In: Operations Management
Margaret found herself facing a tough situation. Her babysitter called and cancelled 10 minutes before she needed to leave for work. She had a meeting with her manager that she could not miss. She brought her 12-year-old daughter, Molly, with her to work. Margaret sat Molly down in front of the computer in the office, telling her to play solitaire and surf the Internet until she returned. After the meeting, they went home.
Three days later, the chief privacy officer (CPO) confronted Margaret about her access of patient information. Several patients had received phone calls telling them that they had avian flu. The patients had all panicked. Margaret was the only user who had access to all of the patient accounts. She denied the accusations, but then realized that her daughter had had access to her computer. She relayed the story to her CPO.
What actions should be taken by the CPO?
What could have been done to prevent this situation from happening?
1. The role of a CPO is to develop and implement policies designed to protect employee and customer data from unauthorized access. In our case, due to Margaret's negligence, patients' information was accessed by an unauthorized person. Margaret allowed her daughter to use her computer when she had to attend a meeting. Margaret told her 12-year-old daughter to play Solitaire and surf the Internet. But instead of doing that, her daughter accessed the patients' data and made some changes to it. Because of this act, patients were frightened by the wrong information they received.
As CPO, he must warn Margaret about the consequences of her negligence, ask her to inform the patients of the truth, and have her apologize for the same. As per corporate law, it is illegal to disclose the private information of patients. Margaret should not give the office computer to her daughter for playing games. In this case the CPO should step in and tell Margaret to sort out the issue by discussing the matter with the patients. Margaret should also learn not to repeat this in future.
2. In a corporation, all information should be handled carefully and confidentially. Employee and customer data should always be protected from unauthorized access. A CPO is appointed to look after this task. In addition, CCTV cameras should be in place to record what is going on behind the authorised person. There should be a person who monitors them and takes action accordingly. Computers should be password protected, and in particular all private files should be protected with a strong password so that no one except the authorized person can access them.
These preventive measures should be taken by any organization to keep their data safe and protected.