COVID-19 has put data security under the spotlight like never before. Since the pandemic began, regulators have been relatively light-touch. Now, however, they are starting to push businesses towards operating effectively, meaning securely, in the current “new normal”.
Here is what you need to know in order to store your business's personal data safely.
You are responsible for the safety of data collected under track and trace
Even though track and trace is an emergency government program, it still works under standard data-protection laws. This means that you should collect only the required information and keep it, safely, only for as long as it is needed.
Track and trace requirements vary depending on where you are located. They are also subject to change, potentially at very short notice. It’s therefore advisable to check them regularly.
Safe data storage depends on safe data collection
COVID-19 appears to have brought a return to collecting people’s details on paper. This makes sense given that businesses needed to implement track and trace quickly and probably on a tight budget. Paper records are legal but they are not ideal for keeping data safe.
A potential compromise is to have customers enter their details on paper, then immediately scan/photograph the paper. Depending on the situation you might then be able to dispose of the original immediately or keep it in a safe place until you can dispose of it.
Keeping paper data safe, even for short periods, means keeping it away from environmental hazards, out of public sight and under close supervision. Ideally it should be locked away. Basically, treat it like cash.
Safe document disposal means cross-cut shredding
This might be one occasion when small businesses could just shred paper themselves. If you’re only collecting a small amount of data on unbound paper, then a small cross-cut shredder might be enough to do the job.
If you’re collecting larger quantities of data and/or using bound paper, then you probably want to use a third-party shredding service. This will not only get the job done but also provide you with written proof that the job has been done.
Digital data should be stored encrypted
If you are scanning/photographing documents, it’s advisable to convert the data into regular text form as soon as possible. In fact, it’s ideal if you can do it while the contact is still there. That way you can clear up any handwriting issues. Once this has been done, you can permanently delete the scanned image.
Text files can be stored online, offline or both, but they must be stored encrypted. There are plenty of ways to do this and to decrypt the data again if necessary. Encryption is the only way to ensure that stolen data remains unreadable to whoever took it.
Track and trace data should be deleted as soon as possible
You may want to create one track and trace file per day. This will make it easy to see what needs to be deleted on what date. It may also make it easier to find the right data if you are ever required to produce it.
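One way to automate the one-file-per-day deletion described above, as an added example that is not part of the original article. It assumes the daily files are already encrypted by a separate tool and named `trace-YYYY-MM-DD.txt.enc`; the function names are hypothetical and the 14-day retention period is a placeholder to replace with your local requirement.

```python
import re
from datetime import date, timedelta
from pathlib import Path

# Assumed naming scheme: one encrypted file per day, e.g. trace-2020-09-01.txt.enc
DAILY_FILE = re.compile(r"^trace-(\d{4}-\d{2}-\d{2})\.txt\.enc$")

def file_day(name):
    """Return the date encoded in a daily file name, or None if it is not one."""
    m = DAILY_FILE.match(name)
    if not m:
        return None
    try:
        return date.fromisoformat(m.group(1))
    except ValueError:  # well-formed pattern but impossible date, e.g. 2020-13-45
        return None

def expired_files(folder, retention_days, today):
    """List daily files dated more than retention_days before today."""
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for path in sorted(Path(folder).iterdir()):
        day = file_day(path.name)
        # Anything that is not a recognised daily file is left alone.
        if path.is_file() and day is not None and day < cutoff:
            expired.append(path)
    return expired

def purge(folder, retention_days, today=None, dry_run=True):
    """Delete expired daily files; return the names deleted (or that would be)."""
    today = today or date.today()
    expired = expired_files(folder, retention_days, today)
    if not dry_run:
        for path in expired:
            path.unlink()
    return [path.name for path in expired]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample files, not real data.
        for n in ("trace-2020-09-01.txt.enc", "trace-2020-09-20.txt.enc", "rota.xlsx"):
            (Path(tmp) / n).write_bytes(b"constructed sample")
        print(purge(tmp, retention_days=14, today=date(2020, 9, 25), dry_run=False))
```

Run it with `dry_run=True` first to see which files would go, then schedule it daily with `dry_run=False`.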