Community Care's CareSpace
The online community for social care

USB sticks, losing confidential data and getting admonished

This post has 10 Replies | 6 Followers

Top 500 Contributor
Frederick Posted: 2 Feb 2010 8:53 PM

After the blog about a social worker being admonished for losing a USB stick (http://www.communitycare.co.uk/carespace/blogs/socialworkblog/archive/2010/02/02/social-worker-admonished-for-taking-work-documents-from-office.aspx) I thought the following might be helpful:

Many, many Social Workers take home confidential documents on personal USB memory sticks.

During my time as a Social Worker and with the increased use of electronic record keeping, nearly everyone works with a personal USB stick.

Photocopiers now have facilities to copy direct to insecure USB sticks; email (insecure) sharing of confidential sensitive data is commonplace, such as sending client papers to agency worker Independent Review Officers via the likes of hotmail.co.uk accounts.

Employers offer no real guidance on the risks associated with the use of USB sticks or sharing sensitive data via email, or even the use of shared laptop computers.

As this case shows, responsibility is likely to be seen as primarily the Social Worker's.

I deploy the following to secure my clients' data and my reputation:

1) Only sending files to external email accounts after I have placed them inside a ZIP folder that is password protected (encrypted), and sharing the password with the recipient over the phone or in person.

2) For USB sticks, after some trial and error, I now use a secure USB drive. All data on the drive is always encrypted, passwords are processed within the drive and after six incorrect passwords the data is erased.

After some searching I found the Integral Crypto Drive (£20) to be the cheapest; others like IronKey go for a whopping £100+.

As these drives can be expensive and don't work with USB-enabled photocopiers, a free option can be to create a secure container on an existing USB stick. The following links may help with this:

Rohos Mini Drive Encrypts Your USB Drive Files

http://lifehacker.com/5044260/rohos-mini-drive-encrypts-your-usb-drive-files

Encrypting a USB drive using TrueCrypt

http://www.ucl.ac.uk/cert/EncryptingUSBTrueCrypt.html

Don't expect your IT department to help.


Top 50 Contributor

I very rarely take work home with me and I am quite strict about that as I got into the habit in a previous job and nearly had a nervous breakdown. I only ever do it when I know I haven't completed work that is either A) in my view very last minute, absolutely vital for tomorrow and can't possibly wait without very detrimental effect to the service user or B) as before but I could have managed it in office time but got distracted by the very chatty 'non-social work' colleague next to me who is the kind of person you don't want to fall out with because they are best mates with the admin staff who will do all your photocopying/faxing/typing asap as and when you want it but only if they like you.

That aside, the way I get around it is by using the encryption service offered by my LA that allows you to type the name of our encryption service in the subject box of an email before you send and it will automatically send an email to the intended recipient, from which they access another site via a link to set up an account that will allow them and only them to access the encrypted email. This is annoying if you are a first and only time user (i.e. the occasional service user/family member that requests information to be sent to them via email) but if you are a regular user and not within our LA's 'secure list' i.e. charitable organisation, local voluntary agency/do-gooder then it works quite well. I use it to send confidential information to my home email address which I can then use or edit at home within the encryption service programme and send it straight back to my secure office email address when I have finished. I don't exactly broadcast it widely in front of The People In Charge that this is what I do but if I am ever going to be caught out for working at home I would rather have done it this way and have it recognised that I have done everything possible to ensure security than not to have bothered at all.

Top 500 Contributor
Male

I may take work home but it is ALWAYS stored in line with the Data Protection Act.

Top 500 Contributor
GeneralPig, what do you mean under the "Data Protection Act"? If you transport any sensitive electronic data from your workplace, do you ensure that it is encrypted, particularly if you use a USB stick/laptop? If you use your own computer at home what happens to any of the data you may have saved onto it, should the computer be lost or stolen? How many people have access to your home computer? For instance, simply deleting a file on a computer only means the index to it has been removed; it is very easy to recover the file fully intact. PCs also have a System Restore feature that allows files to be recovered from an earlier restore point date. All I am seeking to highlight is that many social work employers' directions on secure use and transport of sensitive data are very weak and social workers may not be aware of the risks they expose such data to by transporting and using data in very insecure ways. Hatgirl's local authority seems to have a good system for transporting data to external agencies and no doubt such a system shifts some of the burden of responsibility for any consequent data breaches/leaks to the recipients. Even if the sending agency uses a secure system and IT equipment, this does not mean this system will not break down when accessed at home from a computer that is susceptible to viruses or malware. Some employers are giving home-workers 'secure' full disk encrypted laptops, for work purposes only, and enabling direct virtual encrypted access to the employer's system to do all work from and within. Of course, I don't recommend putting the passwords on a post-it note attached to your computer or memory stick.

Top 10 Contributor
Female

I don't take work home. I used to but now if it doesn't get done during work hours, it doesn't get done - with all that entails. We can though, apply through the Trust for encrypted USBs but I usually use them for transferring AMHP reports from hospitals back to base. I suppose they've come home with me on occasion. I think being actually issued with encrypted USB sticks is the way to go if employers are happy with people taking work home (and I understand it's common and some people can work at home - we aren't allowed to - which is irritating sometimes when you see other people doing it and know you could get more done but I suppose in the long run, the strict divide between home and work isn't a bad thing!).

Top 25 Contributor

I work on my laptop and have remote access to our ICS. I email stuff to third parties only after I send a test email and they confirm they have received it. Some experts have personal emails and not corporate emails - again I expect to have some degree of conversation before I send anything out. Only very rarely and if the network is down or something and I absolutely have to send something to my personal computer I email myself on yahoo the documents as yahoo has a large capacity and after I received them I delete them from my inbox and trash. If I need to work offline I save the stuff on my desktop. It is not safe as the info is lost if the computer is damaged, but it is protected by 2 sets of passwords so it cannot be broken into.

Top 10 Contributor

I've just got in touch with the Information Commissioner and they have agreed to answer some questions on handling data and some of the rules you need to follow. If you have any questions please let me know.

CareSpace support

Top 500 Contributor
Male

Frederick:
GeneralPig, what do you mean under the "Data Protection Act"? If you transport any sensitive electronic data from your workplace, do you ensure that it is encrypted, particularly if you use a USB stick/laptop? If you use your own computer at home what happens to any of the data you may have saved onto it, should the computer be lost or stolen? How many people have access to your home computer? For instance, simply deleting a file on a computer only means the index to it has been removed; it is very easy to recover the file fully intact. PCs also have a System Restore feature that allows files to be recovered from an earlier restore point date. All I am seeking to highlight is that many social work employers' directions on secure use and transport of sensitive data are very weak and social workers may not be aware of the risks they expose such data to by transporting and using data in very insecure ways. Hatgirl's local authority seems to have a good system for transporting data to external agencies and no doubt such a system shifts some of the burden of responsibility for any consequent data breaches/leaks to the recipients. Even if the sending agency uses a secure system and IT equipment, this does not mean this system will not break down when accessed at home from a computer that is susceptible to viruses or malware. Some employers are giving home-workers 'secure' full disk encrypted laptops, for work purposes only, and enabling direct virtual encrypted access to the employer's system to do all work from and within. Of course, I don't recommend putting the passwords on a post-it note attached to your computer or memory stick.

I use an encrypted laptop provided by my employer with VPN access-so I can work remotely from the main server. My USB stick is also encrypted. If someone stole either, they wouldn't be able to gain access to any data. All passwords are in my head!

In case of files, I have to transport information in my car from time to time. I never leave it alone-if I stop, it is carried in a locked briefcase. At home, it may have to be stored overnight in a locked filing cabinet. Unfortunately, because I have to work across England and Wales at times, there is no option but to carry files sometimes.

Top 500 Contributor
It would be good to get ICO feedback. However, employers I have worked for don't like being requested to provide encrypted USB sticks or whole disk encrypted laptops, both of which are required to work at home, let alone secure access to workplace systems/servers. I think a few local authorities have been admonished by the ICO for data leaks/losses and have then agreed/forced to use encrypted USB sticks and computers. One key issue, as mentioned, is making the line between home/private life and work fuzzy; I like total separation. If work cannot be done at a normal work-place then it has to wait; I don't like to hide structural problems like staff shortages by functioning as a worker 24/7. What is laughable is the growing trend toward hot-desking and open plan offices, all of which negate against a conducive space to produce important reports, complete forms etc. It is often said social workers spend 80% of work time sitting in front of computers inputting data; a brave new world could make this 100% by having to use laptops with service users when doing assessments, home visits etc. Not sure what questions to propose, but it would be good to pause on posting any ICO feedback, as I think this is likely to make forum members hold back on posting thoughts and comments before an 'expert' statutory authority conveys details of duties and expectation.

Top 500 Contributor

I have only worked in one LA so excuse my ignorance :)

We are not allowed to use memory sticks at all. All files are stored on the council's internal database that can only be accessed with user code and password. This can also be accessed by social workers from home via the internet, if they install the necessary software, although I have not done this myself. I do not believe in taking work home unless it really is an emergency, as the more you do at home 'outside office hours' the more you are expected to do in the future as it becomes the norm. I also personally believe that the LA should be aware of how much one worker can really do in a day (8 hours in the office) in order for them to be able to identify an achievable caseload for each worker. Of course if you are claiming your hours for work completed at home that will be recognised, but I worry that when people start working extra hours at home it puts pressure on others to follow suit.

Sorry to digress!! 

© RBI 2001-2012