Quick tips for ensuring confidentiality in the use of technology

Technology 03/05/2019

Practitioners will be very aware of the current emphasis on privacy and security in communications and data arising, in part, from implementation of the GDPR. Here is a set of basic outline issues to keep in mind to protect client data and communications and to promote best practice in these areas. They are not intended as conclusive or comprehensive guidance, and practitioners should continue to keep themselves informed of emerging best practices in these areas.

Access controls

Access controls are the rules that govern an individual user’s access to, or access within, document-management systems and email systems. Practitioners should consider implementing the following access controls in relation to sensitive data in ‘highly-confidential’ files.

Access to files:

  • Should be siloed,
  • Should only be granted on a need-to-know basis, with appropriate approval, and
  • Should be managed by a nominated senior member of staff.

Where possible, access-control audits should be performed regularly (monthly/quarterly) to confirm that only authorised employees have access to these restricted files.
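One way to run the audit described above, as an added example that is not part of the original practice note: it compares an export of who currently has access to each restricted file against the register of need-to-know approvals. The CSV layouts, matter numbers, user names, the nominated approver's account name and the idea of an expiry date on each approval are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original note).
NOMINATED_APPROVER = "s.partner"  # hypothetical senior staff member

# Approval register: who may access which matter, who signed off, until when.
APPROVALS_CSV = """matter,user,approved_by,expires
M-1001,a.byrne,s.partner,2025-12-31
M-1001,c.doyle,s.partner,2025-03-31
M-1002,a.byrne,j.associate,2025-12-31
"""

# Export of actual access rights from the document-management system.
ACCESS_CSV = """matter,user
M-1001,a.byrne
M-1001,c.doyle
M-1001,e.flynn
M-1002,a.byrne
M-1002,a.byrne
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(access_rows, approval_rows, approver, today):
    """Return (matter, user, reason) for every access grant that fails the policy."""
    approvals = {(r["matter"], r["user"]): r for r in approval_rows}
    findings = []
    # De-duplicate the export so a repeated row yields a single finding.
    for key in sorted({(r["matter"], r["user"]) for r in access_rows}):
        rec = approvals.get(key)
        if rec is None:
            reason = "no approval on record"
        elif rec["approved_by"] != approver:
            reason = "approved by " + rec["approved_by"] + ", not the nominated approver"
        elif date.fromisoformat(rec["expires"]) < today:
            reason = "approval expired " + rec["expires"]
        else:
            continue  # access matches a valid, current approval
        findings.append((key[0], key[1], reason))
    return findings

if __name__ == "__main__":
    rows = audit(load(ACCESS_CSV), load(APPROVALS_CSV), NOMINATED_APPROVER, date(2025, 6, 30))
    for matter, user, reason in rows:
        print(f"{matter}  {user}: {reason}")
```

Each finding is a grant to remove or to re-approve through the nominated senior member of staff before the next audit cycle.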

Protection/encryption

Sensitive and confidential documents are often included as attachments to emails. One of the highest risks of data security breaches is emails being accidentally sent to the wrong individual. Auto-filling email addresses heightens this risk, and extra care is required when this feature is activated on your email server.

To mitigate the risks, all attachments should be encrypted, meaning the recipient would need a password to access them. Passwords must be sent in an out-of-band form (such as phone call, text message, or separate email).

Email

In addition, to avoid data breaches, extra security precautions need to be taken in relation to the content of emails:

  • Internal correspondence should be encrypted through use of ‘transport layer security’ (TLS). TLS is a cryptographic protocol that provides communications security over a computer network. TLS email encryption is an industry standard. For email to be secure, both ends (the sender and recipient/client) require TLS to be set up. Practitioners should ensure all clients have TLS set up and configured.
  • A practitioner should check with all existing and prospective clients to ensure they have TLS configured on their email servers.
  • External correspondence with attachments should have ‘highly confidential’ in the subject line.

Online file sharing

Online file-sharing services may not be secure enough for sensitive and confidential communications. All large files or data sets should be sent using applications that provide a number of security features, including:

  • Encryption,
  • Link-expiry settings,
  • Number of allowed downloads, and
  • Password protection.

(See also the Technology Committee practice note, ‘Free public file-sharing sites – not recommended,’ published in the Aug/Sept 2016 Gazette).

Outside the office

Data breaches may also occur when electronic devices (laptops and mobile phones) and removable storage devices (USBs) are lost or stolen.

It is recommended that practitioners implement a security policy for electronic devices. At a minimum, devices should be password protected and locked at all times when not in use. Practitioners should also consider multi-factor authentication.

It is also recommended that the use of USBs be denied by disabling USB ports.

‘Follow-you printing’

‘Follow-you printing’ ensures that physical print jobs are protected. Follow-you printing works by holding documents in a secure print server until the user authenticates themselves at a printer of their choice. This mitigates the risk of data loss, theft, and unauthorised disclosure, as print jobs can only be collected from the printer by the user who sent them.

Local administration access

Within firms, users should be required to use IT assistance to install new software on their devices. This is necessary, as it prevents unauthorised or malicious software being installed on computers and will stop any potential malware from running with administrator rights.

Desktop encryption

Data encryption is necessary to ensure information confidentiality and integrity. This is accomplished by preventing access to the data by anyone who does not hold the private key.

All mobile devices – including laptops, removable storage devices, mobile phones, etc – should be encrypted to ensure all data that is stored locally on desktop computers is secured from unauthorised disclosure.