Handling a data breach at Public Digital

At Public Digital we know that mistakes - big or small - are an inevitable part of life.

One of our core positions as an organisation is the value of openness. We know how vital it is to build trust among our people, clients and collaborators, and so many of our working practices, from weeknotes to tunking, are designed to nurture that trust.

We know that in the rare event that things do go wrong, the trust we have in our staff will be what makes all the difference in how we respond as an organisation.

A recent incident at Public Digital has reminded us of just how important that can be.

In March of this year, my team at PD identified a data breach.

The leak concerned a user-research project we were conducting for one of our clients relating to the experience of in-patient mental health treatment.

The incident occurred when a consent form was emailed to participants. Rather than eight documents being sent to each individual, a single Docusign file was sent in error to all eight people, meaning that the names of participants who had already filled out the document were visible to those opening the document.

Given the nature of the research, and the potential for participants to be relating traumatic experiences, the environment in which the breach occurred was a highly emotive one, and needed to be protected as a sensitive space for our participants.

While the breach was relatively minor, it was important that we treated the incident extremely seriously.

Our response followed four steps:

• Act to mitigate damage

• Escalate internally

• Inform and check in with those affected

• Reflect on lessons learnt

This blog post examines these steps in detail, and explores how our culture of openness - and profound trust in our people - at Public Digital shaped our response to the incident.

The Docusign file was sent on a Friday afternoon, something which could have risked delaying our discovery of the breach to the following week.

However, we were extremely fortunate in identifying it promptly, and our first action was to limit any further impact. We immediately cancelled the consent form, triggering an email to all participants explaining that the document had been sent in error.

We looked at data from the Docusign which identified the individuals affected: those who had opened the form, and those whose names had been exposed to other participants. Our use of Docusign gave us an advantage over alternatives like email as we were able to immediately remove access to the forms and view visibility data.

True to our practice of working in the open, Public Digital advocates a no blame culture which prioritises fixing the problem over pinning responsibility on individuals. The swift response of our team in communicating the breach internally is a testament to the work we have done embedding this culture within our network as well as our core employee base.

Within moments of identifying the leak, the senior team were assessing its impact using the Information Commissioner's Office (ICO) self-assessment tool.

With the assessment concluding that the incident was unlikely to result in a risk to individuals, the decision was made by the senior team to contact the affected parties and continue with the research.

Later the same day, we contacted the three participants affected, advising them of the incident and apologising. We gave them the option to withdraw from the research, and we were grateful to all three for responding with their desire to continue.

While our client was not directly involved in delivering the user research in which the breach had occurred, they had commissioned it, and informing them as soon as possible was a core priority for our team. In the next available meeting with the client, we explained how the incident had occurred and the steps we had taken to address it. The client confirmed they were happy with our response and plan to progress with the research as scheduled.

In the interests of transparency, we ensured that all our external communications concerning the breach shared all the information we had. We were determined to be as transparent as possible, and it mattered to us that our clients and collaborators knew that.

Based on our experience, institutional practice is critical to maintaining effective information security. To reflect on the incident as an organisation, we held a company meeting to report on the breach and discuss the lessons learnt for Public Digital more broadly.

We have since devised these guidelines to be followed across the organisation:

• Consent forms will be sent out via the client team and the Public Digital operations team who have full knowledge of the Docusign product.

• Consent forms will be sent out at the start of the day to reduce the risk of initial emails/notifications occurring out of hours.

• Training on Docusign will be provided for staff

Given the sensitive nature of the research content on this project, we had expected its key risks to relate to the research practice itself. We had undergone a number of steps to ensure participants were protected from any risk factors, including securing ethical approval and ensuring a clinician was present on every call with our participants.

We could never have predicted that the source of the problem would be something as simple as the consent form.

What this shows is that despite our best efforts to prevent them, incidents like this are inevitable, and it is important for teams to be prepared for anything.

That doesn’t just mean being aware that something may happen. It means being prepared to work efficiently, openly and responsibly as a team when it does.

Without our culture of openness at PD, our response to the breach would have been different. Without our strengths as a team - our ability to communicate, to make decisions quickly, and to trust each other - the impact could have been far worse.