Data Protection in Financial Services Are you Seeing the Bigger Picture? 17 September 2008


Disclaimer

1. This presentation does not constitute specific legal advice

2. This talk is to raise awareness – not to solve specific problems

3. Opinions, errors and omissions are the speaker’s alone

4. This talk is designed to engender discussion about the risks associated with data security within the FSA-regulated sector


Why do we keep records?


Data security: security of what?


Rules, rules and more rules…

• Data Protection Act 1998

• The Human Rights Act

• Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

• Companies Act

• Freedom of Information Act

• …


Data Protection Act 1998

“personal data” means data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Section 1 Data Protection Act 1998


Data Protection Principles

The Data Protection Act 1998 – ‘The Eight Principles’

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers without adequate levels of protection of the data subject’s rights


FSA definition of ‘Data’ and ‘Personal Data’


FSA Statutory Objectives

Statutory Objectives

• market confidence: maintaining confidence in the financial system;

• public awareness: promoting public understanding of the financial system;

• consumer protection: securing the appropriate degree of protection for consumers; and

• the reduction of financial crime: reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime.


The FSA’s approach to regulation

Risk-based compliance

• Large firms = safe?

• Small firms = risky?

Principles-based compliance

• No rule to point to

• One size doesn’t fit all


Regulatory overlap: FSA v ICO

FSA:

• Statutory objectives

ICO:

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers


Regulatory overlap: FSA v ICO

FSA:

• Principles for Business

– Principle 3 – Systems and Controls

– Principle 6 – Customers’ Interests

– Principle 10 – Protection of Client Assets

ICO:

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers


Regulatory overlap: FSA v ICO

FSA:

• Current initiative – ‘Treating Customers Fairly’

ICO:

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers


Stuff the ICO, the FSA is the new data protection regulator!

ICO: £5,000 fine; personal liability for company officers; imprisonment

FSA: unlimited fines; personal liability for Approved Persons


ISO 27002:2005 – Code of Practice for Information Security Management

Data Management

2. Security Policy

3. Organization of Information Security

4. Asset Management

5. Human Resources Security

6. Physical and Environmental Security

7. Communications and Operations Management

8. Access Control

9. Information Systems Acquisition, Development, Maintenance

10. Incident Management

11. Business Continuity

12. Compliance


Would you recognise when you have a data security issue?


Their loss is your [potential] loss

• HBOS

• Alliance & Leicester

• Royal Bank of Scotland

• Scarborough Building Society

• Clydesdale Bank

• Natwest

• United National Bank

• Barclays Bank

• Co-operative Bank

• HFC Bank

• The Post Office

• CGNU

• BNPP Private Bank

• Nationwide Building Society

• Capita Financial Administrators

• Merchant Securities Group

…to be continued?


• Steven Harrison

• John Shelvin

• Mail Source/Graphic Data

• …


What is the biggest threat to data security in your firm?


The true cost of good data management

How to get senior management buy-in

• Protecting the firm’s reputation – 99%

• Protecting the firm’s assets – 84%

• Improving efficiency/cost reduction – 75%

• Enabling business opportunities – 68%

Source: BERR 2008 Report


Where do you go from here?


Think laterally, not literally!

• Risk assess

• Draft, implement and test policies and procedures

• Train your staff appropriately

• Read widely from multiple sources, and assess relevance to your firm.


Further Reading

FSA Data Security in Financial Services Report – April 2008 - http://www.fsa.gov.uk/pubs/other/data_security.pdf

The BERR 2008 Information Security Breaches Survey - http://www.berr.gov.uk/files/file45714.pdf

FSA Enforcement Action Final Notices - http://www.fsa.gov.uk/Pages/Library/Communication/Notices/Final/

Information Commissioner’s Office Enforcement Actions - www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

Information Commissioner’s Office Good Practice Guides - http://www.ico.gov.uk/tools_and_resources/document_library/data_protection.aspx


Further Information or Assistance

Email: Elizabeth.Nelson@b2bregulatorysupport.co.uk

Website: www.b2bregulatorysupport.co.uk

Tel: 0870 042 1048