How to Protect Sensitive Personal Information
The National Cyber Security Centre (NCSC) has published new guidance to help businesses identify and protect against the risks of holding sensitive personal information.
The guidance can help you to understand what sensitive personal information is and identify any that your business holds. It also provides some principles that, if applied, can reduce risks from holding that data.
Here’s a brief review of the guidance.
What is Sensitive Personal Information?
NCSC explains that there is no formal definition of sensitive personal information (SPI). Instead, it asks you to consider the risks that arise from sensitivities in the information you hold about individuals: would a compromise of that information increase the risk of harm, harassment or prejudice to the individual?
Examples might include an individual’s profession, a characteristic of their personal life, or their status.
Assessing the Risks
The guidance advises that the severity of the impact that could arise from misuse of the data should determine how strong your protections need to be. NCSC cover a few questions that can help you make that assessment.
Nine Principles
NCSC provide nine principles that can help protect SPI as well as some example measures you can use. The principles are:
- Understand what data you have and the risks to it.
- Ensure only appropriate access to sensitive data.
- Ensure you know who is accessing data which contains SPI.
- Make sure access to sensitive data cannot be misused.
- Avoid putting too much sensitive data together.
- When merging data, check if SPI becomes exposed.
- When sharing data, check if SPI becomes exposed.
- Ensure that the records of individuals with SPI do not appear to be stored, processed or handled differently to those without such sensitive data.
- Keep access controls to SPI separate from routine data access controls.
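Several of these principles translate directly into how a record store is built. The following is an added example, not code from NCSC or its guidance: it keeps SPI in a store with its own access control list (principles 2 and 9), records who read SPI, when and for what stated purpose (principles 3 and 4), applies a blunt per-user read limit against bulk harvesting (principle 4), and returns the same response shape for every record to a role without SPI rights, so the response never reveals whether an individual has SPI on file (principle 8). All record identifiers, roles, purposes and field values are constructed for illustration.

```python
"""Added illustration of the NCSC principles above; not NCSC's code.
All identifiers, roles, purposes and sample values are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

# Routine data and SPI are held in separate stores keyed by the same record id,
# each behind its own ACL (principle 9) so SPI is not piled in with routine data.
ROUTINE = {
    "rec-001": {"name": "A. Example", "email": "a@example.invalid"},
    "rec-002": {"name": "B. Example", "email": "b@example.invalid"},
}
SPI = {  # constructed sample: only rec-001 has an SPI attribute
    "rec-001": {"health_status": "long-term condition"},
}

ROUTINE_ACL = {"helpdesk": {"read"}, "case_worker": {"read"}}
SPI_ACL = {"case_worker": {"read"}}          # independent of ROUTINE_ACL (principle 9)
VALID_PURPOSES = {"open_case", "subject_access_request"}   # assumed approved reasons
SPI_READ_LIMIT = 5                             # per user; guard against bulk harvesting

AUDIT_LOG = []                                 # who accessed SPI, when and why (principle 3)
_spi_reads = defaultdict(int)


class AccessDenied(Exception):
    pass


def _audit(user, role, record_id, purpose, spi_keys):
    """Log the SPI field names returned, never the values themselves."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "record": record_id,
        "purpose": purpose, "spi_fields": sorted(spi_keys),
    })


def get_record(user, role, record_id, purpose=None):
    """Return the view of a record that this role is allowed to see.

    A role without SPI rights gets an identical shape for every record, so the
    caller cannot tell whether SPI exists for this individual (principle 8).
    SPI-capable roles must state an approved purpose, are rate limited and are
    logged (principles 3 and 4).
    """
    if "read" not in ROUTINE_ACL.get(role, set()):
        raise AccessDenied("no routine access")
    if record_id not in ROUTINE:
        raise KeyError(record_id)
    result = dict(ROUTINE[record_id])
    if "read" not in SPI_ACL.get(role, set()):
        return result                          # same keys for rec-001 and rec-002
    if purpose not in VALID_PURPOSES:
        raise AccessDenied("SPI access requires an approved purpose")
    if _spi_reads[user] >= SPI_READ_LIMIT:
        raise AccessDenied("SPI read limit reached; escalate for bulk access")
    _spi_reads[user] += 1
    spi = SPI.get(record_id, {})               # empty for records without SPI
    _audit(user, role, record_id, purpose, spi.keys())
    result.update(spi)
    return result


def access_outcome(user, role, record_id, purpose=None):
    """Scripting helper: sorted field names on success, or 'denied:<reason>'."""
    try:
        return sorted(get_record(user, role, record_id, purpose))
    except AccessDenied as exc:
        return f"denied:{exc}"


def spi_access_report(user):
    """Count of audited reads by this user that actually returned SPI fields."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user and e["spi_fields"])


if __name__ == "__main__":
    print(access_outcome("h1", "helpdesk", "rec-001"))
    print(access_outcome("c1", "case_worker", "rec-001"))
    print(access_outcome("c1", "case_worker", "rec-001", "open_case"))
    print(AUDIT_LOG)
```

The separation matters in practice: a helpdesk account compromised by an attacker yields the same two fields for every record, and an auditor reviewing AUDIT_LOG can answer "who looked at this individual's SPI, and why" without the log itself becoming a second copy of the sensitive values.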
Final Thoughts
A data breach can have serious consequences for a business, and particularly so when the business holds sensitive personal information about individuals.
Besides fines and penalties from the Information Commissioner’s Office, there is the loss of customer trust, disruption to business operations, the cost of recovery and potential legal claims from the customers or clients whose data was compromised.
If you hold sensitive personal information in your business, reviewing NCSC’s new guidance could be well worth your time.