As a software company that makes consultation tools for government and public bodies, it’s our responsibility to be extra mindful of data security.
We thought it might be useful to share some advice on good habits you can adopt to improve your everyday data security.
1. Remember that sending a regular, unencrypted email is like sending a postcard
Every time you send an unencrypted email, its contents could potentially be intercepted and read by anyone. If you’re going to say something in an email that you wouldn’t want other people to see, you should reconsider whether email is the most appropriate medium for communicating that information.
For example, when providing a password, always share it over the phone or in person rather than putting it in an email.
2. Password-protect files containing sensitive information
Since the contents of an unencrypted email can be intercepted, the same applies to any files attached to it. If you plan to send files containing sensitive data – such as a spreadsheet of consultation responses – via email, you should always password-protect the file and provide the password separately (again, over the phone or in person).
Similarly, if you’re saving a file containing sensitive information on an internal network that everyone in your organisation has access to, you should again consider password-protecting the file and only sharing the password with team members who require access to the data to carry out their work.
3. Save a clean copy of your response data somewhere secure
When working with and analysing response data outside of Citizen Space, there’s always a risk that someone could end up inadvertently altering the data. It’s good practice to save a “clean”, unchanged copy in a secure place on your system so that you have a master copy to refer back to if you need to. You will always have a clean copy in your Citizen Space site as well if you need to re-export the data.
4. Even filenames can leak sensitive information
If you named a file “20171220 Joe Bloggs consultation response” and sent it via email or saved it on a public network, you would risk revealing Personally Identifiable Information (PII) as the respondent’s name could potentially be seen by those without permission to see it.
5. Delete data when it’s no longer required
It’s worth finding out what your organisation’s policy is on storing data and how long you may need to keep it for. If you’re sure you no longer need to keep a set of data or refer back to it in the future, the safest and best practice approach is to delete it from where it is being stored.
However, only delete consultations in Citizen Space if you’re sure no-one from your organisation needs access to the data any more, as once they’re gone they’re gone.
6. Consider best practice advice when choosing a secure password
+ Resist the temptation to choose one of the ‘usual suspects’ or a variation on them (we’re looking at you, “Password1”)
+ Don’t choose a password that’s the name of the file you’re password protecting or service you’re using
+ Don’t use the same password for more than one log-in
There's a lot of advice around passwords, and some password policies can actually be detrimental to security. Constantly requiring passwords to be updated may be a good test of everyone's memory, but in reality it means passwords get re-used or changed so slightly as to be meaningless in security terms. The NCSC's* guidance on simplifying the process around password security offers some sound advice and comes from a trusted source.
7. Use a reputable “password manager” tool to store your passwords
Never write your passwords down, and especially don’t write passwords down on a post-it note stuck to your computer screen. Using a high-quality password manager to store passwords is a good way of ensuring you can set robust, unique passwords for all your log-ins without also requiring you to have a superhuman memory.
8. Switch off any autofill settings for log-in details
Many Internet browsers try to be helpful by offering to “remember” log-in details for different sites on your behalf. We’d recommend disabling this setting, just in case anyone other than you tries to use your computer/device.
9. Never leave your computer/device logged in and unattended
If you have to move away from your computer, get into the habit of always locking the screen so that no-one can see or gain access to anything they shouldn’t.
10. Discourage team members from sharing log-in details
Log-in details and passwords are there for a reason, so if someone needs to use a site or system and isn’t already registered, we'd recommend setting them up with their own log-in profile as soon as possible to minimise the risk of them sharing a colleague’s.
*The NCSC is the UK National Cyber Security Centre, part of the UK Government Communications Headquarters (GCHQ).