Currently, most organisations keep a lot, if not all, of their data online. The benefits of this are clear:
- Data integrity and consistency - when data remains in its native system, its integrity and consistency are better preserved. Moving data between systems can introduce errors and data corruption, and can compromise the accuracy and reliability of the information.
- Reduced duplication - as soon as data is removed or extracted from its original system, the data is duplicated and there can then be some doubt about the true version of a document, for example.
- Security - keeping data in its original system means that it is more secure because it is protected by the security of the system for which it was intended. As soon as a list of personal data is printed or copied, it is no longer under that security umbrella and is at risk of a data breach or of being part of a cyber security attack.
- Management oversight - managers and supervisors do not have oversight of that data once it is removed from its original system. The ICO recently reprimanded Dover Harbour Board and Kent Police over information sharing via social media messaging apps.
- Transfer of data - as soon as any personal devices or systems are used, the data has been removed from the organisation's infrastructure and so can easily be shared and forwarded to an individual or group outside of the organisation.
The full ICO reprimand can be read here: ICO reprimands Dover Harbour Board and Kent Police over information sharing. The ICO stated that there are official channels for law enforcement agencies to lawfully share information, and that staff should use them. This covers all the points in this article about an organisation's systems already being in place with the appropriate security to protect the data. Another key point to take from the reprimand is that an officer in Kent Police used a personal mobile phone to take a photo of an individual's identity document and uploaded it to a messaging service that was not an official Kent Police system.
Takeaways from this article:
- Try to keep personal data in its original system so that it is protected by the system's settings.
- Avoid using systems that are not approved by the organisation for messaging about or discussing work-related matters, especially when they involve personal data.
- Using only an organisation's systems for personal data can help avoid a data breach.