UCD for Data Breach Reporting part 1

We've just made a start on a piece of work that takes us into some unusual territory, to enable the reporting of data breaches and cyber incidents.

If you have done some user research or any work in this area, please get in touch with us or comment below.


Cumbria currently have an internally facing SharePoint form, designed by the Information Governance team to allow staff to report a data protection incident. The form data is stored in SharePoint lists, where Info Gov officers follow a manual process to collate further information through investigation and also store relevant files, emails, reports and documents in a document library. This does the job and meets our legislative obligations under GDPR, the Computer Misuse Act, etc.

There are a few reasons that Digital are taking a look at this:

  • As I understand it, the existing SharePoint instance is being replaced/upgraded to Microsoft 365, and to migrate the Data Breach system would require some re-work. It therefore makes sense to review as a whole.
  • Info Gov have a business requirement to allow external entities (schools, Fire, partners, the public) to report data breaches and cyber incidents.
  • The Senior Information Governance and Data Protection officer is keen to utilise our service design approach to improve and design an end-to-end service.

This is a service people will use when something has gone wrong. Business teams and external partners are probably unsure about the consequences of submitting a report. And end users will be using it because they are victims or witnesses of an incident. Not the happiest start to a user journey!

At the end of the day this service should help people to report something: a letter delivered to the wrong person, a phone left in a café, or a phishing email they’ve received. But the service shouldn’t make it hard, and should make them feel comfortable, not anxious, about the outcomes.

What’s next?

  • Lisa is leading process and customer journey mapping sessions
  • We’re engaging with other functions that are impacted, like Information Security and our Senior Information Risk Owners
  • We need to engage with users. Where would you start your user research for this one?