The Importance of Effective Policies and Training in Data Protection: Lessons from a Scottish Hospital Breach

I recently had the chance to visit with Jonathan Armstrong about a data breach that occurred at the health service provider NHS Lanarkshire (Scotland) during the COVID-19 pandemic. This breach serves as a stark reminder of the challenges organizations face in maintaining data protection and compliance, especially where consumer messaging platforms like WhatsApp are concerned. In this blog post we explore the lessons learned from this incident and offer practical advice for organizations seeking to ensure robust data protection measures.

Background

According to the Cordery Compliance Client Alert on the matter, over a two-year period between 2020 and 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group containing a minimum of 533 entries that included patient names. The information included 215 phone numbers, 96 dates of birth and 28 addresses. Also shared were 15 images, 3 videos and 4 screenshots that included personal data of patients and clinical information, which is “special category” health data under both EU and UK law. Other data was also added to the WhatsApp group in error, and other communications were identified where the staff in question had used WhatsApp.

WhatsApp was not approved by NHS Lanarkshire for processing patients’ personal data. Its use was an approach adopted by the staff, apparently without organizational knowledge, as a substitute for communications that would previously have taken place in the clinical office but no longer did once staff reduced office attendance during the COVID-19 pandemic. Because WhatsApp had never been approved for sharing personal data relating to patients, no Data Protection Impact Assessment was in place and no risk assessment relating to the processing of personal data had been completed for it. NHS Lanarkshire undertook an internal investigation and reported the matter to the ICO.

ICO Holding

The UK ICO determined that NHS Lanarkshire did not have the appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. Additionally, there were a number of infringements of UK GDPR, not least the failure to implement appropriate technical and organizational measures (TOMs) to ensure the security of the personal data involved; as a consequence, personal data was shared via an unauthorized means and an inappropriate disclosure occurred. There was also a failure to report the matter to the ICO as a data breach within the required time.

Armstrong noted that ICO recommended that NHS Lanarkshire should take action to ensure their compliance with data protection law, including:

  1. Considering implementing a secure clinical image transfer system, as part of NHS Lanarkshire’s exploration regarding the storage of images and videos within a care setting;
  2. Before deploying new apps, consideration of the risks relating to personal data and including the requirement to assess and mitigate these risks in any approval process;
  3. Ensuring that explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed;
  4. Reviewing all organizational policies and procedures relevant to this matter and amending them where appropriate; and,
  5. Ensuring that all staff are aware of their responsibilities to report personal data breaches internally without delay to the relevant team.

Armstrong concluded that “In light of the remedial steps and mitigating factors the ICO issued an official reprimand – a fine has not yet been imposed. The ICO also asked NHS Lanarkshire to provide an update of actions taken within six months of the reprimand being issued.”

Discussion

This case highlights the challenges organizations face when it comes to communication during internal investigations. In many instances, as one organization discovered, the most interesting documents are not found in emails: employees often turn to alternative platforms like WhatsApp to avoid leaving a paper trail. However, it is crucial to understand that these platforms may not provide the expected privacy and security.

While platforms like WhatsApp may seem secure, they still share data with big tech companies, raising concerns about privacy. Organizations must adapt to the preferences of digital-native employees who may find email restrictive and opt for alternative communication methods. However, this adaptation should be done consciously, ensuring that policies and procedures are in place to protect sensitive information. Armstrong emphasizes the importance of revisiting emergency measures implemented during the pandemic. As remote work continues, organizations must conduct thorough data protection impact assessments to ensure compliance across all communication platforms and measures.

As with all types of compliance, setting policies and procedures is just the first step. It is essential to communicate and educate employees on these policies to ensure their understanding and compliance. Annual online training sessions are not enough; organizations should provide engaging training that goes beyond passive learning. In addition to targeted and effective training, there must be ongoing communication with employees. Armstrong also remarked on the ineffectiveness of off-the-shelf online phishing training. Waiting for an incident to occur and then providing training is not enough to prevent people from clicking on malicious links. Organizations should focus on providing better training before incidents happen, rather than trying to enhance training afterwards.

The next step is monitoring: compliance with policies and procedures should be actively monitored. Technical solutions are available to help companies track compliance, but it’s crucial to involve individuals at all levels of the organization when designing these policies. Additionally, a balanced approach is needed, where employees are recognized for their service but also held accountable for policy breaches. The days of relying solely on punishment for enforcement are gone.

The data breach in the Scottish hospital serves as a wake-up call for organizations to prioritize data protection and compliance. Communication challenges during internal investigations, privacy concerns associated with alternative platforms, and the need for effective policies and training are crucial areas to address. By conducting regular data protection impact assessments, providing engaging training, and ensuring buy-in from employees, organizations can strengthen their defense against cyber threats and protect sensitive information. Always remember that compliance is an ongoing process, and continuous evaluation and improvement are necessary to adapt to the evolving digital landscape. Finally, stay vigilant and proactive in safeguarding data privacy and protection.

Daily Compliance News: September 5, 2023 – The Pig-Butchering Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest for the compliance professional.

  • US sanctions Russian company for selling rockets to North Korea. (WSJ)
  • Pig-butchering and crypto. (WSJ)
  • Using AI to improve workplace safety. (WSJ)
  • Do you need to know? (WSJ)

SEC Adopts Robust New Cybersecurity Disclosure Rules

In this episode of Corruption, Crime and Compliance, Michael Volkov delves into the SEC’s groundbreaking adoption of robust cybersecurity disclosure rules. This pivotal change marks a significant shift in the compliance landscape, requiring public companies to not only disclose cybersecurity incidents but also unveil their governance policies and practices. 

You’ll hear him discuss:

  • The SEC’s adoption of new cybersecurity disclosure rules, a process spanning over a year, comes as a transformative step in the regulatory landscape.
  • One of the most noteworthy changes is the requirement for companies to file Form 8-K to disclose material cybersecurity incidents within four business days of determining materiality. 
  • This significant change allows for a more measured assessment of materiality before disclosure, a departure from the previous trigger of four days from becoming aware of the incident.
  • Alongside incident disclosure, the new rules mandate that all public companies include comprehensive cybersecurity risk management and governance disclosures in their annual Form 10-K filings. This move underscores the necessity for companies to integrate cybersecurity into their broader enterprise risk management processes.
  • Companies are required to disclose the board committees or subcommittees responsible for cybersecurity oversight, outlining their processes for monitoring cybersecurity risks and reporting incidents.
  • The reach of these rules extends to third-party information systems, including those of vendors and suppliers. This amplifies the importance of thorough due diligence in assessing the information security systems and risks of external partners.

KEY QUOTES:

“You can’t just sit on an incident and not make a determination, analyze it, and delay, delay as a way to avoid that materiality determination.” – Michael Volkov

“The SEC expects companies to analyze qualitative factors when assessing materiality, including harm to reputation, customer and vendor supply relationships, and the impact of regulatory actions and civil litigation.” – Michael Volkov

“Additionally, companies have to go even more comprehensive in their disclosures to … describe management procedures and practices for assessing and mitigating cybersecurity risks.” – Michael Volkov

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Sunday Book Review: September 3, 2023 – The Books for Labor Day Edition

In the Sunday Book Review, I consider books that would interest the compliance professional, the business executive or anyone who might be curious. It could be books about business, compliance, history, leadership, current events or anything else that might interest me. In today’s edition of the Sunday Book Review, I continue my summer exploration of books on crime. Today, I look at some of the top books on auditing, both for the audit professional and the compliance professional.

  • A History of America in 10 Strikes by Erik Loomis
  • From the Folks Who Brought You This Weekend by Priscilla Murolo and A.B. Chitty
  • Stayin’ Alive by Jefferson Cowie
  • Working by Studs Terkel

Kerrville Weekly News Roundup: September 2, 2023

Welcome to the Kerrville Weekly News Roundup. Each week, veteran podcaster Tom Fox and his colleagues Andrew Gay and Gilbert Paiz get together to go over a couple of their favorite stories from the past week from Kerrville and the greater Hill Country. Sit back, enjoy a cup of morning coffee and listen in to get a wrap-up of the Kerrville Weekly News. We each consider two of our favorite stories and talk about the upcoming weekend’s events which we will enjoy or participate in this weekend.

In this episode, Tom, Gilbert and Andrew discuss the following stories which caught their attention over the past week.

  • Tom discusses the resignation of the Kerrville Tax Assessor-Collector as head of Kerr County elections, due to Kerr County moving to hand counting of ballots, and the lack of a county budget vote by the County Commissioners. Tom also talks about the Labor Day Walk for the Kerrville Nature Center. Andrew shouts out the upcoming Sept. 11 Stairmasters Challenge to honor those who died on 9/11.
  • Andrew discusses the Kerr County Area Youth Leadership Academy, for which time is short to apply, and the Texas Hill Country Astronomers’ upcoming meeting.
  • Gilbert discusses difficulties in county water rationing. He also mentions the State of Texas site to reclaim lost or unused property, and talks about the Saturday swap event at the Youth Center.

Resources

Tom Fox on LinkedIn

Gilbert Paiz on LinkedIn

Andrew Gay on LinkedIn

Texas Hill Country Podcast Network

10 For 10: Top Compliance Stories For the Week Ending September 2, 2023

Welcome to 10 For 10, the podcast which brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

  • 280K Euros seized from MEP son’s apartment. (TVP World)
  • Businesses need Chinese predictability. (NYT)
  • Gensler unleashes regulatory blitz. (FT)
  • Goldman sanctioned for ephemeral messaging compliance failures. (WSJ)
  • China crackdown rips through health care industry corruption. (FT)
  • Switzerland unveils money-laundering crackdown. (FT)
  • 3M settles FCPA action. (WSJ)
  • Imprisoned Kazakh tycoon may be released. (RFE/RL)
  • Do you really need incentives to operate safely? (Reuters)

You can check out the Daily Compliance News for four curated compliance and ethics related stories each day, here.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Mind Over Matter: Brain Health and Well-Being in Modern Workspaces with Lisa Marree

In today’s fast-paced world, where work-life balance often feels like an elusive dream, mindfulness emerges as a beacon of hope. In this episode of Career Can Do, Mary Ann Faremouth welcomes guest Lisa Marree to discover the transformative power of mindfulness, especially in the context of the modern work environment. An author, researcher, and health visionary, Lisa has dedicated her life to helping corporate leaders, heart-centered entrepreneurs, and professionals harness their potential by developing a fortified mindset. Lisa and Mary Ann explore the nuanced relationship between brain health and mental well-being, and why it’s crucial to focus on the former to achieve the latter.

Lisa shares her incredible journey of resilience and inspiration. As an abused child, her innate curiosity about the human brain’s capacity for change drove her from Western medicine to holistic health and neuroscience. This transition underscores the deep interconnection between physical and mental well-being and highlights the potential within us all to reinvent ourselves. 

The brain, our biological supercomputer, is central to our mental well-being. Focusing on brain health is not just about discussing mental health and illness, Lisa points out. Instead, it’s about understanding how our mind functions and the steps we can take to nourish it. By optimizing our brain’s health, we inadvertently boost our mental resilience and overall happiness. 

In a world inundated with information and digital distractions, it is more important than ever to be mindful. Lisa discusses how basic techniques such as breath work and gratitude can help us avoid digital dementia and information overload. If we integrate these practices into our workplaces, we can improve communication, foster collaboration, and develop better leadership skills. The new world of work requires more than just professional expertise. Lisa emphasizes the value of self-reflection, setting tangible goals, and cultivating a spirit of curiosity. These traits, combined with a mindful approach, can help us find a harmonious balance between our personal and professional lives, leading to unprecedented levels of success and fulfillment.

Resources

Lisa Marree on the Web | LinkedIn

Faremouth.com

Hill Country Artists Podcast: Holly White-Gehrt – From Observing Nature to Teaching Classical Realism

Delve into the heart of the Texas Hill Country with “Hill Country Canvas,” a podcast that paints the vibrant tapestry of art rooted in this iconic region. From the sun-drenched limestone cliffs to the serene Guadalupe River, the Hill Country has been a muse for countless artists, providing a unique backdrop for creativity to flourish. In each episode, we uncover the stories behind the area’s most captivating artworks, converse with local artists about their inspirations, and explore the fusion of Texan traditions with contemporary artistic expressions.

Welcome to this episode of the Hill Country Artists Podcast, hosted by Tom Fox. In this episode, we had the pleasure of chatting with the talented artist Holly White-Gehrt. Holly’s passion for nature and observation shines through her representational and observational art. Today, we delve into her artistic journey, her love for teaching, and the unique experience offered by the Hill Country Atelier. So grab a cup of coffee and join us as we explore the world of art and nature!

One of the highlights of our conversation with Holly was her involvement with the Hill Country Atelier. This workshop and art studio aims to reintroduce certain skills, such as drawing, that have been overlooked in modern art education. Holly teaches classical realism at the Atelier, attracting students from Kerrville, San Antonio, Fredericksburg, Medina, and even Concan. It’s incredible to see the passion for art spreading across the Hill Country!

In a world where modernism has often overshadowed traditional art skills, atelier training offers a refreshing approach. Holly, through the Hill Country Atelier, not only imparts technical skills but also emphasizes the importance of truly seeing and having a passion for art. This comprehensive training equips students with skills that are not typically taught in colleges and universities, such as the art of drawing. Holly shares a personal story about starting over and spending four years at the Georgetown and Aristides Ateliers in Seattle. It’s a testament to the dedication and commitment required to master these timeless skills. Her primary subject is the figure, meaning people and portraits. She also does still life.

Holly shared some exciting news about the expansion of the Atelier program and its move into a new space in downtown Kerrville. Situated near the water, this serene and beautiful environment is sure to inspire creativity and provide an ideal setting for artistic exploration. We can’t wait to see the incredible art that will emerge from this new space!

Kerrville and the Hill Country boast a vibrant art scene, with many talented artists showcasing their work. Holly, along with some of her students, has held shows at the local arts foundation. This thriving community offers a platform for artists of all backgrounds to express their creativity and share their passion with the world. It’s truly inspiring to witness the artistic energy that flows through these picturesque landscapes.

Holly’s journey from studying anthropology to obtaining an art degree from the Pacific Northwest College of Art in Portland is a testament to her unwavering passion for art. After working at Intel, Holly decided to pursue her artistic endeavors full-time. Her love for nature and observation shines through her representational art, capturing the beauty and intricacies of the world around us. With her studio located in Kerrville, Holly creates art that moves her and occasionally takes commissions.

During our conversation, Holly emphasized the importance of art for young children and teenagers. Encouraging young children to explore art allows them to tap into their creativity and develop a love for self-expression. As teenagers, they can delve deeper into more disciplined art forms, honing their skills and discovering their artistic voice. Art is a powerful tool for personal growth and development, and Holly’s passion for teaching shines through as she shares this invaluable advice.

Our conversation with Holly White-Gehrt was truly enlightening, showcasing her passion for art and nature. Through the Hill Country Atelier, Holly and her students are reviving traditional art skills and creating a thriving art scene in Kerrville and the Hill Country. Whether you’re a seasoned artist or just starting your artistic journey, the intersection of art and nature offers endless possibilities for self-expression and growth. So go out there, explore, and let your creativity flow!

Always remember that art requires not just the mind, but also the heart and soul. Embrace your passion, embrace the beauty of nature, and let your art tell your story.

Resources

Holly White-Gehrt

Hill Country Atelier

Holly White-Gehrt on LinkedIn

2 Gurus Talk Compliance – Episode 12 – Speaking Up is Awesome Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of compliance topics, including a visit by a Florida man.

In the world of business, compliance and investigation protocols play a crucial role in ensuring fairness, consistency, and institutional justice. Organizations need to establish robust frameworks to handle incidents effectively and mitigate risks. In this episode of 2 Gurus Talk Compliance, we discuss several key factors impacting the enhancement of compliance and investigation protocols for organizations, including the need for standardization and rigor in investigation protocols, a perspective rooted in Tom’s belief in the importance of a culture of compliance within organizations. Kristy takes the lead in highlighting the value of consistency and standards in investigation protocols for ensuring institutional justice and fairness. Join them as they delve deeper into this topic on this episode of the 2 Gurus Talk Compliance podcast.

Highlights Include:

  1. ISO standards for internal investigations. (FCPA Blog)
  2. Tom releases a new book. (Amazon)
  3. The Spanish Kiss. (ESPN)
  4. How to develop a culture of compliance. (Compliance and Enforcement Blog)
  5. The first 100 days. (CCI)
  6. Has China outlawed due diligence? (FCPA Blog)
  7. 3M Settles U.S. Probe Over Tourist Trips for China Officials (FCPA Blog)
  8. You Can Now Make ChatGPT Work Specifically for Your Company. Here’s How (Inc.)
  9. You’ve Heard of Quiet Quitting. Now Companies are Quiet Cutting (WSJ)
  10. Fentanyl found in cookie jar during a traffic stop in Florida, man arrested (WFLA Florida)

Resources

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Compliance and AI – Jonathan Armstrong on Unleashing Generative AI: Privacy, Copyright, and Compliance

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These questions are but three of the many questions we will explore in this exciting new podcast series, Compliance and AI. Hosted by Tom Fox, the award-winning Voice of Compliance, this podcast will look at how AI will impact compliance programs into the next decade and beyond. If you want to find out why the future is now, join Tom Fox on this journey to the frontiers of AI.

Welcome back to another exciting episode of our podcast, where we delve into the fascinating world of compliance and artificial intelligence (AI). Today I am joined by Jonathan Armstrong from Cordery Compliance to discuss how regulators in the EU are looking at AI.

Regulators in the EU are taking action to address the use of artificial intelligence (AI) and generative AI. A recent case involving Google’s AI tool, Bard, being temporarily suspended in the EU highlights the need for regulation and compliance in this rapidly evolving field. Concerns are raised about data and privacy, as generative AI uses large amounts of data, potentially infringing copyright and processing individuals’ data without consent. It is crucial for organizations to conduct data protection impact assessments and consider GDPR obligations. Transparency and consent are also key, with Zoom’s data practices being questioned in terms of transparency and obtaining user consent. The conversation emphasizes the potential legal and financial consequences organizations face for non-compliance.

Remember, compliance professionals are the co-pilots of our businesses, guiding us through the complexities of the AI revolution. Let’s not wait too long between podcasts and continue this journey together!

Key Highlights

  • Concerns with Bard
  • Regulators’ Actions on AI
  • Concerns over Data and Privacy in Generative AI
  • Transparency and Consent in Zoom’s Data Practices

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News section. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR compliance, by clicking here.

Connect with Jonathan Armstrong

  • Twitter
  • LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn