Hosted by: Russell & Mike

BSS5 – Knowing Me, Knowing You – Privacy rules

Some business confidential information is leaked from the company. How, who, and what is the impact?

It’s easy to be relaxed about privacy rules in business dealings in this supposedly transparent and open world. Should Jakob and Zelda be worried about Zelda’s dad knowing the inner workings of Sydeline? How important is confidentiality in business?

Mike and Russell discuss privacy rules, company and personal information confidentiality.

Blue Sky Stinking


Episode script

Privacy Rules Discussion Transcript

MIKE: Oh dear, oh dear.  What a wind up merchant Nero is proving to be!  Anyway, regardless of his motives he has given us the topic for the week, and that is confidentiality.  And to discuss this with me this time is not quite who we hoped, so, unfortunately Russell’s back….

RUSSELL: You must be delighted. It’s a shame our (former) friend and colleague was unable to join us… How do you want to do this then?

MIKE: Well, perhaps we should start with explaining what our credentials for discussing confidentiality are firstly.

RUSSELL: Ok! Well, if I kick off.  I have been responsible for Information security in various local government bodies since 1997, when I was first appointed to a delightful role.  At one point I was a Single Point of Contact for the Regulation of Investigatory Powers Act, when it was first introduced and operated in some businesses with some very sensitive data under its control… What about you?

MIKE: I’ve done a number of different bits. I’ve worked for some very sensitive central government departments with some very secretive and sensitive data.  I’ve worked in the nuclear industry and there’s lots of sensitive things there.  I’ve worked within pharmaceuticals and healthcare.  So, yeah, some quite stringent security regimes I’ve worked within.  Got the t-shirt on a lot of these things. 

But I guess, in the things that you’ve done, you must have seen some bad examples of maintaining confidentiality, quite often I would think.

RUSSELL: Yes, especially in the early days of early data protection it was very prevalent, it was very easy to spot people who were fracturing the law.  Everything from people forwarding email.  We had one with a sensitive chain of conversations through email and then someone attached that chain to a meeting invite.  Including the person who was potentially going through a disciplinary with all the conversations that had gone through before.  There’s been situations where people have deliberately shared private information with people they really knew they shouldn’t. And there’s always the accidental event; some have been quite severe, which I don’t want to go into because it could embarrass people.  Information confidentiality is a very broad subject.  It’s worth thinking about what’s going on in Sydeline?

MIKE: I think there’s a number of areas of confidentiality and one of our areas in Gydeline is around personal data protection.  But I think a lot of the issues in Sydeline are really around company confidential information, competitive information, that sort of thing.  Because it’s not a great scenario where there’s two companies that are in competition with one another that are sharing information.  I’ve worked in a lot of competitive situations where either side of that competition would dearly want to know what the competitor is thinking, saying and is going to bid.  I guess you put yourself at a disadvantage and your competition at an advantage if you share information too readily.  Family or not, that ready sharing of information, warts and all, is not the best way forwards in business.  Open and honest is great, but at the right time.

RUSSELL: There’s also an aspect in certain industries, and I think you’ve worked in a few of them where there is a duty of confidentiality, where there’s a professional requirement – how can you explain what that entails?

MIKE: Those industries, and the nuclear industry is certainly an example of one, that there should be good induction and training in place to inform those individuals of what their obligations are and what they should do.  Things like Healthcare is an example where there are some quite onerous obligations on how you should and shouldn’t deal with things like sensitive patient data.  So, this entails an awareness, but also an attitude around information and treating that information as something of value, an asset to the organisation.  Much as you would just go and give your car keys or your laptop to somebody.  Why would you give information willy-nilly?  It’s an attitude as well as some controls that you might need to put in place as well.

RUSSELL: Yes, but as it happens, Zelda didn’t have a duty of confidentiality enforced on her by a professional body.  She had no requirements there, but she does have an obligation to Jakob as a partner in the business.

MIKE: So what do you think they should have done to stop that being a problem in that case?

RUSSELL: Well, if nothing else, it’s something they should have talked about.  We discussed this in previous episodes, having an agreement on how your partnership is going to work.  Ok, they’re directors in a limited company but it’s still a partnership, they’re still joined together to give a common aim.  There should be some form of ground rules. Something that says, this is what we share between ourselves, this is what we’ll share publicly and this we’ll keep company private.  That could also extend out to shareholders where you would expect a certain amount of confidentiality in professional business meetings.  You mentioned competition previously. We’ve both worked in the tricky world of telecommunications where there was this really strange juggling game of openness and confidentiality with competitors – Do you perceive that as a common dilemma, in your experience?

MIKE: I think it can be.  There are some businesses that see everybody as a competitor.  More and more organisations try to work in a partnership model where they either see business opportunities to work together with whoever those other companies are – a lot of the time that will be to deliver joint services to a customer but in some occasions they are in competition.  It’s a dilemma but things like Non-Disclosure Agreements and the way that company is organised or divided can help to minimise some of those issues. But there’s definitely the family aspect, in Sydeline, and the friends aspect.  One does wonder if Jakob treats all of his investments in this way and whether he goes in without agreements.  One also wonders if the competitor was someone other than your dad, then it might be a little less tricky to be hard-nosed about it.

RUSSELL: It has to be said that family business, or having family that’s in business together does create an additional complication.  It’s a different dilemma – you and I are not family; we go home to our respective locations and we have a separate personal life to a business life.  Especially if you live in the same house you end up talking business.  You’ll end up talking business in front of the children, or potentially bringing up fairly sensitive issues with friends or guests possibly because it’s on your mind or the subject of the moment.  That becomes even worse if you start roping in difficult staffing problems.  If you’re not a large company, it can be very easy for your friends and family, that are not in the business, to quickly identify who you’re talking about even if you’re a little vague on it.  Because a job title or a description of somebody might easily identify them – all of a sudden your confidentiality is blown, your business professionalism is blown.

MIKE: There’s any number of avenues that might get opened up as part of those seemingly innocuous conversations. If you’re talking about money or finance you might expose some weakness or even some opportunity that you’re intending to go for that your competitor might be able to exploit.  Ideas that you’ve had.  Things that you’ve created or might want to create that could be potentially stolen.  Any technical flaws you might have, there are any number of things that could be used against you.  So it’s a tricky area.

RUSSELL: You mention that, and going back to the phrase that Nero used, that they’d nicked the product line.  That’s an Intellectual Property issue, or IP as it can be lovingly referred to on occasions.  How would you describe Intellectual Property to anyone who has never thought they have any in their business?

MIKE: It’s an interesting one as every business has some form of IP.  The easiest way to think about it is that it’s something you created but it doesn’t have to be a physical thing, it doesn’t have to be a tangible object.  There are many different examples of what this creation you have made is.  It could be designs, ideas, blueprints, symbols, names, logos, any number of intangible things that you’ve created could be a piece of IP.  It could be the way you do something, a process or even an approach to something.  Anyone listening out there, really have a good think about areas of IP that you’ve got and then those areas of IP where you might need to think about being cautious with and protecting.

RUSSELL: So that use of the word nicked could hide an underlying problem.  That product could be part of a registered design or a patent or something. He doesn’t appear to be doing anything about it, though, having said that.

MIKE: Hmmm, not at the moment. We’ll have to see if anything happens on that front in the future.  I guess we talk about confidentiality without talking about how technology affects this.  We are very much a digital business.  It’s getting bigger and bigger in every business.  There aren’t many that rely solely on paper or lack of technology so.  Given that the hackers and those that would do us harm are always one step ahead.  Is it something we can completely mitigate, or do we have to accept that we can get information stolen?  What do we do?

RUSSELL: Obviously we don’t want to just accept it.  That would be like saying I got stuff in my house and eventually it will get nicked, no matter what I do

MIKE: You don’t leave the front door open and the windows unlocked and then say, oh, somebody nicked my things! If the doors and windows are locked, then you did what you could

RUSSELL: That’s absolutely right.  You’ve got to do what you can to protect your data.  The problem with any of the measures that you see, your anti-virus you’ve got or your anti-malware or any of the ‘anti’ devices you might install on a piece of hardware, and you might have physical precautions that you put in place.  Like where you store your computer equipment.  All these things, people are constantly, if there’s a benefit of them getting access to your technology, your data, then they are going to work a way to try and break it.  You can’t actually ever get rid of the risk and the real problem is, in this digital world, you got to constantly keep up with it. It sounds like a burden, but there are people out there to help you

MIKE: I would draw us back to a comment made earlier in the conversations.  It’s all about attitude and people and approach.  If people have the right thinking around technology and security and they’re thinking about and aware of it, the biggest mitigation that you can have, rather than trying to put every single measure you can think of in place.

RUSSELL: Yes, otherwise you just end up with this horrendous technological burden, security burden which, apart from being expensive to implement, would be expensive to maintain.  It could also make your working environment difficult, there has to be a balance in maintaining confidentiality, technical security against being able to operate a business.

MIKE: Absolutely.

RUSSELL: So, we do ask our experts to sum up with some top tips – give us one to kick off…

MIKE: Understand whether you have any duties of confidentiality, any obligation, any professional standards that you need to abide by.  Whether you’re an accountant or therapist or a clinician or anything like.  If you got something you need to abide by you need to make sure you’re aware of those.

RUSSELL: I’ve put some examples of some of those codes of practice on our show page for this episode. You also need to understand the situations when you may have to break that confidentiality, they do exist. There’s something called the Police and Criminal Evidence Act which enables the Police to come in and request of you…

MIKE: And even that’s not cut and dried.  If you get a request you’ve got to validate it and make sure they aren’t just fishing for information and that they’ve got a legitimate reason for requesting you break that confidence.

RUSSELL: That brings us to protecting the confidential information – Set your policies, processes and procedures up and for paperwork in a filing system ask yourself, who has access, are the rooms and cabinet secure enough?  Is it sufficient for the data I’m storing in there?

MIKE: As for storing information on technology.  That’s got a whole different set of challenges.  You’ve got to make sure it’s stored securely, transferred securely and that there are measures in place.  And then back to informing your people about the rules and requirements they need to follow.

RUSSELL: Finally, make sure you are clear on what you would do if confidentiality is breached.  How would you report it and record it?  Then you might have to deal with the fall out, telling the affected people of the breach, and organisations, and then you might need to work to manage professional bodies, if you’re a member of any.  You may even need to get in touch with the media and make sure you’re well trained in the media so you don’t do a Gerald Ratner on your situation.

MIKE: Yes, and for all the listeners out there, if you’re doing data breach processes for your data protection, then that’s a good template for how to deal with breaches in confidentiality.  So make sure you’re up to date with that. These are all good basic tips to give confidentiality a chance in your organisation.  So that’s about it for confidentiality at the moment… I doubt this will be the last time it raises its head in Sydeline.

RUSSELL: We’ll have to wait and see, but I think you’re right.  That leaves me to wrap up this episode and encourage you to get busy liking, rating, sharing and commenting on the podcast site you’re using. 

MIKE: There is always the opportunity for you to be a guest in a future episode, we already have a healthy line-up.

RUSSELL: Unless we get more no-shows of course

MIKE: I’m sure he was just very busy!  So… if you have a hot topic to discuss, I’m sure Sydeline might suffer a related issue in the near future for you to comment on.  Check out the show notes page on our website and we look forward to your company next time in “I Have A Dream” in which Zelda’s premises are coming together… Or coming apart, I wonder which!

RUSSELL: I wonder…