Safeguarding the data of donors and users

All organisations have to ensure the data they collect is secure, but charities often deal with particularly sensitive information. Mathew Little looks at how they can protect themselves

IT security
IT security

In May, the importance of data security for charities was starkly illustrated. The Information Commissioner's Office publicly rebuked two charities - Asperger's Children and Carers Together, which is based in Sheffield, and the Nottingham-based Wheelbase Motor Project - for breaching the Data Protection Act.

In both cases, laptops containing personal information about young clients had been stolen. The information had not been encrypted and turned into unintelligible code. Both charities signed agreements with the watchdog to ensure that in future personal data would be encrypted.

Like all other organisations, charities have to comply with the Data Protection Act. This means they should collect information for a specific reason only, keep it secure and destroy it when it is no longer needed. They must also allow the subject of that information to see it if they ask to.

There are usually two types of data that charities have to keep secure. The first is personal details about beneficiaries. In the case of Asperger's Children and Carers Together, personal information about 80 children, including their addresses, dates of birth and the medication they took, was lost when a laptop was stolen from the home of an employee.

The other kind is the credit or debit card details of donors. One method of donating - electronically through a charity's website - has grown exponentially in the past decade.

"The details of people who are supporting your charity with donations are perhaps the most precious data for any organisation," says Martyn Croft, chief information officer at the Salvation Army.

The ways in which data can leak out are myriad, and often maddeningly simple. The ICO warns that data can go astray because email software often suggests addresses when an email address is being typed in, so the wrong one can easily be selected by mistake.

"People don't realise that if you send information by email then it's like you are writing it on the back of a postcard and chucking it out into the street," says Croft.

Laptops can be lost or stolen; data can be copied onto USB sticks, which are then mislaid. Charity websites can also become victims of hackers seeking credit and debit card information. Banks have tightened up web security, so there are fears that fraudsters are now targeting charities instead.

"The people who want to hack credit details on sites aren't going to stand back because you are a charity," says Brian Shorten, risk and security manager at Cancer Research UK. "And as banks increase their security, hackers are going to go for the next easiest targets - charities."

How can charities protect themselves? One obvious way is by raising awareness among employees of the importance of preserving data confidentiality. "A lot of incidents can be attributed to well-meaning users doing the wrong things through habit or misunderstanding," says David Roberts, director of finance and corporate services at the NSPCC. "Cultural change is a massive part of improving this."

There are also simple ways to safeguard information. Encrypting is one and is, in any case, demanded by the ICO. It means that, if a laptop is lost or stolen, the chance of data being lost is dramatically reduced. And email scanning systems can prevent data being sent out of the organisation.

But some charities have concluded that cultural change is not sufficient. At the Salvation Army, data now resides in only one central server. PCs and laptops for staff have been replaced by 'thin-client' devices that give users a Windows desktop, but no personal data to store. Nothing can be saved on the device, not even Word documents. CRUK, similarly, has replaced desktop PCs with thin-client devices. The charity is also issuing fewer laptops, which can store personal data, to staff.

"The trick for me is that you have to make it easy to do the right thing," says Croft. "If you make it difficult for people to copy data onto a laptop, then you've increased your security."

The security of donor payment details on charity websites is another concern. Websites need to be secure, even if they receive only five debit card donations a year. Shorten, who is responsible for the security of CRUK's websites, recommends that charities carry out vulnerability tests of their websites.

He says that the coding for websites - the process used to construct them - should be written by a person experienced and competent enough to create a secure site.

For small charities, data security might be one responsibility among many others for a single individual in the organisation. The Charities Security Forum - co-founded by Shorten and Croft - has set up a mentoring scheme to increase awareness of data security in an often over-burdened sector. Members are able to ask for advice and assistance from others in the sector. So far, 125 charities have joined.

Croft says it is vital that charities make sure data does not wander, no matter how tricky that task is. "It's like herding cats - you have to be pretty sure how you keep them all together," he says.

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Register
Already registered?
Sign in

Before commenting please read our rules for commenting on articles.

If you see a comment you find offensive, you can flag it as inappropriate. In the top right-hand corner of an individual comment, you will see 'flag as inappropriate'. Clicking this prompts us to review the comment. For further information see our rules for commenting on articles.

comments powered by Disqus