Discussion points and feedback:
Is it okay to take company property out of the office?
A laptop is designed to be used on the move, and notebooks and presentation materials are clearly very useful for going out to client meetings. However, you need to be vigilant with company property, particularly as it will contain client information. As an actuary, you should be mindful of the Integrity principle of the Actuaries’ Code (Code), under which “Members should respect confidentiality”. The Compliance principle also comes into play in this scenario; it states that “Members must comply with all relevant legal, regulatory and professional requirements”, which could include following your company’s IT data security policies.
Is it okay to keep written notes of meetings?
Taking handwritten notes at a meeting is perfectly acceptable, but it would be good practice to type up the handwritten notes on returning to the office. This means the information is recorded on file, and the handwritten notes can then be shredded.
Has the company’s policy on IT security and file sharing worked in this case?
It appears that company policy was not followed in this scenario, as multiple confidential items are missing. Natalie was aware that the company file transfer site should be used for data sharing, but the system was down at the time when she was working late. She therefore decided to put the presentation on a USB stick, as the file was too big to send by email. Whilst this may have been a pragmatic workaround, there is a risk that it breached company policy. You should always be aware of your company’s policies and procedures in relation to the process to be followed when sharing files. The Integrity principle may apply here with regard to confidentiality if member data was on the USB stick – this may have GDPR [General Data Protection Regulation] implications (European Union legislation).
Is it okay to have a written record of passwords?
It can be difficult to remember work passwords, as they often have to be changed regularly. Organisations will have different rules around passwords – such as a minimum number of characters and a combination of uppercase letters, lowercase letters, numbers and symbols. In the scenario it would appear that the company had good password principles in place and Natalie appeared to be aware of them. However, it would have been more appropriate to have written the passwords down in a secure manner – perhaps using code words whose meaning you know but a casual reader would not be able to understand – and to have kept the record separate from the laptop.
What principles of the Code should be taken into account in the scenario?
As IFoA members, the Code applies to Natalie and Dominic at all times. Quite a few of the principles should have been taken into account in the scenario.
Speaking up principle: “Members should speak up if they believe, or have reasonable cause to believe, that a course of action is unethical or is unlawful.”
The Speaking up principle comes into play here as a crime has taken place and Natalie should have considered reporting it to the police.
Integrity principle amplification: “Members must show respect for others in the way they conduct themselves.”
Natalie was perhaps being a little flippant about the situation and company policies. She was also slightly rude about Paula earlier in the conversation, which shows a lack of respect.
Communication principle: “Members must communicate appropriately” and Competence and Care principle: “Members must carry out work competently and with care.”
Natalie had copies of the reports in her laptop bag, but she had mentioned previously that she was going to hand them out to the client in the morning. This suggests that she wasn’t communicating appropriately, as it appears that she forgot to do so. The Competence and Care principle also comes into play in this situation.
What would be the next steps?
In the scenario, Dominic was going to contact the Data Protection and Risk Management Team, which is a good course of action. It’s likely that the team would give Natalie instructions as to what to do next. Part of that would be to try to determine whether the USB stick really had been lost, or whether it was in a pocket somewhere or perhaps still in the laptop bag. Natalie may be required to contact her client to inform them that data had been lost. The issue would be logged by the team along with other potential incidents within the organisation.
Summary
There may be an issue with company culture – was it just Natalie who was a bit lax with regard to data security, or could there be a more systemic issue? Natalie said she was up to date with data security following recent training; however, she wasn’t living the spirit of that training. This incident may identify further training needs and prompt consideration of whether other policies and procedures need to be updated.