How To: Deal with breaches of information security

1. Introduction

2. What is Information Security?

3. What are Breaches of Information Security?

4. Data Protection Act (DPA)

5. Specific Cases

6. Unauthorised access and browsing of personal/customer records

7. Level of Misconduct

8. Mitigation

9. Understanding the consequences of breaching information security policies

10. Information Security Scenario Matrix

11. Line Manager Action

Annex – Myth busting and useful links

1. Introduction

DWP employees handle sensitive information on a daily basis. All employees have security responsibilities and the Department expects everyone to conform to its policies on information security. These are detailed in:

  • the Standards of Behaviour policy,
  • the Electronic Media policy,
  • the Data Handling policy and within
  • the Information Security Portal;

Every employee must:

  • Take time to read, understand and rigidly stick to the Department’s policies and procedures on information security;
  • Protect personal or other sensitive information and make sure it is held securely;
  • Not use the Department’s information for any purpose other than for which it is intended, irrespective of whether it is security marked or not, or of a sensitive nature;
  • Not disclose the Department’s information to any person who does not have a legitimate business interest without authority;
  • Have a legitimate business reason and authorisation for looking at personal information on DWP systems;
  • Not contravene the rules for the official and personal use of the Department’s IT systems and
  • Protect passwords and smartcards and keep them separate

Ignorance does not normally amount to a reasonable defence and disciplinary action may be taken if these requirements are not followed. This guide does not replace the need to seek advice or refer to the Discipline policy and procedure.

2. What is Information Security?

Information security is ensuring that sensitive data is accessed only by those with the relevant authority and used only for legitimate business reasons. We must always:

  • Follow the rules for handling, accessing and processing customer and employee personal data, or the Department’s information;
  • Adhere to the processes and protocols for using Departmental computer systems, e-mail and internet and;
  • Ensure we know how to keep information safe and secure

3. What are Breaches of Information Security?

Breaches of information security include but are not restricted to:

  • Browsing your own computer or paper records without appropriate authorisation and a legitimate business reason
  • Browsing computer or paper records of friends, colleagues or customers without appropriate authorisation and a legitimate business reason
  • Data lost or compromised
  • Loss or theft of equipment containing Departmental data
  • Repeated incidents of lost smartcards
  • Using unencrypted memory sticks
  • Using customer or employee personal data or information without appropriate authorisation and a legitimate business reason
  • Disclosing customer or employee personal data or information without appropriate authorisation and a legitimate business reason
  • Disclosing computer passwords
  • Sending the Department’s information insecurely, outside the Department’s email security policy
  • Failing to keep information secure
  • Sending data or information to the wrong person or customer
  • Failure to password protect employee data sent electronically
  • Leaving smartcards unattended

4. Data Protection Act (DPA)

Under the DPA the Department (as data controller) is responsible for determining the purposes for which and the manner in which any personal data held for DWP purposes are to be processed. This means that the Department’s security and DPA policies must be applied rigorously to all customer/staff personal information which is being used for any DWP purposes.

If an employee acts in a personal capacity by deciding to process their own (legitimately accessed) personal information for their own purposes in their own time (albeit using DWP equipment) then the Department’s obligations under the DPA no longer apply to those actions. The employee is personally responsible for any privacy risks associated with using insecure networks and the Department accepts no liability.

Examples of such circumstances include:

  • A member of staff may choose to email a copy of their payslip outside of GSI - it is their own data. But a member of staff must not email someone else’s payslip outside of GSI.
  • A member of staff may choose to provide their own personal data over the internet (by email or on websites) to purchase goods or for other reasons.

5. Specific Cases

Misuse of the Internet, Intranet or E-mail

If a manager suspects that a member of staff is in breach of the Electronic Media Policy in their use of the Department’s email or internet access, and it is a case which is so serious the manager cannot deal with it themselves, they can make a request to Internal Investigations for an Electronic Investigation.

6. Unauthorised access and browsing of personal/customer records

Employees must not access or browse their own information, or those of friends, family or celebrities on the Department’s corporate systems e.g. CIS, LMS, JSAPS. The Department runs regular and effective scans to detect unauthorised access and the results are acted upon.

Unauthorised access and browsing of personal/customer records is a breach of Departmental policy and is treated as no less than serious or gross misconduct. Managers should take disciplinary action against employees who access records and information without a legitimate business reason and appropriate authorisation for doing so.

There is further information in the Information Security – Myth-Busting guide in the Annex.

7. Level of Misconduct

The level of the misconduct to apply for breaches of information security will depend on the full circumstances of the case.

Where information has been put at risk, disciplinary action must still be considered even if the breach was a simple mistake or lack of judgement. This is due to the potential consequences for the data owner and the Department’s reputation.

Minor misconduct action may be appropriate and proportionate where the following principles apply:

  • The incident does not constitute a criminal act (breach of the Data Protection Act alone does not constitute a criminal act);
  • The act is clearly a genuine error and completely accidental;
  • There is no malicious or suspicious intent;
  • There is no known harm or distress caused to any party;
  • There has been no reputational damage;
  • This is not a linking offence – the employee does not already have a live warning in place at the time this offence is identified that would warrant action under a higher level of misconduct

Examples of where misconduct may occur are contained in the Information Security Scenario Matrix below.

8. Mitigation

Mitigating circumstances are the events or factors beyond an individual’s wilful control that have some bearing on the offence. Mitigation should help explain or show that the individual had reason to act or behave in a particular way. Although mitigation can never undo the misconduct, it can be used to reduce the penalty. See How to assess the level of misconduct and decide a discipline penalty for further advice.

9. Understanding the consequences of breaching information security policies

Information security is important and breaches can result in dismissal. This table outlines a number of scenarios that represent the most common types of breaches within the business. It is not designed to cover every possible incident and should only be used as a guide to help support the thought process of decision making. Please note this tool does not replace the need to seek advice or to refer to relevant security policies and notices.

The DWP Discipline policy and procedures must be followed when taking disciplinary action. Before deciding on disciplinary action it is important to consider the circumstances of the case as a whole and any mitigation. Advice must always be sought from the Civil Service HR Casework team on disciplinary cases involving breaches of information security. The penalties mentioned here are for guidance only and you should refer to the disciplinary policy for a fuller indication of mitigation and what action to take. General advice can also be found in How to assess the level of misconduct and decide a discipline penalty.

10. Information Security Scenario Matrix

Each scenario below is set out as: Scenario / Level of misconduct / Possible outcome.

1. Browsing and unauthorised access to records

1.1 Scenario: An employee has authorisation to access personal data or information as part of their normal duties. They access records without legitimate business reasons and appropriate authorisation and use this information themselves (or on behalf of a third party) for personal gain, or to falsify claims for benefits.
Level of misconduct: Gross misconduct
Possible outcome:
  • Dismissal – would be the appropriate penalty in all cases where access to the data was used for inappropriate reasons. The only exception to this may be where an employee was acting under extreme duress – violence or threat of violence.

1.2 Scenario: An employee accesses or browses through multiple customer records, which may also include multiple accesses to their own record, or those of their family, friends or celebrities, without a legitimate business reason or appropriate authorisation. The access, browsing or searches may happen on the same day or over a period of time.
Level of misconduct: Gross misconduct. When determining the appropriate level of penalty, the manager will consider the motive of the employee in accessing the records, the amount of records accessed and any resulting impacts.
Possible outcome:
  • Dismissal – this will be appropriate if the manager believes the actions to be suspicious or malicious and / or the employee can provide no legitimate reason or reasonable justification for accessing the records.
  • Final Written Warning – this may be appropriate if the employee can provide some reasonable explanation as to why they may have accessed the records or some other relevant mitigation.

1.3 Scenario: An employee accesses or browses through customer data and records without legitimate business reasons or appropriate authorisation. This may also include accessing their own record, or those of their family, friends or celebrities. Unlike scenario 1.2, which involved multiple records, under this scenario the employee accessed only one record and there is no evidence or suspicion of misuse.
Level of misconduct: Serious misconduct. The manager will consider the intention of the employee in accessing the record and any mitigation presented to determine the most appropriate penalty.
Possible outcome:
  • Final Written Warning – this would normally be appropriate if the employee has no legitimate reason or reasonable justification for accessing the record.
  • First Written Warning – this may be appropriate if the employee can provide some reasonable explanation as to why they may have accessed the record or some other relevant mitigation.

1.4 Scenario: An employee is given an incorrect NINO by accident by a customer during a telephone conversation. The employee inadvertently accesses the wrong record.
Level of misconduct: Not appropriate. The employee was acting on the information provided to them by the customer. There was no intent to browse or access another customer’s records.
Possible outcome: No further action.

2. Sending E-mails

2.1 Scenario: An employee sends sensitive Departmental information to a recipient who is NOT a DWP Customer/Claimant or approved third party organisation. The recipient has no legitimate business need for the information and should not have access to it. DWP Policy does not allow this.
Level of misconduct: Gross misconduct. When determining the appropriate level of penalty, the manager will consider the motive of the employee when sending the data, the amount and nature of data that was sent, and any resulting impacts or potential impacts such as loss or harm to the data owner, complaints or embarrassment caused.
Possible outcome:
  • Dismissal – this would normally be appropriate only if the manager has good reason to believe that the employee’s intention to send the data was potentially suspicious / malicious, or the amount of data that was put at risk is particularly high or sensitive and / or has caused harm or significant embarrassment or a serious complaint.
  • Final Written Warning – this lower penalty would normally be appropriate if the manager had good reason to believe that, whilst disclosure to an unauthorised party resulted, the employee’s intention to send the data was for genuine business reasons and the impacts would not be significant.

2.2 Scenario:
  1) Unlike in 2.1 above, the recipient of the information IS a DWP customer/claimant or an approved third party organisation. They nevertheless DO NOT have a legitimate business need for the information and should not have access to it, or the nature or amount of information sent is outside of what is allowed in the Security policy.
  2) Cases where sensitive DWP information is intentionally sent to the employee’s own personal / home email, possibly to work on at home – i.e. even though the employee is sending the data or document to themselves, there is no policy in place to allow this type of data to be sent over the Internet without encryption.
Level of misconduct: Serious misconduct. The manager will consider the intention of the employee when sending the email, the amount and nature of data disclosed and any resulting impacts from the disclosure to determine what level of penalty would be most appropriate.
Possible outcome:
  • Final Written Warning – this would normally be appropriate where it was clear that the employee intended to send the data to a recipient that either had no legitimate reason to have that information or the information that was sent was outside of the policy provision. For example:
      • the employee is clearly aware there is attached data and makes reference to it or had to add the data to the email themselves and / or
      • the data that was sent was outside of the policy provision, i.e. may have contained bank details or held more data records than allowed, and / or
      • the email is clearly addressed in the body of the email to an inappropriate recipient; or
      • the employee sent the document/data to their personal email address for the purpose of working on it at home.
    If the manager believes there is any malicious or suspicious intent in any of the above, they will need to consider the act under Gross Misconduct.
  • First Written Warning – the manager would consider a First Written Warning only where they accept some other mitigation that may have impacted on the employee’s decision to send the data, for example it is clear that they genuinely mis-addressed the email and sent it in error to the wrong recipient, or if the nature or level of data disclosed was particularly low.

2.3 Scenario: An employee legitimately receives or has access to Departmental documents containing sensitive information and/or data. The employee sends these to a colleague or friend in DWP without authorisation. The recipient has no legitimate business interest in the information and should not have had access to it. The fact that the data has not been sent outside GSI does not negate the fact that information has been inappropriately and deliberately disclosed without authorisation.
Level of misconduct: Serious misconduct. The manager will consider the motive of the employee when sending the data, the nature and amount of the data that was sent and any other mitigation the employee presents when determining the level of misconduct.
Possible outcome:
  • Final Written Warning – this would normally be appropriate if the manager believes that the employee had no legitimate reason for sending the information.
  • First Written Warning – this would be appropriate only if the employee had a plausible (albeit possibly tenuous) reason for sending the information or the manager accepts some other mitigating circumstances.

2.4 Scenario: An employee is genuinely unaware that their email or attachment contains personal or sensitive data outside of what the security policy allows them to send, including where they reply to an e-mail from an external provider without noticing that the provider had embedded sensitive customer data within the e-mail. They therefore inadvertently send the unencrypted data outside GSI and there is no security policy in place to allow the email transmission. The disclosure has caused no significant harm, distress or reputational damage and it is not a linking offence. The act of sending the data was a genuine error.
Level of misconduct: Minor misconduct. In order to consider minor misconduct the manager will need to decide whether it is reasonable to accept that the employee did not know that there was data included in the email. If the data was easily visible in the email or attachment, and therefore it is clear that the employee took no real precautions to check the email before sending it, then the manager should consider the act as Serious misconduct in line with example 2.2.
Possible outcome:
  • First Written Warning – this would apply in most cases and is the minimum level of penalty when a security breach has occurred. Therefore this would be appropriate where the manager believes it is reasonable to accept that the employee did not know that inappropriate data was included in the email they sent, for example where the data was in a separate tab or hidden column, or was embedded in an additional attachment or at the bottom of a very long email chain.

2.5 Scenario: An employee is unaware that their email or the attachment contains personal or sensitive information. Because they work in a part of DWP which requires use of the ‘emailblock’ tag in email signatures, when they press ‘send’, they receive the standard warning message that their e-mail has been blocked.