The Scandinavian approach to Awareness Raising: ENISA survey reveals how 100 European Local Governments 'can do more'

The EU Agency ENISA presents the results of a survey of 100 Scandinavian local governments' data management efforts within health, hospital, regional development, education and public transportation services.

One of the most common privacy infringements is wrongful access to a patient's sensitive data. Health care services, hospitals, public transport and education systems at regional and municipal level alike all handle personal data, with inherent risks. The study portrays how 110 regions and municipalities, responsible for the services above in the three Scandinavian countries, Denmark, Norway and Sweden, are working on the secure management of such information. The conclusion is that not enough attention is paid to raising awareness among staff, but generally the authorities do well in terms of technical systems and policies.

A total of 110 public bodies (of which 97 were municipalities and 13 regions) responded to a 54-question survey. The responses are consolidated and analyzed from a Scandinavian perspective. The survey focused on four areas: 1. Managing IT Risks, 2. Information Security Management, 3. Policy Enforcement, 4. Awareness Management: securing employee compliance and attention to policies, roles and responsibilities. Overall, the survey shows that the bodies have focused on: 1. Risks, 2. Goals for information security (policy), 3. Creating a framework for information security management. On the fourth area, staff awareness, the survey confirms that:

- Rights, obligations and sanctions are typically described by the bodies
- Staff is to some extent given access to security rules
- Little is done to provide knowledge through further training
- Knowledge of rules is rarely followed up
- Undesired behaviour is rarely followed up

The Executive Director of ENISA, Mr. Andrea Pirotti, observed: "This report underlines the fact that staff must first be aware of a) what data has to be protected and b) why, if they are to comply with security rules. The situation is good, but not good enough: more still has to be done."

The report is the result of the kind support of the ENISA Awareness Raising (AR) Community.

For further information: http://www.enisa.europa.eu/

Source: ENISA - European Network and Information Security Agency