The recent news O2/IBM has misplaced a data tape containing unencrypted personal data just emphasises to me the need to have a secure chain of custody for our data and records. This means ensuring that when records are passed from one custodian to another across an end-to-end process, we have secure hand-offs and an audit trail that captures critical characteristics of each hand-off. Whilst this provides no guarantees that records will not be lost, I think it puts more focus on the hand-offs and as a result improves the robustness of the overall process.
Of course, the other aspect of this story is why unencrypted data tapes are being used for personal data. So, why don’t we take a look at our own records management chain of custody? Are there appropriate security mechanisms in place? When you hand over data tapes to your off-site provider, what security processes are in place at hand-over, during transit, and at the storage location? Is there compliance with pertinent data security standards, for example ISo 27001 ‘Information Security Management’. And have you considered the need for data encryption before hand-off to a third party?