Data security in the workplace
[ch 6: pages 54-56] An added concern for union members in the context of the growth of information technology is the risk of accidental data loss by, for example, loss of memory sticks or laptops, or accidental emailing of sensitive information to incorrect recipients. In some cases this has led to staff being disciplined.
According to a 2015 report by privacy campaign group Big Brother Watch, in a three-year period between 2011 and 2014, there were 4,236 data breaches in local councils, including at least: 401 instances of data loss or theft; 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes; 5,293 letters being sent to the wrong address or containing personal information not intended for the recipient (in some cases breaches involving more than one person were treated as a single breach); and 197 mobile phones, computers, tablets and USBs which were either lost or stolen.
See Big Brother Watch, A Breach of Trust, How local authorities commit four data breaches every day, August 2015
www.bigbrotherwatch.org.uk/wp-content/uploads/2015/08/A-Breach-of-Trust.pdf
The portability of devices, their potential to carry vast amounts of data and the breakdown of the boundaries between home and work all contribute to this growing problem. Behind every accidental loss or theft is an individual whose momentary lapse of focus will place his/her job, and perhaps those of colleagues, at risk.
There have been a number of reported cases of individuals being sacked for losing data. This has occurred, for example, where equipment has been stolen from the individuals concerned, or where the employer believes the individual has not taken sufficient care to prevent accidental loss. But responsibility for implementing adequate security policies, such as proper use of encryption, ought to rest ultimately with the employer, rather than being left to individuals.
The Big Brother Watch report gives a number of examples of notable incidents. These include a social worker in the London borough of Lewisham accidentally leaving a bundle of papers on the train. The bundle included personal/sensitive data relating to 10 children, and included information in relation to sex offenders as well as police reports and child protection reports. The social worker resigned during disciplinary procedures.
The report also gives a number of examples of local authorities’ employees being dismissed. These include: someone dismissed in Cardiff for storing documents at home; an individual dismissed in Glasgow for unauthorised use of an encrypted memory stick; and a number of individuals in different local authority areas dismissed for passing on confidential information to a third party or for accessing confidential information for their own personal use.
In terms of data being deliberately accessed, one rep in our survey reported an incident where an employee at a government department accessed data relating to his own family, and was subject to a disciplinary after this was revealed by a security audit.
Reps can help members reduce their risk of making a mistake and exposing themselves to disciplinary proceedings by:
• highlighting the importance of privacy and information protection procedures;
• campaigning for adequate training and resources to be provided by the employer; and
• encouraging consultation on appropriate levels of encryption.
A good starting point for this kind of campaign is the ICO’s simple “Think Privacy” campaign with a downloadable toolkit: https://ico.org.uk/media/for-organisations/think-privacy/2693/ico-think-privacy-toolkit.pdf.