Security of client data in an ever-changing NGO environment
Data privacy and NGO’s responsibility to uphold client’s information in confidence are key topics in recent times. In Australia, data breach notifications laws have become mandatory this year and in Europe, new General Data Protection Regulation (GDPR) has come into effect. Software providers and Community Sector organisations must undertake educational and technical actions to ensure they understand and comply with their legal responsibilities.
Under the new regulations entitled the Notifiable Breaches Scheme of the Commonwealth being introduced by the Commonwealth Government, organisations with a turnover of more than $3 million will need to report all breaches of security of this kind to the regulator, the Australian Information Commissioner.
NGOs are facing particular challenges due to the sensitive nature of the services they provide to vulnerable customers and the community as a whole. While recording relevant service information is paramount to service delivery, the methods used to record, share and secure the information must be reviewed and updated to ensure practices meet regulations and all measures are taken to protect individuals.
There are many unusual data management practices operating in the NGO environment. Some of the most common concerning practices seen are:
- Shared word documents with personal client information with no adequate security features
- Storing confidential client data in systems never designed from a permissions perspective to store such data e.g. document management systems
- Sending across email networks within and beyond the host organisation, excel spreadsheets with client data stored on these spreadsheets
From a client confidentiality point of view, the old file cabinet systems were probably as secure as some of these arrangements. In fact, many organisations find themselves in a halfway house of client confidentiality using partial systems that don’t talk to each other and in desperation start sending excel spreadsheets to each other to get their work done without thinking about the confidentiality risks.
To mitigate these risks, organisations must undertake strong initiatives that include:
- Review current practices and assess the gap between existing and compliant processes
- Educate all workers to uphold approved practices
- Evaluate all systems used to store and share confidential data
- Conduct robust and timely incident management process
Organisations must also ensure their client relationship management systems are configured with strong data access security, role-based permissions and are supported by compliant providers who can guide them and assist them to achieve compliance with regulations.