORTANT: The silent risk lurking for your community transport services is the way you handle your passenger, driver and journey data.
This is no longer an issue that can be taken lightly, and if you do, you could face large fines from the ICO. It is also important to stress that this doesn’t just apply to electronic data but to data stored on paper too. There is now just over 1 month before the General Data Protection Regulation (GDPR) comes into effect. If you haven’t heard of this, you need to, and we’re not just saying this to get your attention!
Data protection is something which affects any business or organisation, no matter how large or small. As you will no doubt have heard, there has recently been an increase in incidents of hacking, data breaches and data theft, which shows just how much more important data security now is. If your organisation handles any personal information (names, addresses, dates of birth, driver credentials, ID etc.) then read on …
What is the Data Protection Act (DPA)?
The Data Protection Act was developed to give protection and lay down rules about how data about people can be used. The 1998 Act covers information or data stored on a computer or in an organised paper filing system about living people. The basic way it works is by setting up rules that people have to follow. All organisations in the UK must comply with the Data Protection Act (DPA), and any organisation in breach will face a serious penalty.
You Too Could Be in Breach of the DPA
On 12th February 2015, the Information Commissioner (ICO) was informed that a removable hard drive containing personal data had been taken home by a member of staff and that the employee had subsequently failed to return it. This removable hard drive contained a back-up of Community Transport Ltd’s customer database, containing 4,138 individual records. This also included some limited medical data.
The standard procedure at Community Transport Ltd at the time of the incident was for a member of staff to take the back-up tape home each day so that it could be stored offsite. On this occasion, the member of staff tasked with taking the back-up tape home unexpectedly failed to return to work. There is no explanation as to why they didn’t simply send someone to the house to retrieve it or, if the employee was incapacitated or unavailable, contact their next of kin.
The ICO’s investigation revealed a number of weaknesses in data protection, including the absence of a policy and training that would have covered this type of situation. The ICO also found that Community Transport was retaining data for longer than was necessary for its work and had no procedure or policy in place to address that, either. Finally, the ICO also found that data stored on portable devices was not being encrypted.
The good news is that a follow-up has been completed to provide assurance that Community Transport Ltd has appropriately addressed the actions agreed in its undertaking signed in July 2015.
Whilst we do not know the total fine value or the specific details, this case highlights the potential risks facing your operations if you don’t take data security seriously, implement the basic recommendations and follow through. It also saves you a lot of hassle if you do it right.
Data Protection Compliance is Not Just Applicable to Electronic Information Storage but Applies to Paper Records Too
Data protection breaches don’t just come from cloud or website attacks. One of the most common breaches comes from paper records being stolen, lost or left out in plain sight. Just think how many pieces of paper there are in the average office. How many folders are left out on desks or in unlocked cupboards overnight? Who has access to these paper records? Who takes them home, or leaves them in the car or on the train unwatched? All of these are serious concerns for any organisation and in particular for the chief information officer. Even if you leave just one piece of paper out on a desk with the details of a journey being requested by a passenger, you are in breach of the Data Protection Act.
Road XS Ensures You Operate in Compliance with the Data Protection Act and GDPR
There are a number of simple steps you can take to avoid risking a fine, and Road XS can ensure you meet Data Protection Act compliance from the outset and meet and exceed the forthcoming GDPR (see below) requirements by securing your data above industry standards. We do this by:
- Enabling Road XS to secure your sensitive and personal data and giving you full control over how long you need to store this data, based upon your organisation’s data protection and information security policies. It also encrypts the data as you use it, meaning it can’t be ‘sniffed’.
- Ensuring your data has fail-safe security and full auditing features. The risk of a data breach is removed.
- Ensuring you can operate in a paperless environment, meaning you don’t leave sensitive papers lying around.
- Ensuring access to Road XS is only possible via authorised logins, with each user having access only to the information they need to perform their role.
- Ensuring your data is backed up daily in a secure environment.
- Offering data collection opt-in and consent settings for your passengers and drivers within Road XS.
- Enabling you to be open and honest about the data which is held about subjects and to provide them with any information they request, using the simple search and profiling functions within the Road XS software.
- Ensuring that Road XS only retains the data and information required for you to operate your services.
- Ensuring that you can keep passenger and driver information up to date at all times. This is a key requirement of the Data Protection Act and not something easily manageable with an operation run via paper or spreadsheets.
- Ensuring that all your data is kept and accessed securely in our secure data centres, which meet ISO 27001 standards. Road XS can also be locked down to specific locations to extend data security.
- Ensuring data protection compliance without you even thinking about it, i.e. it is built into the software right from the start.
Times are changing, and quickly. Data security can no longer be treated as an afterthought. With the introduction of the General Data Protection Regulation on May 25th 2018, you need to start thinking now about how you handle and operate your services. The GDPR applies to how you handle sensitive information and personal data. Personal data includes addresses, telephone numbers and anything which can identify an individual: essentially, everything you need to operate your transport services. In May this year, Information Commissioner Elizabeth Denham told businesses there’s no time to delay in preparing for “the biggest change to data protection law for a generation”. (Find out more here.)
What is the General Data Protection Regulation (GDPR)?
Under the GDPR (coming May 25th 2018), the new data protection principles set out the main responsibilities for organisations. Despite Britain opting to leave the EU, the GDPR will still apply, so sadly it’s not a reason to ignore it.
The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement. The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data – these are specifically addressed in separate articles (see GDPR Chapter III and Chapter V respectively).
The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity. Road XS is the perfect solution to meet these requirements and means your move to handle the new GDPR requirements is hassle-free. We recommend downloading and reading our free guide ‘7 Concerning Challenges Facing Community Transport Providers’ – in here is much more detail on how the GDPR applies to your services. Click the book cover or link below: