
Not everyone needs access: The Key to Protecting Sensitive Data
Sensitive data requires a higher level of security under UK GDPR because of its potential to cause significant harm to individuals if it is lost, stolen or misused. A recent case of a teacher losing their job after accessing a safeguarding report and transcribing it to her personal computer highlights both the importance of least-privilege access and the need for continual review of who holds that access.
What is Sensitive Data?
Sensitive data under the UK GDPR is defined as 'special categories of personal data':
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for unique identification, e.g., fingerprints for access)
- Data concerning health (e.g., medical records, disabilities, mental health information)
- Data concerning a person's sex life or sexual orientation
Control Who Can See What (Access Controls)
🔒Give people access only to the data they need for their job - a 'need-to-know' basis.
🔒Use Role Based Access Control.
🔒Regularly review access rights.
🔒Train staff on data protection and cyber security regularly.
🔒Have clear policies for data protection and acceptable use.
In the recent Nottingham case, the teacher was no longer teaching the child in question but still had access to the child's data, even though the child had been removed from their class because of safeguarding concerns.
Do your staff only have access to the data they need for their job?
Do you regularly review who has access to what data?
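The access review the questions above ask for can be automated: derive what each user should see from current class assignments (a class teacher sees only pupils currently in their class; a designated safeguarding lead sees all records), compare that with the grants actually configured in the records system, and list the stale grants for revocation. This is an added example, not code from the original post or from any product it mentions; all user, pupil and role names are constructed.

```python
"""Periodic access review for pupil safeguarding records (illustrative)."""
from typing import Dict, Set, Tuple

Grant = Tuple[str, str]  # (user, pupil)


def entitled_grants(current_classes: Dict[str, Set[str]],
                    leads: Set[str], pupils: Set[str]) -> Set[Grant]:
    """Derive the grants each user should hold right now (need-to-know)."""
    wanted: Set[Grant] = set()
    for teacher, taught in current_classes.items():
        wanted |= {(teacher, p) for p in taught}      # only pupils taught today
    for lead in leads:
        wanted |= {(lead, p) for p in pupils}         # safeguarding lead role
    return wanted


def review_access(configured: Set[Grant],
                  current_classes: Dict[str, Set[str]],
                  leads: Set[str], pupils: Set[str]) -> Dict[str, Set[Grant]]:
    """Split configured grants into keep / revoke (stale) / missing."""
    wanted = entitled_grants(current_classes, leads, pupils)
    return {
        "keep": configured & wanted,
        "revoke": configured - wanted,   # held but no longer needed
        "missing": wanted - configured,  # needed but never granted
    }


# Constructed sample: pupil_3 was moved out of teacher_a's class after a
# safeguarding concern, but teacher_a's grant in the records system stayed.
PUPILS = {"pupil_1", "pupil_2", "pupil_3"}
CURRENT_CLASSES = {"teacher_a": {"pupil_1", "pupil_2"}, "teacher_b": {"pupil_3"}}
LEADS = {"dsl_1"}
CONFIGURED = {
    ("teacher_a", "pupil_1"), ("teacher_a", "pupil_2"), ("teacher_a", "pupil_3"),
    ("teacher_b", "pupil_3"),
    ("dsl_1", "pupil_1"), ("dsl_1", "pupil_2"), ("dsl_1", "pupil_3"),
}

if __name__ == "__main__":
    result = review_access(CONFIGURED, CURRENT_CLASSES, LEADS, PUPILS)
    for action in ("revoke", "missing"):
        for user, pupil in sorted(result[action]):
            print(f"{action}: {user} -> {pupil}")
```

Run on a schedule (for example termly and whenever a pupil changes class), the "revoke" list is the drift that a one-off role setup never catches.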
BBC Report: Teacher loses dismissal case over trans pupil row
NottinghamshireLive Report: Nottinghamshire teacher who accessed trans pupil's private data not unfairly sacked, tribunal rules
Review our Access Control Guidance in our Cyber Security Best Practice Library, which includes a short video about access control and user permissions.
Review your Acceptable Use Policy; our customers can review our Acceptable Use Best Practice Area.