Data Protection Archives | The Hub | High Speed Training
https://www.highspeedtraining.co.uk/hub/tag/data-protection/
Welcome to the Hub, the company blog from High Speed Training. Wed, 18 Oct 2023 08:39:19 +0000

Cyber Security in Food & Drink Manufacturing: BRCGS Standards
https://www.highspeedtraining.co.uk/hub/cyber-security-in-food-drink-manufacturing/
Fri, 09 Apr 2021 08:30:00 +0000

The threat of a cyber attack is very much a real prospect for food and drink manufacturers. We cover the cyber security threats and the BRCGS standards here.

The post Cyber Security in Food & Drink Manufacturing: BRCGS Standards appeared first on The Hub | High Speed Training.
Cyber attacks and data breaches threaten the business structure, reputation, safety and profitability of the global food supply chain. As such, cyber security measures must be fit to withstand threats from hackers. The Food, Drink and Hospitality sector invests the least amount in cyber security, even though for businesses following BRCGS standards, cyber security measures are mandatory. In 2019, the average investment in cyber security for the Food & Hospitality sector was only £1,080.

With such low investment, the threat of a cyber attack is very much a real prospect for food and drink manufacturers. This article will cover the cyber security threats to manufacturers and why cyber security is so important, outline the cyber security clauses in Issue 8 of the BRCGS standards, and suggest how manufacturers might avoid potential risks.




What are the Cyber Security Threats to Food & Drink Manufacturers?

The most common cyber security threats and different types of security risks to an organisation are:

Malware

There are four main types of malware: viruses, worms, Trojans and ransomware. Each of these cyber security threats attacks your device in a different way.

The attacker can install the malware onto your device using a variety of methods, all of which rely on software being downloaded.

Viruses prevent the computer from running efficiently and can result in corrupted files. In some cases, viruses allow the criminals access to your computer by creating a ‘back door’.

Worms can duplicate themselves like clones and can deplete system resources. Worms can also allow attackers to steal data by creating a ‘back door’ into your computer.

Trojans are hidden in seemingly legitimate software, such as a screensaver or an app, so that people are misled into downloading the malware. Once the Trojan has been downloaded, the malware provides the attacker with access to your device. The attackers will then have access to your computer and will be able to copy your files, delete information, monitor what you are doing, and spread other malware.

Ransomware is malware which makes your files inaccessible until payment is given for their release or decryption. In 2017, the NHS were the victim of a ransomware attack which caused widespread disruption to the service nationwide. The ransomware attack was not targeted and affected organisations globally.


Phishing

Phishing is the most common type of cyber attack in the UK. Phishing refers to any attempt made by criminals to obtain personal details or information which can then be exploited. Phishing emails appear to be from a trustworthy company or person and deceive people into sharing their confidential information.

Phishing is a social engineering tactic because it exploits human weakness by manipulating people. It is used by cyber attackers because it’s an easy way of targeting large groups of people, with a high success rate.

Social engineering is using human interaction to carry out a cyber attack. It uses psychological manipulation to deceive individuals into making security mistakes or handing over sensitive information. Social engineering tactics often have multiple steps to the attack, using identity theft or impersonation to retrieve the confidential information.

Spear phishing is a type of phishing attack that is directed at specific organisations or individuals. The content of the email is personalised to make it appear as though it is from someone you know and trust.

In 2020, there was a coordinated hack of several Twitter accounts belonging to well-known public figures, including Barack Obama, Elon Musk, Joe Biden and Jeff Bezos. The attackers gained access to internal systems, and by extension the accounts, through social engineering tactics targeted at internal employees.


Identity Theft

Identity theft is defined as the theft of your personal details. Identity theft becomes identity fraud when stolen details are used to commit fraud. Criminals may use your identity details to open bank accounts or credit cards, apply for loans or to gain control of your existing accounts.


Other less well known cyber security threats are:

Denial of Service (DoS)

Denial of Service attacks overload servers or networks, making them crash and leaving the system vulnerable, as it can no longer process requests.

Man-in-the-Middle (MitM)

Unsecured public Wi-Fi may be compromised if the hacker is able to insert themselves between a victim’s device and the network. Man-in-the-Middle attacks obtain personal information by intercepting online or telephone communication. The attacker is then able to copy all of the victim’s data.

Structured Query Language Injection (SQL Injection)

A SQL injection attack is when malicious code is entered into an input field and used to obtain, delete or modify private information held on a server. Internet service provider TalkTalk was fined £400,000 over a SQL hack in 2015 that resulted in the personal information of over 157,000 customers being accessed by attackers.

Cross-Site Scripting (XSS)

These attacks inject malicious scripts into legitimate websites. They are often found in web applications, such as online retail sites. The user’s browser cannot tell that the webpage has been tampered with and executes the script. The malicious script can then access any cookies or other sensitive information that is held by the browser. This would allow the attacker to log in as a user once the credentials have been stolen. They will also be able to edit the website and add in their own advertisements, phishing links, or malware.



Why is Cyber Security Important for Food Businesses?

The food sector has not yet been the target of a high-profile cyber attack, and this has resulted in the sector becoming complacent.

Smaller food business operators, for example, believe that they are at less risk of a cyber attack even though they receive the same number of malicious emails.

Breaches in cyber security have the potential to affect any part of the supply chain as businesses accelerate digital operations. Attacks aim to disrupt operations and threaten the safety, profitability and reputation of organisations. Ransomware has the potential to halt entire food supply chains with no guarantee of files becoming accessible on payment.

Several other methods of cyber attacks could be used to gain access to systems and steal customer data. This would compromise customer trust and open your customers up to identity fraud.

Criminals wanting to tamper with the food product could access the systems in place to control CCPs (Critical Control Points), resulting in harm to human health. If this occurs without detection, it would result in additional costs to the food business operator through product recalls.

Smaller businesses with legacy systems such as Windows XP pose greater security risks, as the code is no longer being maintained with security updates. An ‘if it’s not broken, don’t fix it’ approach could end up costing food business operators more in the long run, both in trust and in monetary value.

An IT department is often responsible for the cyber security measures of a business; however, all employees should be responsible for and have an awareness of cyber security.


Examples of Security Breaches

JJ Foodservice have recently increased their online security by requiring a unique purchase order ID and PIN code following a case of identity fraud. ASDA, Iceland and Brakes were also affected by impersonation.

In 2016, the American food chain Wendy’s reported a cyber attack in which over 1,000 customers’ card details were stolen. The cyber criminals used malware to gain access to its internal systems.



BRCGS Cyber Security Standards

Issue 8 of the BRCGS Food Safety Standard introduced cyber security requirements as part of food defence. The introduction of these requirements in 2018 may have required food business operators to implement additional measures and controls in order to fulfil the standards. 

For more information on who the BRCGS are and what they do, read ‘Our Guide to Understanding BRCGS’.

The clauses which require cyber security controls are:

3.2.1. Document Control & 3.3.1. Record Completion and Maintenance 

Documents stored electronically must be stored securely with authorised access, control of amendments or password protection. Files should also be backed up to prevent loss.

3.11.1 Management of Incidents, Product Withdrawal and Product Recall

Procedures must be in place to report and manage situations which impact food safety, legality or quality including cyber security failures and attacks.

6.1.2. Control of Operations

Where possible, controls critical to food safety should be password protected or otherwise restricted.



How Do I Meet the BRCGS Standards in Manufacturing?

Cyber security falls under TACCP (Threat Analysis Critical Control Point), or is sometimes categorised on its own as CHACCP (Cyber Hazard Analysis Critical Control Point). A risk assessment of threats to food safety looks at those with the intent to cause harm.

It could also be considered part of VACCP (Vulnerability Analysis Critical Control Point) for cyber attacks that are not intended to cause harm but could do so if production is halted. A total food safety culture includes cyber security. TACCP and VACCP assessments often encompass more areas and individuals than a HACCP (Hazard Analysis Critical Control Point) plan, as they also cover cyber security in manufacturing and employees.

Cyber security threats can be risk assessed and managed through awareness and a cyber security culture within a business, not just left to the IT department. Employees with access to internal systems should be aware of:

  • Clicking on an unsafe link or attachment in an email and unknowingly downloading malware.
  • Clicking on links on a website which then download malware.
  • Malware in fake copies of normal software, for example, pirated copies of Microsoft Office.
  • Ensuring the Wi-Fi is secure when working away from the office or using a VPN when using an unsecured public Wi-Fi network.
  • Frequently changing passwords and using strong (not easy to guess) passwords. 
  • Not leaving a computer or laptop unattended, especially when unlocked.
  • Updating software to the latest version, ensuring the computer has the latest security patches.

To ensure cyber security in manufacturing, make sure all documents are stored securely, backed up and password protected where possible.

To meet standard 3.11.1, implement a whistleblowing policy and a policy to report cyber security attacks which could impact the safety of food. You should also review the cyber security measures on CCP equipment and ensure it is password protected where possible.



Complete a risk assessment of your current cyber security measures and implement a continuous improvement approach instead of an ‘if it’s not broken, don’t fix it’ mindset. Cyber security threats should be managed by every employee, so consider training staff on safe practices and the consequences of not being cyber security aware.


Data Protection in Schools – Guidance for the Education Sector
https://www.highspeedtraining.co.uk/hub/data-protection-in-schools/
Tue, 02 Oct 2018 09:05:10 +0000

The Data Protection Act 2018 is designed to protect the privacy of individuals in regards to how their personal information is processed.
This article has been updated to reflect GDPR 2018 and the revised Data Protection Act of 2018.

The Data Protection Act is designed to protect the privacy of individuals. It requires any personal information about an individual to be processed securely and confidentially.

In a school setting, this includes information relating to both staff and pupils. If you must obtain, store, share, or use their personal data, it’s crucial that you do so securely, as personal data is sensitive and private. Everyone, adults and children alike, has the right to know how the information held about them is used and to feel confident that your school is protecting it.


Data Protection Guide

This guide provides you with an overview of everyone’s responsibilities under the Data Protection Act if you work in education. It is vital for you to understand your legal responsibilities under data protection law, as everyone working in the education sector has a duty to ensure their school complies.



What is Personal Information?

Personal information is anything relating to a person that identifies them. This includes both physical records and digital records.

In a school, examples of personal information include:

  • Names of staff and pupils.
  • Dates of birth.
  • Photographs of staff and pupils that are clearly linked to their identity or other personal information about them.
  • Addresses.
  • National insurance numbers.
  • Financial information, such as bank details and tax status.
  • Recruitment data.
  • Attendance and behavioural information.
  • Safeguarding information, including SEN assessments and data.
  • School work and marks.
  • Medical information, such as medical conditions and GP names.
  • Exam results.
  • Staff development reviews.



Registering with the ICO

Under the Data Protection Act, all data controllers must notify the Information Commissioner’s Office (ICO) about how they process personal information. Each individual school is a data controller and so must register with the ICO. Failure to do so is a criminal offence.

Registration is done via a simple online form. It must be signed and sent to the ICO along with the annual fee. To access the registration form, go to the ICO’s website.

During the registration process, and annually from then on, schools must notify the ICO of:

  • The purpose for which the school holds personal data.
  • What data it holds.
  • The source of that data.
  • To whom it intends to disclose the data.
  • To which countries it intends to transfer the data.


Once you’ve registered, the ICO publishes certain details in the register of data controllers, which are available to the public.



Fair Processing and Privacy Notices

When you collect information about a child, parent or staff member, you must be clear and transparent about how you intend to use it.

Schools need to explain in clear language how and why they will process personal data of everyone in the school (both staff and students). For example, to facilitate education or to arrange school trips.

In order to do this and comply with the Data Protection Act Principles, schools must have privacy notices in place. The aim of a privacy notice is to summarise what information the school needs, why they are collecting it, and which third parties they may pass it onto. The person whom the information is about must give their explicit consent in order for you to hold it.

Different schools, such as primary versus secondary, will inevitably have different data requirements. Therefore, each school will need to create an individual privacy notice that covers the processing activities specific to their school.

However, all privacy notices should cover these key areas:

  • Your identity and, if you are not based in the UK, the identity of your nominated UK representative.
  • The purpose or purposes for which you intend to process the information.
  • Information on how you will collect personal data.
  • Details of how you will keep data up-to-date.
  • Details of what to do with confidential waste.
  • Information on what your school expects from staff who work with personal data.
  • Details on the use of security systems, such as computer passwords and firewalls.
  • Where necessary, how personal data is encrypted when held electronically.
  • Who is a ‘trusted’ third party.
  • Procedures for what to do if personal data is lost or stolen.
  • The rules for sharing or transferring data outside of the organisation.
  • Any extra information you need to give individuals in the circumstances to enable you to process the information fairly.

Your school should include the notice in any enrolment documentation and on the bottom of any forms used to collect personal information. It should also be readily accessible on the school’s website. To emphasise transparency and build trust early on, you could also consider sending out a copy of your privacy notice to students and their parents at the start of each school year.

To help you write a privacy notice, take a look at the ICO’s website.



The Key Data Protection Principles

In order to protect data subjects’ personal information, data protection law (as amended by GDPR) requires all data controllers to follow several key principles:

  • Fair, lawful, and transparent processing.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Data retention periods.
  • Data security.
  • Accountability.

The information provided throughout this guide helps you comply with all of these principles.





Information Security Measures

Once your school acquires personal information about students, parents and teachers, it must keep this data secure. Unauthorised access or loss of information can cause serious harm to people. The ICO can issue fines if they learn that appropriate safety precautions are not being taken, and the maximum fine a business may face for non-compliance is up to £17 million or 4% of their global turnover (whichever is higher).

Both manual and digital records need to be secure. The level of security should reflect the potential harm that could result from the loss or misuse of the data. Furthermore, procedures should be in place to respond to any security breaches.

Not all security measures need to be complicated: sometimes just a simple check-in and check-out system can help reduce risks.

Possible security measures for data protection include:

  • Shredding all confidential waste.
  • Using strong passwords.
  • Installing a firewall and virus checker on your computers.
  • Encrypting any personal information held electronically.
  • Disabling any ‘auto-complete’ settings.
  • Holding telephone calls in private areas.
  • Limiting access, i.e. only those who absolutely need to access the data should be able to do so.
  • Checking the security of storage systems.
  • Keeping devices under lock and key when not in use.
  • Not leaving papers and devices lying around.


Memory sticks in particular need serious consideration as they are very easy to lose. You should either avoid the use of memory sticks completely or ensure they are password protected and fully encrypted. Furthermore, you must ensure that hard drives are erased securely if you are physically disposing of them. Your school may need to seek technical support as simply erasing the data or formatting the drive might prove insufficient.



Student Subject Access Requests

A student, or someone acting on their behalf, has the right to make a request to see any personal data their school holds about them and why.

Parents are only entitled to access the personal information held about their child if the child is unable to act on their own behalf, or if the child has given consent to their parent. Even if the child is young, the personal data being held is still their personal data. It doesn’t belong to anyone else, including their parents or guardian.

Before responding to an access request for information, you need to consider whether the child is mature enough to understand their rights. If they are, then your response to the request should go to the child, not their parent.

Parents, however, do have the right to see their child’s educational records. A subject access request needs to be made in writing, whether it’s a letter, email or social media message. You may wish to consider creating a standard form for people to fill in.

You can learn more about subject access requests on the ICO’s website.



Sharing Personal Information

There are occasions where sharing personal data with local authorities, other schools, different departments or social services cannot be avoided. It may be that without sharing the data, actions cannot be completed.

For example, you may need to pass on details about a child showing signs of harm to social services, or another school may need to know which pupils will be present at their sports day event.

You must consider all the legal implications and ensure that you have the ability to share the specified data. For example, what is the intention behind sharing? Who requires the data, which data is needed and what will it be used for?

Consent must be given by the individual before their personal information can be shared. This is usually part of the privacy notice issued when the data is first collected. This applies whether you are sharing data between people or online, such as photographs on the school’s Facebook page.

Letters sent from schools to parents should have a data protection statement at the bottom where relevant, for example if a reply slip is included that requires personal data to be provided.

Data should only be transferred to other countries if they have suitable or equivalent security measures.

Your school should obtain explicit consent from the individual if personal data needs to be processed outside of the UK. If the school cannot establish a safe system of data protection with another country, they should not even consider sharing the personal data.



Special Category Data

This refers to information about more sensitive topics. For example, a person’s race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.

There are greater legal restrictions on special category data than regular personal data. Most schools will hold some form of sensitive data about pupils and staff, so processing this requires extra care.



Holding Data and Keeping it Up to Date

During the time when you hold data about a person, and for as long as it is being used, it must be monitored for accuracy. It’s essential that you ensure it remains relevant and accurate.

Carry out an information audit at least annually.

To carry out an audit, you should:

  • Write a letter at the start of each school year asking parents and students to check that their details are correct. This also helps prevent emergency risks, e.g. if an old address or phone number is on record.
  • Check that ‘live’ files are accurate and up to date.
  • Any time you become aware that information needs amending, do so immediately.
  • Any personal data that is out of date or no longer needed should be ‘destroyed’. This may involve shredding documents or deleting computer files securely so that they cannot be retrieved.
  • Schools must follow the disposal of records schedule. This schedule states how long certain types of personal data can be held for until it must be destroyed. Some stipulations are legal obligations while others are best practice.

You are violating the Data Protection Act if you keep any data for longer than it is needed.

Schools must not acquire data and process it in any manner that doesn’t relate to the intended purpose. For example: data acquired about students for assessments can’t then be used on the school’s website.

Determining what may be excessive includes looking at forms and deciding what information is absolutely critical for the intended purpose. Anything else may be considered excessive and irrelevant, and must not be collected.



Publishing Exam Results

The Data Protection Act does not stop schools from publishing exam results online or in the local press. However, if you intend to do so, you must act fairly. For example, will the results be published in alphabetical order or in grade order? The latter can be quite controversial. You must inform students first that their results will be published and how the information will be displayed, so they have the opportunity to voice any concerns and withdraw their result from the list if desired.


Students also have the right to make a subject access request to see a breakdown of their marks and the markers’ comments. These should be provided if called upon. However, information comprising the answers written by a candidate during an exam cannot be provided. This means a subject access request cannot be used to obtain a copy of the student’s completed exam script.

Learn more about publishing exam results on the ICO’s website.



Taking Photos in Schools

When is consent needed or not needed for photos?

  • Personal use: parents photographing and/or videoing the school play. Consent is not needed.
  • Official school use: photos or videos taken for use in the school prospectus and on the website. Consent is needed from the person being videoed or photographed.
  • Media use: photos taken for a newspaper article. Consent is needed from the person being videoed or photographed.

If an image of a student is used, their name must not accompany it and vice versa.

The ICO provides further guidance on taking photos at school.



Data Protection Policies and Training

The aim of a data protection policy is to help staff understand how to safely and fairly process personal information.

The policy should include practical guidance on what can and cannot be done with data. Furthermore, it should be communicated to employees regularly. It’s important that all staff receive guidance on the confidentiality of personal information.

The policy will stipulate how individuals can use the internet and email for private communications securely. It should also cover issues of security when the school’s intranet is accessed from outside of the school grounds via a phone or tablet etc.

A use policy should cover the following:

  • Email. Is homework or other personal data shared between students and staff via email? Can it be done securely? Can you avoid emailing parents sensitive data? When sending bulk emails, are staff using the BCC function to protect potentially hundreds of parents’ emails?
  • Chat rooms. Students should only have access to chat rooms that are educational in nature and closely moderated. As part of e-safety education, students should understand the importance of never giving out personal data that would identify them or others over chat.
  • Mobile technology. The use policy should explain how people can use mobiles securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
  • School websites. Your website should have a clear, detailed privacy statement that states how your school intends to use the information they acquire about data subjects and how they’ll process it securely.



Preventing Data Security Breaches in Schools

Schools must prevent breaches of data through the internet, intranet, and email systems.

Therefore, your school should consider the following: 

  • Does the school have a Data Protection Policy in place?
  • Does the school have a Use Policy in place?
  • Is the use of the internet, email, and/or chat rooms monitored and regulated in some way?
  • Are filtering systems used to prevent access to inappropriate materials and sites on the internet and network?
  • Is there a reporting procedure in place for accidental access to inappropriate materials or sites?
  • Is internet safety taught as part of the curriculum?
  • Does the school follow safe practices when publishing images and names of students on their website?
  • Is information sent to parents via email?


Indicators of inadequate data protection practices include a lack of e-safety education across the curriculum, no internet filtering or monitoring, and students being unaware of how to report problems.



People Responsible for Data Protection in Schools

Ultimately, everyone has a responsibility for ensuring data is processed securely in a school. Staff and even students who handle personal data need to prevent it from coming into the possession of anyone who hasn’t been given permission to view or process it. However, your school should have designated individuals who are educated on data protection and who implement and uphold systems and policies.

More specifically, your school must have a designated Data Protection Officer (DPO). All public authorities are required to appoint a DPO by law, but even private schools should have one in place.

Data Protection Officers

The Data Protection Officer in your school is responsible for monitoring internal compliance and helping to establish policies and procedures. They should understand common information risks and the school’s strategies for combating said risks.

More specifically, DPOs can help businesses to:

  • Know what personal information your school holds and for what purpose.
  • Develop the school’s data protection policy.
  • Arrange training for and offer advice to staff.
  • Be aware of and monitor who has access to personal data and why.
  • Establish best practice guidance for data processors and anyone in the school that handles data.
  • Maintain a log of access requests made to the school.
  • Process and respond to all requests for information, correction or erasure.
  • Monitor the use of removable media, i.e. USB and external hard drives.
  • Fulfil any duties that the ICO requires of the school, such as renewing your data protection licence.
  • Establish and oversee physical and digital security measures.
  • Ensure that everyone processes data securely, including when they must destroy it.
  • Ensure that third parties have appropriate data protection measures.



Data Processors and Data Controllers

Data Processors and Data Controllers must liaise.

The school may give some degree of responsibility to an individual or third party for data protection. This individual is known as the data processor. A written contract should be made, which requires the processor to implement appropriate security measures for protecting any personal data processed.

However, the data controller is still responsible for data protection under the Data Protection Act. The data processor is purely acting on their behalf. This is why data controllers must have methods for ensuring that the data processor is consistently complying, for example by requesting regular written updates about security measures or by carrying out full audits (e.g. visiting the premises).

How to Apply for a Data Protection Licence
https://www.highspeedtraining.co.uk/hub/data-protection-licence-application/
Wed, 12 Sep 2018 11:38:27 +0000

The data protection licence helps you make sure that you comply with the relevant legal obligations. Read our 2018 guide to registering for the licence.

The post How to Apply for a Data Protection Licence appeared first on The Hub | High Speed Training.
This article was last updated in line with the Data Protection Act & the GDPR in 2018.

Who needs a Data Protection Licence?

The Data Protection Act 2018 requires all data controllers to register with the Information Commissioner’s Office (ICO). They must apply for a data protection licence and renew their registration annually.

A data controller is any individual or organisation that processes personal information, including sole traders, limited companies, and MPs. If this definition applies to you, you’ll need to register.

Not sure if you need a DPA licence? The ICO website has a self-assessment tool that you can use.



Notification to the ICO

Notification is a statutory requirement. Every individual or organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence.

To notify the ICO, you must provide them with details about how and why you process personal information. The ICO then publishes certain details in the register of data controllers, which is available to the public for inspection.

You can search the data protection licence register online here.


How Do I Get a Data Protection Licence?

You can complete your Data Protection Act registration via a simple online form, which you must fully complete. This involves providing details on your organisation, the types of data that you process, the number of employees in your business, and your turnover. You might need to add details of your Data Protection Officer during this process too.

Make sure you have your payment details ready to pay the annual data protection fee.




Need a Course?

Our Data Protection Training Course is designed to help businesses and individuals comply with the essential principles of the UK’s Data Protection Act and the EU’s General Data Protection Regulation (GDPR).

You may also be interested in: Key Principles of the Data Protection Act 2018


Data Protection Licence Fee

The fee for registration depends on the size and turnover of your business. The ICO will determine which of three payment tiers you fit into, which were introduced as part of GDPR. The tiers range from £40 to £2,900, but most organisations will only need to pay £40 or £60.

The three tiers of data protection fees are: 

  • Tier 1: micro organisations. This tier applies to businesses with a maximum turnover of £632,000 for the financial year or no more than 10 employees. If this tier applies to you, you must pay £40.
  • Tier 2: small and medium organisations. This tier applies to businesses with a maximum turnover of £36 million for their financial year or no more than 250 employees. If this tier applies to you, you must pay £60.
  • Tier 3: large organisations. This tier applies to any businesses that do not meet the criteria for the first two tiers. They must pay £2,900 for the licence fee.

There is no VAT required for a DPA licence. Furthermore, charities and small occupational pension schemes will only need to pay £40, regardless of their size and turnover.

If you’re unsure about which tier you fit into, you can take the ICO’s assessment online.


Data Protection Licence Renewal

You must renew your data protection licence annually. To do this, you’ll need your order and registration reference, and payment details to repay the fee to the ICO. Your business will receive a reminder six weeks before the renewal fee is due.

Be sure not to ignore this reminder, as renewal is absolutely crucial for ensuring you carry out data handling activities legally and securely.


Data Protection in Schools: How to Comply With The Data Protection Act 2018
https://www.highspeedtraining.co.uk/hub/data-protection-act-compliance-schools/
Tue, 04 Sep 2018 13:20:25 +0000

Our free, comprehensive guide will give your school all the essential information you need to know about complying with the UK Data Protection Act.

The post Data Protection in Schools: How to Comply With The Data Protection Act 2018 appeared first on The Hub | High Speed Training.
Any organisation that handles personal information must comply with the Data Protection Act 2018 (as amended in accordance with GDPR). However, some organisations have greater data protection risks than others, and this is particularly the case in schools. They must handle personal data about staff and students securely and confidentially, which requires them to implement robust systems and management strategies.

You must know how to help your school fulfil these data protection requirements, so everyone’s personal information is acquired and held securely at all times. This guide will help you understand what duties you should fulfil to uphold data protection in your school.




Summary of The Data Protection Act in Schools

Schools are often filled with hundreds of people. This means your school will likely process a significant amount of personal data about both students and staff, and may regularly share this information with third parties. As a result, data protection in schools can prove especially difficult. However, the Act’s guidance is clear-cut for data controllers and you must adhere to it.

The Act requires schools to: 

  • Keep personal information safe and secure.
  • Protect personal information from misuse.
  • Process data securely and confidentially.
  • Ensure that all the information they hold about data subjects is accurate.
  • Only collect and hold data for its intended purpose.
  • Give data subjects control over the use of their personal data.
  • Ensure that third parties with whom they share data also process data securely.


Personal information refers to both facts and opinions about a person, whether your school collects it automatically online, holds it electronically on computers, or has hard copies of data in folders and filing cabinets.

Processing data refers to anything you do with a person’s data, including collecting, storing, editing, retrieving, using, disclosing, archiving, and destroying it.

Any data controllers that breach the Data Protection Act, including schools, could receive a significant fine and may suffer other consequences, such as a damaged reputation. The maximum fine a business may face for non-compliance is up to £17 million or 4% of their global turnover (whichever is higher).

Your school can easily avoid these negative legal consequences by having sufficient procedures in place and ensuring everyone fulfils their duties. These are set out in the Act’s key data protection principles.


Need a Course?

Our Data Protection for Schools Course explains what your responsibilities are under the UK data protection law and the EU GDPR, and will help you understand the steps you should take to ensure that your school’s data processing activities are secure and legally compliant.



The Key Data Protection Principles

In order to protect data subjects’ personal information, data protection law (as amended by GDPR) requires all data controllers to follow these key principles:

  • Fair, lawful, and transparent processing.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Data retention periods.
  • Data security.
  • Accountability.

Let’s examine how each of these applies to school settings:


1. Fair, lawful, and transparent processing. 

Under this principle, schools must explain how they plan to process any personal data that they acquire from individuals. This refers to data about both staff and students, and anyone else whose personal information your school processes.

Your school must have a data privacy notice or policy, and terms and conditions, that clearly explain how it will use any data it receives about a person. This information must be clearly visible to a person at the point when you’re acquiring their data.

For example, if you share a consent form with a student and their parents about a school trip, you should have a statement on it about what their personal information is needed for, what the school intends to use it for, and whom it may be shared with.

Children over 13 should have the opportunity to give consent regarding data protection, but should receive parental input where needed.


2. Purpose limitation.

Schools must not acquire, hold, or process data in any manner that doesn’t relate to its original intended purpose. For example, you can’t take the data you acquired about students for assessments and then use it on your website. Furthermore, you can’t gather data about people on a ‘just in case’ basis. You must have a legitimate reason for obtaining and processing it, and be able to show evidence of this.


3. Data minimisation.

Your school must minimise the amount of personal data it holds, which connects closely to the previous principle. Data must be adequate, relevant, and limited to what is necessary. This means you must decide what information is absolutely critical for the intended purpose and not collect any further data.

When the data you’ve collected has fulfilled its purpose and you no longer need it, you must securely destroy it. The only exception to this is if you must hold it for legal purposes, such as bookkeeping records.


4. Accuracy.

Your school should carry out regular audits of the personal data it holds to ensure it always remains up to date. This is essential for ensuring the school doesn’t process data that does not accurately represent the data subject. It also helps to prevent emergency risks. For example, if an out-of-date address or phone number is on record, this can delay emergency actions.

Furthermore, if a member of staff or a student (or their representative) notifies you of a change relating to their personal data, you must update it as soon as possible. This requirement also applies to any third parties with whom you share personal data, such as payroll companies or external exam bodies. Your school must have a system in place for ensuring these third parties can easily correct data where necessary.


5. Data retention periods.

Your school must not hold onto data for longer than is necessary. Once you no longer need it, you must securely destroy it. The disposal of records schedule published by the Department of Education can offer useful guidelines for when you should destroy certain records. Some stipulations are legal obligations while others are best practice, so you should familiarise yourself with them. However, it is still down to your school’s discretion, based on the purpose for which you acquired the data, to decide how long you need to hold onto it.

You should also be aware that data subjects have the right to erasure, also known as the right to be forgotten. This requires you to destroy any personal data you have about the person, unless you have a good reason not to. If you do not have a legitimate reason to deny this request, you must erase all the data you hold about them as soon as possible.

For example, a legitimate reason for not fulfilling an erasure request is needing information about a student so they can sit an exam. Another example is holding information about a member of staff to process their salary.


6. Data security.

This refers to securely holding the data you have about people. You must protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage. To do so, your school should use appropriate technical or organisational measures. For example, password protection on digital folders, encryption of files, and physical locks on filing cabinets.

Data security also applies to other forms of processing, including disposal. For example, shredding, incinerating, and securely erasing HDDs. When erasing hard drives, your school may require technical support, as simply erasing the data or formatting the drive can often prove insufficient.


Data security applies to both physical and digital data and to internal and external threats. People must not be able to access data without proper authorisation. For example, by physically accessing a room that holds student records or digitally acquiring them through cyber-attacks.

Your school must have security measures in place to prevent this, such as limiting access, using security software, and using secure storage facilities.


7. Accountability.

Accountability is a new addition to the Data Protection Act in accordance with GDPR. It requires all data controllers to have processes in place that prove their data protection measures are sufficient. This means that your school should keep accurate records of processing activities and update its policies where relevant.

As part of protecting personal data, all schools must also notify the Information Commissioner’s Office (ICO) annually. Failure to do so is a criminal offence. This is not a new requirement, but is an important part of accountability as it enables you to transparently show what data you’re processing and how.

Schools must notify the ICO of:

  • The purpose for which it holds personal data.
  • What data it holds.
  • The source of said data.
  • To whom it intends to disclose the data.
  • To which countries it intends to transfer the data.



Categories of Personal Data

In order to fulfil these principles, you and everyone in your school must understand what exactly defines personal data. Under data protection law, there are two main types of personal data: personal data and information, and special category data.

Personal Data and Information

This refers to any data about an identifiable living individual that you process in your school, including any records and personal information about staff and students.

For example:

  • Names of staff and pupils.
  • Dates of birth.
  • Photographs of staff and pupils that are clearly linked to their identity or other personal information about them.
  • Addresses.
  • National insurance numbers.
  • Financial information, such as bank details and tax status.
  • Recruitment data.
  • Attendance and behavioural information.
  • Safeguarding information, including SEN assessments and data.
  • School work and marks.
  • Medical information, such as medical conditions and GP names.
  • Exam results.
  • Staff development reviews.

This is not an exhaustive list, but it provides common examples of personal data that your school may process.

Special Category Data

Previously known as sensitive personal information, special category data refers to information about more sensitive topics. For example, a person’s race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality, and criminal offences.

The main difference between processing personal data and special category data is that your school must apply greater care when processing the latter.



Preventing Data Security Breaches in Schools

It is crucial for your school to have security measures that prevent data protection breaches of both physical and digital data. Following the principles discussed above will help you do so, but another important aspect to consider is students’ and staff’s access to the internet and data.


Schools must consider how they can prevent breaches that may accidentally or deliberately occur when students and staff use the internet, intranet, and email systems.

Therefore, you must consider the following:

  • Does your school monitor or regulate the use of the internet, email, and/or chat rooms?
  • Do you use filtering systems to prevent students and staff from accessing inappropriate materials and sites on the internet or network?
  • Is there a reporting procedure in place for accidental access to inappropriate materials or sites?
  • Is internet safety a part of the curriculum?
  • Does your school follow safe practices when publishing images and names of students on their website?
  • Does everyone know how to send emails securely?

To combat the issues that these activities may present, your school should have a use policy in place.



Data Protection Use Policy for Schools

A use policy explains what practices students and staff should follow to securely use the internet and email for private communications. It should also cover issues of security when people need to access the school’s intranet off the school grounds via a phone or tablet.

A use policy should cover the following:

  • Email. Is homework or other personal data shared between students and staff via email? Can it be done securely? Can you avoid emailing sensitive data to parents? When sending bulk emails, are staff using the BCC function to protect potentially hundreds of parents’ email addresses?
  • Chat rooms. Students should only have access to chat rooms that are educational in nature and closely moderated. As part of e-safety education, students should understand the importance of never giving out personal data that would identify them or others over chat.
  • Mobile technology. The use policy should explain how people can use mobiles securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
  • School websites. You must protect students’ identities. Therefore, if you need to publish an image of a student, for example, their name must not accompany it and vice versa. You should also always acquire parental permission where relevant. Furthermore, your website should have a clear, detailed privacy statement that states how your school intends to use the information they acquire about data subjects and how they’ll process it securely.
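As an added illustration of the BCC point in the email item above (example code, not from the article), here is a Python sketch of building a bulk notice to parents so that their addresses travel only in the SMTP envelope and never appear in the delivered headers; the school sender address and parent addresses are constructed placeholders.

```python
"""Added example: a bulk parent notice that does not expose other parents'
addresses. The sender and recipient addresses below are constructed
placeholders; this is not code from the article or from High Speed Training."""
from email.message import EmailMessage

SCHOOL_SENDER = "office@example-school.invalid"  # constructed placeholder


def build_bulk_notice(recipients, subject, body):
    """Return (message, envelope_recipients) for a privacy-safe bulk send.

    The parents' addresses are returned separately as the SMTP envelope
    recipients and are never written into the To/Cc/Bcc headers, so the
    message each parent receives shows only the school's own address.
    (smtplib's send_message() strips a Bcc header before sending, but the
    lower-level sendmail() with a raw string would not, so leaving the
    header out altogether is the safer habit.)
    """
    msg = EmailMessage()
    msg["From"] = SCHOOL_SENDER
    msg["To"] = SCHOOL_SENDER  # the visible To is the school itself
    msg["Subject"] = subject
    msg.set_content(body)
    # De-duplicate while preserving order and drop blank entries.
    envelope = list(dict.fromkeys(r.strip() for r in recipients if r.strip()))
    return msg, envelope


def build_bulk_notice_insecure(recipients, subject, body):
    """The mistake the use policy warns about: every parent in the To header,
    so each recipient can read all the others' addresses."""
    msg = EmailMessage()
    msg["From"] = SCHOOL_SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_addresses(msg, recipients):
    """Return the recipient addresses that appear anywhere in the headers,
    i.e. the addresses every other recipient would be able to see."""
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [r for r in recipients if r in header_text]


if __name__ == "__main__":
    # Constructed sample addresses for a dry run; no mail is actually sent.
    parents = ["parent.a@example.invalid", "parent.b@example.invalid"]
    msg, envelope = build_bulk_notice(parents, "Trip reminder", "Please return the form.")
    print("leaked via headers:", leaked_addresses(msg, parents))  # prints []
    # Real send, using the envelope list rather than a header:
    # import smtplib
    # with smtplib.SMTP("mail.example-school.invalid") as smtp:
    #     smtp.send_message(msg, to_addrs=envelope)
```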



Who is Responsible For Data Protection in Schools?

Ultimately, everyone has a responsibility to ensure the school securely processes data. Staff and even students who handle personal data need to be careful that it does not come into possession of anyone who doesn’t have permission to view or process it. For example, if a teacher has a USB containing information about their students’ assessment submissions, they are responsible for keeping this data secure.

However, your school should have designated individuals who have the necessary knowledge, experience, and training to implement and uphold systems and policies. More specifically, your school must have a designated Data Protection Officer (DPO). All public authorities are required to appoint a DPO by law, but even private schools should have one in place.

Data Protection Officers

The Data Protection Officer in your school is responsible for monitoring internal compliance and helping to establish policies and procedures. They should understand common information risks and the school’s strategies for combating them.

More specifically, DPOs can help the school to:

  • Know what personal information your school holds and for what purpose.
  • Develop the school’s data protection policy.
  • Arrange training for and offer advice to staff.
  • Be aware of and monitor who has access to personal data and why.
  • Establish best practice guidance for data processors and anyone in the school that handles data.
  • Process and respond to all requests for information, correction or erasure.
  • Establish and oversee physical and digital security measures.
  • Ensure that everyone processes data securely, including when they must destroy it.
  • Ensure that third parties have appropriate data protection measures.


Your school must have a written contract with third parties who process data that includes information about data protection duties. The contract should oblige them to implement appropriate security measures for protecting any personal data they process. However, the data controller (your school) still has the main responsibilities under the Data Protection Act: third parties are simply acting on your school’s behalf.

Therefore, your school must ensure that all third parties are consistently complying. To do this, your school could request written updates about security measures or carry out full audits (such as by visiting the third party’s premises).



It’s crucial for your school to follow the key data protection principles and put in place systems and strategies that facilitate data protection. By doing so, your school will comply with the Data Protection Act, protect staff and students’ confidentiality, and deliver education in a secure environment.


Key Principles of the Data Protection Act 2018
https://www.highspeedtraining.co.uk/hub/data-protection-act-key-principles/
Wed, 08 Aug 2018 13:43:23 +0000

Understanding the Data Protection Act 2018 and the GDPR can be challenging; our brief overview of the key principles summarises the Act.

The post Key Principles of the Data Protection Act 2018 appeared first on The Hub | High Speed Training.
Due to GDPR coming into force in 2018, data protection law has changed. If your business handles the data of EU citizens, it’s crucial to know how to comply with the new Data Protection Act 2018 (the UK’s implementation of GDPR) and the changes that GDPR has enforced.

Although the Data Protection Act has received various amendments, it still contains a set of key principles that all data-handling businesses must follow. The Act has updated its previous principles to reflect those put into place by GDPR, which instructs businesses on how to protect people’s personal data.

The principles give you an overview of what data protection law requires from all data controllers. They exist to protect the data you process about data subjects and apply to everything that you do with people’s personal data. Therefore, it’s essential that you understand them.


Need a Course?

Our Data Protection Training Course is designed to help businesses and individuals comply with the essential principles of the UK’s Data Protection Act and the EU’s General Data Protection Regulation (GDPR).


The Data Protection Act Key Principles:

Fair, lawful, and transparent processing

GDPR states that personal data must be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’. This means that all data controllers must only process data for the purpose they acquired it and with consideration of the data subject’s rights. You must have a legitimate reason for processing their data and never hold onto it for other purposes.

Furthermore, you must tell the person exactly what you’ll use their data for and receive explicit consent. When you are acquiring their data, you must offer a clear statement about how you plan to use it before they agree. Keep in mind that you can only provide opt-in options, not opt-out. You must also include information in your privacy policy about why you may need people’s personal data.


Purpose limitation

The principle of purpose limitation states that data must only be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. The only exception to this is purposes relating to public interest and scientific or historical research. However, the controller must have authorisation to do so.

Purpose limitation supports the previous principle: you cannot use data for any purpose other than the one you collected it for. For example, let’s say you are acquiring data to complete a transaction with a customer. Without explicit consent, you cannot use that same data for marketing purposes.

It’s also important to know that most businesses must notify the Information Commissioner’s Office (ICO) of how and why they plan to acquire data. Some organisations are exempt, such as if you only process personal data for payroll or for maintaining a public register. If you are unsure about whether you need to notify the ICO, you should contact them directly and ask.

Data minimisation

The data minimisation principle refers to the importance of only holding as much data about a person as is necessary. Data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. For example, if you are collecting data to post a catalogue, you only need the person’s name and address. You don’t need their date of birth or gender, as it’s not relevant. Furthermore, when you no longer need data to fulfil its original purpose, you must securely delete or destroy it.


In accordance with this principle, you cannot collect data on a ‘just in case’ basis. You must carefully consider the purpose for which you’re acquiring data before you gather it. If you think you’ll eventually need to use a person’s data for something else, you’ll have to recollect it with new consent nearer the time. You cannot collect it in advance for future purposes.

Fulfilling the principle of minimisation is crucial for reducing risks, such as if a data breach occurs. It also ensures that data is not subject to misuse.


You may also be interested in our following guides: How to Apply for a Data Protection Licence and How to Select Suitable Data Protection Methods


Accuracy

The principle of accuracy states that the data you collect must be ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’. To fulfil this principle, you must update data if a customer notifies you of a change. You must also erase the data if it’s no longer necessary. Under the regulations, data subjects have the right to rectification and you must fulfil this request within one month.

Accuracy also applies to outsourced processes, such as using an external payroll company. You must have a system in place for ensuring they can easily correct any personal data they hold. Primary data controllers are responsible for ensuring this occurs. Therefore, you must make sure you’re aware of all the third parties that process any data you hold about people.

Data retention periods

To comply with the principle of data retention periods, data you hold must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. You may store it for longer for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

The duration for which you can lawfully hold data varies depending on the purpose you acquired it for. It is up to each individual business to determine this themselves. In some cases, the law may enforce a retention period. For example, you must keep P60s and P45s as part of HR records for 6 years. You should also be aware that data subjects have the right to erasure. This is also known as the right to be forgotten. If you receive a request for erasure, you must respond within a month to notify them of your intended actions.

If you no longer need data for its original purpose, or a person asks for you to erase it, you must securely delete or destroy it.

Another requirement regarding data retention is keeping internal records of data processing activities. This is a new requirement under GDPR. It applies to all businesses if their data processing could risk an individual’s rights or freedoms. Businesses with more than 250 employees must keep more detailed records, which the Data Protection Officer should oversee.

Data security

This is a crucial principle, as it refers to the processes you must follow to securely handle personal data. Under the regulations, it’s essential that the data you hold is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’. Data security requirements also apply to any third parties that process data you collected. It’s your responsibility to ensure they comply.


Data security applies to both physical and digital data, and to internal and external threats. People must not be able to access data without proper authorisation. For example, by physically accessing a room that holds records or digitally acquiring them through cyber-attacks. Your business must have procedures in place to mitigate these risks, and it’s up to you to determine what is proportionate and necessary to achieve an adequate level of security.

Examples of cyber security measures include: installing security software (such as antivirus), enforcing security policies, providing information, instruction, and training to staff, and only granting access to people who actually need to use the data.

Accountability

Accountability is a new addition to the Data Protection Act in accordance with GDPR. To comply with it, data controllers must be able to prove that their data protection measures are sufficient. They must have appropriate technical and organisational procedures, which include suitable privacy policies and keeping sufficient records of their processing activities.

Not only is accountability crucial for complying with data protection law, but it also reflects positively on your business. Customers, clients, and employees will recognise that you handle their private information securely, meaning they’re more willing to give you their trust and do business with you.


What are the Most Common Types of Cyber Attack?
https://www.highspeedtraining.co.uk/hub/common-cyber-attacks/
Wed, 18 Apr 2018 08:47:32 +0000

This guide outlines the most common cyber attacks which threaten your online security. Includes further information & resources on how to prevent these.

The growth of the internet has created so many effective ways for businesses to expand and for people to connect with one another. However, it also brings increased cyber security risks. Cyber criminals use various types of cyber attacks to exploit vulnerable systems and susceptible people.

Hackers who steal your personal information may use it to commit identity theft or hold it for ransom, which is damaging for anyone. The consequences can take years to rectify and have severe emotional and financial impacts on individuals and businesses alike. Therefore, it’s crucial that you understand the most common cyber attacks and how to avoid them.



What is a Cyber Attack?

A cyber attack is an attempt to disrupt, or gain access to, an individual’s or a business’s system or data. Hackers carry out cyber attacks by using malicious programs, deceptive files, and fake web pages to infiltrate systems and online accounts.

There are three common motives behind cyber attacks:


1. Financial gain

This is the most common motive. If a hacker acquires your passwords and other personal information, or successfully installs malware on your computer, they can commit identity theft to access your money. They may also use it to commit further crimes, for example money laundering, selling your information to other cyber criminals, or withholding it until you pay a ransom.

A recent example is the ransomware attack on the NHS in 2017, which encrypted data on infected computers across the NHS. The malware stated that the user would lose access to the files forever unless they paid a ransom fee. Fortunately, the cyber attack did not succeed in stealing patient data and the NHS did not pay any ransom, but the attack led to major disruptions that cost valuable time and money.


Hackers might also use your profiles to post spam and attack other accounts for further financial gain. Additionally, they may attack on a larger scale to commit fraud, such as sending businesses invoices that look like they come from a legitimate supplier.


2. Political or social agenda

Many hackers carry out cyber attacks to access and leak data that helps push their own political or social agendas, or, more commonly, to damage those of others.

These ‘hacktivists’ often look for data that harms their target’s reputation or campaign. Their targets may be a public business, government, other political body, or a single individual. However, not all of these types of attacks seek data. Some aim to temporarily or indefinitely shut down networks or systems. These types of cyber attacks are known as Denial of Service (DoS) attacks, and commonly target governments and political bodies.

Hacktivists can stand anywhere on the political spectrum, from far left to far right, and everywhere in between. For example, some hacktivists focus on bringing down terrorist websites, while others may be members of a terrorist group themselves.


3. Intellectual challenge

Some hackers carry out cyber attacks purely for the challenge and seek no criminal gain. These types of hackers often take on the role of a ‘white hat’, or ‘ethical’, hacker, by helping companies implement and test data security measures to prevent cyber attacks.


For example, following the cyber attack on the NHS, NHS Digital employed ethical hackers to test and improve their cyber defences. Reportedly, the person who helped the NHS recover from the attack was also a white hat hacker.


Whatever the motivation, cyber attacks are damaging and dangerous, even those carried out by ethical hackers. Many of these hackers go on to sell the software they created while hacking for sport, which allows other hackers to commit serious cyber crimes.


The Most Common Categories of Cyber Attacks

Over time, hackers have developed various types of cyber attacks to achieve different aims. These are the six most common categories:


1. Malware

Malware (i.e. ‘malicious software’) is one of the most common and oldest forms of cyber attack. It refers to harmful programmes and software, such as Trojans, viruses, and worms. These allow a hacker to access or destroy data on the infected system.

Hackers often spread malware by disguising it as a downloadable file, such as a Word document, PDF, .exe file, etc. They usually attach these files to emails or place download links on websites, presented in a form that looks legitimate.


In order to infect your system, malware requires you to click and allow the download. It can only access your computer with your approval. Therefore, you can easily avoid it by only downloading files from trustworthy sites or senders.

Once malware is on your system, the hacker can access your data in numerous ways. For example, some can monitor keystrokes, activate webcams, or remotely take control of your machine. Ransomware is also a common form of malware, which locks your data and demands payment.


2. Phishing

Similar to malware, phishing involves tricking the user into clicking false links. The hacker may send you an email that states your account requires urgent attention and directs you to a fake login page. The fake site captures any personal data you enter, which the hacker can then use to log into your actual account.


Phishing can also happen over social media, where hacked accounts share links via a status update or private message. This type of phishing is often effective, as users are likely to trust links sent by people they know.

Whatever platform hackers use, phishing messages usually incite curiosity or panic to bait vulnerable users. You can avoid phishing attacks by being wary of such messages. Always keep in mind that your bank will never contact you for personal information. Furthermore, Google accounts shouldn’t ask you to re-enter your login details if you’re already logged in.


3. Denial of Service (DoS)

A denial of service attack involves the hacker flooding a website with more traffic than the server can handle, which causes it to overload and shut down. They do this by sending a high volume of connection requests to the site from their own computer, or from several machines that they have compromised remotely. If they use more than one machine, it is known as a Distributed Denial of Service (DDoS) attack.


Hackers usually carry out DoS attacks for political or social motives, rather than financial, as they cause disruption and confusion for the site owners.



Need a Course?

Our Introduction to Cyber Security Course raises your awareness of the risks to information security, such as cyber attacks. It will help you to understand what measures you can take to help prevent unauthorised access to confidential information in the workplace.


4. Password attacks

Password attacks involve the hacker running a program on their system that tries to systematically guess users’ passwords. The two most common types of password attacks are dictionary attacks and brute force attacks. Dictionary attacks try common ‘dictionary’ words and letter combinations, whereas brute force attacks attempt every letter and number combination possible.

Password attacks differ from malware and phishing because they don’t require you to do anything, except have an easy-to-crack password. After a certain amount of trial and error, a dictionary attack may land on your password and access your account if it’s simple enough. If you use a unique combination of words and numbers, it will struggle to crack it. However, a brute force attack will eventually get your password no matter what, although it will take a very long time to reach a long, unique password (as opposed to, for example, 123456).


Therefore, it’s important that you follow password security guidance to come up with passwords that are difficult to hack.


5. Drive-By Downloads

This type of attack relies on users visiting websites where hackers have exploited vulnerabilities, for example in programmes such as Java and Adobe software. By visiting the site, the user unknowingly allows a hacker’s harmful code to download onto their system. This code then enables the hacker to push further downloads to your machine and access your data.

To avoid this, make sure you only visit secure sites and keep your software up to date. Avoid downloading browser add-ons and plugins.


6. Man in the middle (MITM)

Hackers carry out MITM attacks by exploiting non-encrypted wireless connections. If you connect to a public WiFi network and then log in to pages or communicate with a service, a hacker may be able to intercept this connection by impersonating each party to the other and manipulating both into divulging personal data.


The simplest way to prevent this type of attack is to avoid using non-encrypted wireless connections, particularly if you plan to log into a site or share personal information. For example, if you log in to your email or use a customer service live chat. Although it’s tempting to use the free data available on trains and buses, stick to using your mobile data or avoid these types of activities altogether until you’re on a safe connection, e.g. your home internet.


Knowing that all these various types of cyber attacks exist can feel intimidating. However, you will now know what to look out for, meaning you can navigate the internet and set up your accounts securely. Good cyber security helps you, and your business, stay safe from identity theft and the other complications that cyber attacks can cause.


Password Security Guidance
https://www.highspeedtraining.co.uk/hub/password-security-guidance/
Fri, 06 Apr 2018 09:09:04 +0000

Learn the importance of password security and how you can create strong passwords to protect your personal data. Includes what to do, and what not to do.

Passwords are important. They help your personal accounts stay private and secure but, if you’re guilty of reusing, rotating, or using notoriously easy passwords, you are leaving yourself open to an account breach. Therefore, you should know what makes a strong password so that you can ensure the maximum security for your sensitive information.



Why is Password Security Important?

Repeatedly using the same passwords or using ‘weak’ passwords can leave you vulnerable to hackers. If a hacker cracks your passwords, they could gain access to your social media accounts, bank accounts, emails and other sensitive accounts that hold your confidential, personal data. If someone obtains access to this information, you could become the victim of identity theft. Therefore, creating a strong password is vital.

Password hacking is often carried out in one of the following ways:

  1. Brute force attacks. A hacker uses automated software to guess your username and password combination. The software tries every possible character combination and will try the most commonly used passwords first, so weak or common passwords can be relatively simple for a brute force attack to crack. While this method will eventually crack your password by cycling through every possibility until it matches your character combination, you can make it take a very long time by using a complex password.
  2. Dictionary. With this method of hacking, a hacker will run a defined ‘dictionary’ against your passwords. This dictionary also includes the most common password combinations, so it is a relatively easy and quick way of hacking into weakly protected accounts. By using a single-use, strong password for each account, you should be able to protect yourself from a dictionary hack.
  3. Phishing and social engineering. Accessing someone’s password using a phishing or social engineering attack is not technically a type of hack, but it provides the ‘hacker’ with access to your passwords and confidential information. This in turn allows them to access your accounts. Phishing occurs when a hacker targets you with spoofed emails that look like they come from legitimate organisations, while social engineering is real-world phishing (for example, over the phone).

The repercussions of identity theft can be long lasting and they are not only limited to financial problems. The victim could also face a range of emotional implications, including stress and anxiety. Therefore, it’s important that you take measures to protect yourself from the burdens of having an account hacked.



Password Security Tips

If you want to keep your accounts and personal information safe, it’s vital that you understand how to create a strong password. Are you guilty of using ‘1234’, ‘admin’ or ‘password’? If you are, it’s time for you to work on your password security. Below we have compiled a list of helpful tips so you can be sure that your accounts are secure.

To create a secure password you should never:

  • Use your name, family member’s names, important dates such as anniversaries and birthdays, special places, the word ‘password’ or sequential lists of numbers or letters. All of these are far too easy to crack, and you should avoid them at all costs.
  • Use dictionary words. When hackers attempt to access your accounts, they run various dictionaries against your passwords in an attempt to crack them. This includes both English and foreign words and phonetic patterns. So while you might think that opening a dictionary and picking a word at random is safe, it’s not. Hackers are also able to scan for common substitutions, so substituting ‘@’ for ‘a’ or ‘!’ for ‘l’ doesn’t help. Under a brute force attack, a random word with common substitutions and numbers or symbols added onto the end would only take around 3 days to crack.
  • Write your password down. If you write down your passwords and leave them somewhere accessible, especially near your computer, it makes it easier for people to access your accounts. Instead memorise your passwords and keep them private.
  • Enter a password over an insecure Wi-Fi connection. Everywhere you go there is the opportunity to connect to an insecure Wi-Fi account, including cafes, book stores, restaurants and shopping centres. It might seem okay to connect to these and enter your passwords to social media and email accounts, but hackers can easily intercept your private information.


Instead, it’s important that you:

  • Set different passwords for each account. Consider your current password situation. Do you use the same password for Facebook, online banking, Amazon, etc.? Would cracking one password allow a hacker to enter multiple secure accounts? You should always set a different secure password for each of your accounts to ensure maximum security.
  • Use long passwords. The longer the password the more secure it is. Ideally, you should aim for a password that’s 12 characters or longer but, if you want to go shorter, ensure it’s not less than 6 characters.
  • Mix letters, numbers and symbols. Additionally, you should use a mix of lowercase and uppercase letters to help create the most secure password possible.
  • Use a string of words, such as ‘allotmentcarrothumaneats’. By using four separate words that you find easy to remember, you will make it much harder for automated hacking software to guess. This method could increase the time taken to guess your password from a few days to over one hundred years.
  • Change automatically generated passwords. When you sign up to some companies, you receive an automatically generated password. You should change this to your own as soon as possible.
  • Make use of the password analysers some companies use. Are you told your password is ‘weak’ when you enter it? If you are, you should take note of this and make some changes.
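To make the attack classes described above concrete (brute force, dictionary attacks that undo common substitutions, and the four-word string such as ‘allotmentcarrothumaneats’; the same classes are covered in the password attacks section of the cyber attack article), here is an added guess-count estimator. It is not code from the articles; the word list, the 100,000-word dictionary size and the guess rate of one billion per second are constructed assumptions.

```python
"""
Rough guess-count estimator for the three password attack classes the
articles describe: brute force over a character set, dictionary attacks that
reverse common substitutions, and attacks on passwords made of several words.
Added example; WORDS, DICTIONARY_SIZE and GUESSES_PER_SECOND are assumptions.
"""
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed mini word list standing in for an attacker's dictionary.
WORDS = {"password", "admin", "allotment", "carrot", "human", "eats",
         "dragon", "sunshine", "welcome", "monkey", "secure"}
DICTIONARY_SIZE = 100_000     # assumed size of a real cracking word list
GUESSES_PER_SECOND = 1e9      # assumed offline rate against a fast hash
SYMBOLS = 33                  # printable ASCII punctuation characters
DIGITS_AND_SYMBOLS = 10 + SYMBOLS
# Character classes and their sizes, used to size a brute-force search.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
           (r"[^a-zA-Z0-9]", SYMBOLS))

# Common substitutions that a dictionary attack reverses automatically.
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "l", "!": "l",
                 "0": "o", "$": "s", "5": "s", "7": "t"}
# Number of ways each letter can be written: plain form plus its substitutes.
FORMS = {letter: 1 + list(SUBSTITUTIONS.values()).count(letter)
         for letter in set(SUBSTITUTIONS.values())}


@dataclass
class Estimate:
    model: str       # attack model that needs the fewest guesses
    guesses: float   # guesses needed to exhaust that model
    seconds: float   # time at GUESSES_PER_SECOND


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set covering the password."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, pw))


def brute_force_guesses(pw: str) -> float:
    """Every combination of the observed character set at this length."""
    return float(charset_size(pw)) ** len(pw)


def dictionary_guesses(pw: str) -> Optional[float]:
    """One word, optionally with substitutions and a short trailing suffix."""
    m = re.fullmatch(r"(.*?[a-zA-Z])([^a-zA-Z]{0,4})", pw)
    if not m:
        return None
    word = "".join(SUBSTITUTIONS.get(c, c) for c in m.group(1).lower())
    if word not in WORDS:
        return None
    variants = math.prod(FORMS.get(c, 1) for c in word)   # e.g. a/@/4
    suffix_space = DIGITS_AND_SYMBOLS ** len(m.group(2))   # e.g. '1', '!'
    return float(DICTIONARY_SIZE * variants * suffix_space)


def passphrase_words(pw: str) -> Optional[int]:
    """Fewest dictionary words that concatenate to the password, if any."""
    pw = pw.lower()
    best: list = [None] * (len(pw) + 1)   # best[i]: fewest words for pw[:i]
    best[0] = 0
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in WORDS:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[len(pw)]


def passphrase_guesses(pw: str) -> Optional[float]:
    """Any ordered choice of n dictionary words; single words are handled above."""
    n = passphrase_words(pw)
    if n is None or n < 2:
        return None
    return float(DICTIONARY_SIZE) ** n


def estimate(pw: str) -> Estimate:
    """Report the attack model that exhausts this password soonest."""
    candidates = {"brute force": brute_force_guesses(pw)}
    if (d := dictionary_guesses(pw)) is not None:
        candidates["dictionary"] = d
    if (p := passphrase_guesses(pw)) is not None:
        candidates["word combination"] = p
    model = min(candidates, key=candidates.get)
    guesses = candidates[model]
    return Estimate(model, guesses, guesses / GUESSES_PER_SECOND)


if __name__ == "__main__":
    for pw in ("123456", "p@ssw0rd1", "S3cure!", "allotmentcarrothumaneats"):
        e = estimate(pw)
        years = e.seconds / 31_557_600
        print(f"{pw:26} {e.model:16} {e.guesses:9.2e} guesses {years:9.2e} years")
```

Note that the substituted word ‘p@ssw0rd1’ falls to the dictionary model in well under a second, while the four-word string is only reachable by combining dictionary words, which at the assumed rate takes thousands of years.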

Your passwords will never be 100% hack-proof, but by using the tips outlined in this article you will be able to ensure a high level of protection for your accounts. 


GDPR Glossary of Key Terms
https://www.highspeedtraining.co.uk/hub/gdpr-glossary/
Mon, 12 Feb 2018 09:22:55 +0000

This GDPR glossary covers the definitions of key terms relating to the General Data Protection Regulation. Further information and resources provided.

The introduction of the General Data Protection Regulation (GDPR) in May 2018 resulted in big changes to how companies can process people’s data. By now, all businesses should be fully compliant with its requirements. However, if you still have ways to improve, this glossary might help you understand the key aspects of data protection law. It may also be useful if you’re adopting more responsibilities regarding data protection in your organisation and want to develop your knowledge.

Some of the terminology may feel a little overwhelming and confusing if you’ve never encountered it before, so we’ve created this GDPR glossary of key terms to help.



Accountability – the data controller is responsible for compliance with the data protection principles. They must be able to demonstrate the steps the business takes to ensure compliance.

Binding Corporate Rules (BCRs) – a set of rules that allow multinational organisations to transfer personal data from the EU to their affiliates outside of the EU.

Consent – consent is defined as receiving a data subject’s agreement to process their data. Agreement must be freely given, informed, specific and unambiguous. This consent could be given in several ways, such as via a written statement (including by electronic means) or an oral statement. Gaining consent must be clear and unambiguous. The data subject must clearly understand what they are providing their data for, how it will be processed, who will process it and how long it will be stored.

Data Breach – any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, a subject’s data.

Data Controller – ‘controller’ means the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.


Data Erasure – (also known as the Right to be Forgotten) this entitles the data subject to request that the data controller erase their personal data.

Data Minimisation – this means that you can only collect personal data if it’s needed to achieve the intended purpose. Personal data should be adequate, relevant and limited to what is necessary. Where appropriate, such data should also be kept up to date.

Data Processor – ‘processing’ means any operation, or set of operations, which is performed on personal data or on sets of personal data. It is considered processing whether these operations occur by automated or manual means. Processing includes the following activities: collecting, recording, organising, using, structuring, storing, adapting, retrieving, consulting, destroying and more. The data processor can be an organisation or third-party provider who manages and processes personal data on behalf of the controller. Data processors have specific legal obligations, such as maintaining personal records, and are liable in the event of a data breach.

Data Protection Authority – the national authority that protects data privacy.

Data Protection Officer – an appointed individual who works to ensure you implement and comply with the policies and procedures set by GDPR.

Data Subject – someone whose personal data is processed by a controller or processor.

Encrypted Data – personal data which has been translated into another form or code so that only people with specific access can read it.


Need a Course?

Our GDPR Training Course is suitable for anyone who has responsibility for implementing the changes brought about by the GDPR.

EU-US Privacy Shield – this refers to a new set of GDPR standards that allow for the legal transfer of personal data between the EU and US for commercial reasons.

Fairness Principle – this is a principle that states the data subject should have the right to:
1. Access the data.
2. Rectify the data.
3. Request that the data be erased.
4. Restrict processing.
5. Data portability.
6. Object to the processing of data.
7. Not to be subject to a decision based solely on automated processing.

Integrity & Confidentiality Principle – personal data must be processed using appropriate technical, organisational and security measures.

Legality Principle – for any personal data processed, the organisation must be able to specify that it has been processed on one of the legal grounds specified by GDPR. These grounds are:
1. The individual’s consent.
2. Contract with the individual.
3. Complying with an existing obligation.
4. Complying with an existing obligation.
5. Necessary for a task in public interest or authority.
6. Necessary in the legitimate interest of an organisation or third party.

Personal Data – any direct or indirect information relating to an identified person that could be used as a means of identifying them. This includes their name, ID number, location data or an online identifier.

Privacy Impact Assessment – a tool used to identify the privacy risks.

Profiling – the automated processing of personal data.


Processing – this refers to any activity relating to personal data, from initial collection through to the final destruction. It includes the organising, altering, consulting, using, disclosing, combining and holding of data, either electronically or manually.

Pseudonymisation – processing data so it can no longer be attributed to a data subject without the use of additional data.

Purpose Limitation Principle – this refers to using information only for the specified, explicit and legitimate purposes for which the data was collected and not for any other purpose.

Sensitive Personal Data – other factors specific to physical, physiological, genetic, mental, economic, cultural or social identity. This can include genetic data, biometric data, and criminal convictions and offences that, when processed, can uniquely identify a person.

Third Party – a legal body or authority other than the data subject, controller or processor who is authorised to process personal data under authority of the data controller or processor.


The terminology used when describing GDPR can be confusing, but it’s important that you understand it all. Knowing what responsibilities GDPR places on different individuals and what policies and procedures you must comply with is important if you want to avoid severe legal fines and a lost reputation. Use the information contained in this article to ensure you understand what is expected of you.


What are the Most Common Types of Identity Theft?
https://www.highspeedtraining.co.uk/hub/types-of-identity-theft/
Fri, 09 Feb 2018 09:43:11 +0000

It’s important to be aware of the common types of identity theft so you can protect your personal information. Our guide explains the essentials.

Identity theft occurs when someone steals your personal information, such as your date of birth, name, and address history. Criminals can then use this information to commit identity fraud, typically using your identity to gain financially. Unfortunately, identity theft can happen to anyone. If your identity is stolen and used to commit identity fraud, you could face serious consequences. Perpetrators may:

  • Max out your bank or credit card funds.
  • Leave you liable for debts you didn’t accrue.
  • Use your identity to commit non-financial crimes.
  • Severely damage your credit score so you are unable to take out loans or mortgages.

Though it might be possible for you to clear your name or regain lost funds, the emotional toll and financial worries can linger for a long time. Therefore, it’s important that you are aware of the common types of identity theft and how criminals steal information so you can protect yourself.



Common Types of Identity Theft

Identity thieves are always finding new ways to steal and use personal and confidential information. Below are some examples of how a criminal might commit identity fraud.

  • Driver’s license fraud. Driver’s license fraud occurs when a criminal has a driver’s license issued to themselves under another person’s identity. They might use the license to commit traffic violations that end up on your record and you could lose your license.
  • Financial identity theft. Criminals are able to use your stolen personal information to take over your financial accounts or create their own, which can be very serious and stressful. It can take you months or years to rectify the effects of financial identity theft and it could result in large volumes of debt and a poor credit score.
  • Child identity theft. Child identity theft is usually committed by a relative who will take out loans and credit cards in the child’s name. As children have no reason to check or monitor their credit reports, they will usually remain unaware of the fraudulent activity until they come of age and require loans. This type of fraud can take years to sort out and could stop you from being able to buy a house or car. It’s also likely to increase the interest rates on any loans you might be offered.
  • Change of address fraud. A fraudster could change your mailing address, diverting it to themselves instead. This allows them to look through all your mail and find out bank details, credit card details and other personal information.
  • Employment identity theft. Criminals, illegal immigrants and the jobless use stolen identification and personal details to obtain employment. By using stolen identification, they are able to conceal their real personal history from their employers.

Need a Course?

Our Introduction to Cyber Security Training Course raises your awareness of the risks to information security, such as cyber attacks. It will help you to understand what measures you can take to help prevent unauthorised access to confidential information in the workplace.


How does Identity Theft Happen?

Identity theft can happen to anyone. Because of this, it’s important that you understand how criminals steal data so you know how to protect yourself. Below we have outlined the most common ways criminals can gain your personal details to use them against you.

Theft

Theft of your personal belongings, such as a purse or wallet, or of credit card or bank statements can provide criminals with your sensitive information. Criminals might even go rooting through your rubbish in search of discarded bank statements, so be cautious and shred them or block out sensitive information like your name, address and account numbers. Alternatively, they might attempt to steal new statements or cards directly from your mailbox. You should inform your local post office immediately if you notice your mailbox has been tampered with.

Phishing

Phishing is a type of email scam. The sender might pose as a real company, organisation or agency and prompt you to enter your personal information. If an email asks you for a large amount of personal data, such as your name, address, card details or bank account numbers, do not click on any links and report the email as spam. Additionally, if the email contains poor spelling or grammar, claims you have won contests you didn’t enter, has offers that are too good to be true or makes unrealistic threats, it’s probably spam.

Cold Calling

Cold calling is when a criminal calls you, pretending to be a real company, organisation or agency, and coerces you into providing them with your personal information. You should always ignore unsolicited phone calls and assume they have bad intentions. Never give them any of your personal details.

Hacking

From banks to retail chains, criminals can hack into computer systems and steal personal credit card and bank information. Organisations will have systems in place to warn you in the event of a security breach, but before reacting to a message, check with the company that your data has actually been compromised. Once you know the alert is legitimate, take steps to close down any affected cards if necessary.



Identity fraud can be costly, both emotionally and financially. However, by understanding the ways criminals go about committing identity fraud and taking measures to stop people getting hold of your personal information, you can reduce the risks of being the victim of identity theft.


GDPR & Third Party Data Processors
https://www.highspeedtraining.co.uk/hub/gdpr-third-party-data-processors/
Fri, 02 Feb 2018 09:31:36 +0000

If your business uses any third party data processors, you must confirm they're compliant with GDPR. Our guide outlines what measures you can take to check.

Whilst it’s important that you’re on top of your data compliance, it’s also essential that you check that any third party data processors you use are also compliant. Ultimately, as a controller, you are responsible for ensuring that personal data is processed in accordance with GDPR. This means that you need to establish that your data processors are fully compliant or you could be liable for corrective measures and sanctions, including fines.



Who Are Third Party Data Processors?

A third party data processor is defined under GDPR as, “a natural or legal person or organisation which processes personal data on behalf of a controller.” This essentially means any third party who processes personal data on your behalf. This could include cloud services, mailing houses, hosting companies and any other organisation whereby you share personal data as part of your business operations or as part of any projects you may be running.


What Should I Do If I Use Third Party Data Processors?

Data controllers are responsible for actions taken by data processors. Therefore, you must identify all processors you use, have a clear understanding of the data you store and process with them, and understand how well each processor secures that data.

By completing an assessment of all third party processors you use, you’ll be able to gauge their awareness of GDPR. You should also be able to assess whether they have appropriate measures in place to comply with the regulations.

You should review their privacy policies and terms of use and look for GDPR statements your data processors may have prepared. This will give you clear guidance on their readiness. You may also consider asking your data processors a series of questions to assess their preparations for the new GDPR legislation.


Need a Course?

Our GDPR Training Course is suitable for anyone who has responsibility for implementing the changes brought about by the GDPR. It will outline your main responsibilities and help you to start making the necessary changes.


What Should I Ask Third Party Data Processors?

Good questions to ask include:

  • Where is the data stored?
  • Do you have a data protection officer?
  • Do you inform me when you transfer data?
  • What controls do you have in place to reduce risk, and what are your risk management processes?
  • Who can access the data?
  • Do you have security breach notifications in place?
  • Do you adhere to Binding Corporate Rules (BCRs)?
  • What measures are in place for you to be compliant with GDPR by May 2018?

A useful exercise is to map your data pathways: how data is captured, what data is captured, and what data is transferred between you and your data processor. This will give you a clearer understanding of your data management and show where you may need to improve your procedures to ensure compliance.



Review Your Data Processor Contracts

The GDPR also makes written contracts between controllers and processors a requirement. This means that you will need to ensure contracts are in place when:

  • You directly employ a data processor
  • A processor employs another processor on your behalf

Therefore, before the 25th May 2018, you need to check your existing contracts. If they don’t meet the requirements, you will need to draft and sign new contracts.

Both your organisation and your third party data processors need to have policies in place to support GDPR. Having a clear picture about how data is transferred will improve your knowledge about the data you control. You should also ensure that the data you collect is the minimum required for the necessary service/product.

Although it can seem like a challenging mountain to climb, in reality, GDPR offers businesses the opportunity to improve their data practices and their customer relationships. It helps you gain a deeper understanding of your data management, improve your knowledge about your customers and how they interact with you, strengthen databases, and open up new lines of communication.

