Tag Archives: Data Protection Policy

Data Protection Policy (M.M.O.) Removing the Means (Part 2)

Morrisons Employee checks out 100,000 staff record in latest insider breach

The Morrisons data leak should have focused all our minds on the dangers posed by the insider to our carefully crafted Data Protection Policy. The ex-employee who contrived to steal personal records relating to around 100,000 co-workers is now detained at Her Majesty’s pleasure. Morrisons are the subject of class actions and action from the ICO having lost personal details for their staff, in many cases the haul included bank details, addresses etc.

Here lies an important lesson in that it isn’t just customer data we need to protect, in fact from May 2018 GDPR requires us to safeguard and properly manage all Personally Identifiable Information. (PII)

Morrisons breach came about when an internal auditor with a grudge against the company, purposely leaked details of some 100,000 staff. Possiblyas an auditor the perpetrator may have had legitimate reason to have access to the areas that data was stolen from.

Putting Information Security by default & design at the centre of your data protection policy and processes

It is a worthwhile exercise to look at how our Data Protection Policy will help us identify areas of risk. Having identified problem areas we can reduce to a minimum the ability of any disaffected individual to cause damage to the company and other employees by abusing access to your network. The good news is much can be done.

Contrary to the Communist Manifesto which talks about putting the means of production into the hands of the workers, I want to remove some of “Means” of production from the hands of the workers, or at least put in place measures to ensure they are not abused.



Your Data Protection Policy will describe when and how Data minimisation, record anonymization, training and encryption will be deployed as they all have roles to play in this context. Also think about reporting and logging and the roles they can play in bringing malpractice to light.

Data minimisation is something we should be thinking about, especially with the advent of General Data Protection Regulation (GDPR) back in May 2018.

Privacy by design and default is a phrase used to describe the approach prescribed under GDPR. When we are looking at the data sets we hold that store personal data it is well to look at the type and quantity of data being collected and ask the question how much of it is truly necessary? The stock unconsidered answer is often all of it. But when you look critically it is often easy to see that not all the data is strictly required to fulfill the order or to complete the task.

By minimising data on individuals to that essential to carry out the task, often we are reducing the risk posed to the organisation and possibly even realising gains in terms of efficiency and storage.

Record anonymization is a strategy for making records anonymous while allowing related data to be processed. As an example of an application of Data Minimisation we will look at how it employed by a business based in Lapland.

The Lapland courier company puts a premium on Privacy

Santa Claus uses these processes extensively as part of the Data Protection Policy employed at the Elf workshops where Christmas toys are prepared. Santa is very conscious of the fact that children are a special category as stipulated under GDPR and so makes sure that data on individuals is not only minimised but where it is necessary to transmit data relating to orders between departments and outside contractors and suppliers, data anonymization is extensively practiced so that the only information that is passed is that needed to create the order.

In our example where a customer (Mr A N Customer : Customer Number 321xms) has asked for a personalised Christmas jumper, the only information passed to production are details of the personalisation and the Customer number 321xms so that the item can be related back to the customer when the item is ready for despatch.

By following this rule Santa has made sure that Personally Identifiable Data (PII) held in his Lapland HQ is not allowed to needlessly be replicated across the organisation and has reduced the risks associated with holding personal data simplifying the task of keeping it secure.

Encryption provides an additional layer of security as it addresses two further issues for Santa Claus, keeping data secure at rest by encrypting data bases and documents that need to be secured and encryption of data in transit when confidential or high risk data such as PII (Personally Identifiable Data) has to be shared or transmitted internally or to third parties.