Learning from privacy incidents
Developing a structured approach allows an agency to conduct its analysis of its privacy incident response in an objective and focused manner.
A structured approach to analysing privacy incidents helps you to identify any possible trends, whether any changes are required to systems and processes, and whether there’s a need for additional privacy training and awareness for staff.
Learning from privacy incidents is an important part of a mature privacy programme.
The amount of effort given to analysing the causes should reflect whether the privacy incident was a one-off breach or a recurring series of incidents and whether the breach led, or could have led, to significant harm to an individual or group.
Lessons learned process
The lessons learned process is a good way for an agency to identify and communicate what worked well, what didn’t work well and what could be improved with how it responded to a privacy breach.
The lessons learned process typically includes:
- a workshop attended by all those involved in the incident response or a representative group of those involved in the incident response
- documenting and sharing the lessons learned from the incident
- storing the lessons learned document in a privacy incident repository
- a regular review of the lessons learned documents for continuous improvement.
A successful lessons learned process depends on a successful workshop. It’s best practice that the workshop is facilitated by an individual not directly involved in the incident response.
The facilitator should review the incident response plan and the documents created during the incident response. The facilitator then prepares a list of questions specific to the incident response.
The facilitator should always ask the following 3 key questions:
- What worked well?
- What didn’t work well?
- What needs to be improved?
Root cause analysis
One way of analysing privacy incidents is by using root cause analysis. Root cause analysis is useful for identifying why the breach occurred in the first place.
Root cause analysis is a systematic process used to determine:
- what happened
- why it happened
- what can be done to prevent another incident occurring.
The benefits of using root cause analysis include:
- identifying the root cause
- using the root cause to find a process-based solution
- facilitating a collaborative team environment
- bringing together diverse backgrounds and experiences
- saving time and money by determining the root cause rather than focusing on mitigating the symptoms.
The 5 Whys technique
The 5 Whys technique is a way of undertaking root cause analysis. This technique works by asking ‘why?’ 5 times to reveal the root cause of the incident.
The use of the ‘why?’ questions moves the focus from generic statements like ‘human error’ as the cause of a privacy incident, to finding the root cause that lies behind the problem. Once the root cause has been isolated, the agency can identify how to reduce or remove the cause and determine what steps can be put in place to prevent a repeat.
The focus of the analysis should be on examining the agency’s systems and processes, not on blaming people. Although the technique is called the 5 Whys, it may take more or less to get to the root cause. A general rule of thumb is to keep asking ‘why?’ until the answer is a process or system issue.
The 5 Whys approach is particularly useful when the root cause is not known, the cause is suspected and needs to be confirmed, or little or no quantitative data is available.