In July 2015, the controversial infidelity dating website Ashley Madison suffered a serious data breach that resulted in the leaking of the details of its entire customer base. There were plenty of red faces for those exposed by the breach, but just as embarrassing was how obvious many of the passwords turned out to be.
One security analyst found that among the 4,000 passwords that were the easiest to crack, "123456" and "password" were the most commonly used passwords on the site. Due to a coding error, over 11 million passwords were eventually cracked. This is a serious problem regardless of any embarrassment, as too many people use the same password across different websites. If hackers know your username and password for one site, it's likely they'd be able to break into other sites you might use.
Individuals and organisations can guard against these problems and more by adhering to best practice in information governance.
Information governance, information security and data protection often sit under 'mandatory training'. Unfortunately, this is usually a byword for something you'll only get around to when you're sent the fifth and final reminder by the HR team.
Yet if high profile cases such as Ashley Madison can teach us anything, it's that information governance is increasingly important for our own security, our organisations and for patients.
Information governance refers to the management of information at an organisational level. It includes the following main items:
The Data Protection Act 1998 set out a standard to manage the processing of information which went beyond patient information to include data such as personnel information from organisations and suppliers. Although the focus has been on electronic information in recent years, the act also applies to all forms of media including images and any scribbled medical notes.
In health care, the outcomes from the act include staff ensuring patient confidentiality and keeping accurate, jargon-free case notes.
By contrast, the Freedom of Information Act 2000 allows the public access to information held by public authorities. Public authorities include the police, healthcare organisations like the NHS and local authorities. The Act covers any recorded information that is held by a public authority in the UK (with slightly different laws for Scotland).
Information Governance statement of knowledge:
Think you know your information governance? Have a quick scan through the questions below and see how many statements you can honestly agree with:
How did you do? If you already know your Caldicott principles, then well done! You're probably in the minority of the general public, however.
On a personal level, ignoring information governance best practice could lead to embarrassment, or to financial consequences, as your details could be shared by hackers across the world.
On an organisational level, the Information Commissioner's Office (ICO) can audit compliance with information governance procedures. Failure to adhere to stringent procedures could damage your organisation's reputation and how its competence is perceived.
Regardless of your organisation's size, it is therefore important that all staff apply the principles of information governance in their role. This may be as complex as ensuring data encryption or as simple as ensuring that confidential work information is not discussed on social media.