Information Commissioner’s Office
Sheila Logan, Operations and Policy Manager, Information Commissioner’s Office
Business Matters, 20 May 2008
The Data Protection Principles
All data controllers must comply with the Data Protection Act 1998
The 8 Principles
• Fair and lawful.
• Only used for specified purposes.
• Adequate, relevant and not excessive.
• Accurate and up to date.
• Not kept longer than necessary.
• Individual rights.
• Kept secure.
• Not transferred outside the European Economic Area without adequate protection.
Information Security
The Data Protection Act 1998 requires all organisations to have appropriate security to protect personal information against unlawful or unauthorised use or disclosure, and against accidental loss, destruction or damage.
Principle 7
7th Data Protection Principle
Security contraventions can have BIG implications
• Potential harm to individuals when things go wrong.
• Damage to business reputation.
Risk based assessment
Information is an organisation’s second most important asset.
Do you know what information the organisation possesses?
Do you have detailed security procedures?
Does your asset register include hardware and portable media?
How valuable or sensitive is the information?
What effect would a security breach have on your organisation?
In costs?
To your reputation?
To the trust of your customers, clients and stakeholders?
What damage or distress could be caused to individuals if there were a security breach?
Who is responsible?
Day to day responsibility for security.
Written procedures for staff to follow.
Excellent staff training.
Regular audits.
Monitoring changes.
Investigating a security incident.
Organisational measures
Has a risk assessment been carried out?
How effective are your current security measures?
Where are the weaknesses?
Organisational measures
Senior management commitment.
Making resources available.
Know where responsibility lies.
Do staff understand the security procedures?
Are changes required?
Staff
A high proportion of security incidents are staff related.
What background checks are carried out?
Valid qualifications.
Disclosures - accidental, procured or deliberate?
Contract of employment.
Access to internet and email policies.
Examples of good practice
• Transparent and appropriate vetting procedures.
• Risk assessment for staff who have access to large volumes of customer data.
• Not wearing company passes outside the workplace.
• Changing computer access when changing roles.
Physical security
General vulnerability – isolated, ground floor, poor lighting, previous incidents.
Entry and exit points.
Laptops and external devices.
Paper – including disposal of confidential waste.
Examples of good practice
Configure equipment so data cannot be copied.
Disable drives so corrupt data cannot be introduced to your system.
Restrict access to areas of high risk.
Visitor policy for ALL visitors.
A key register.
Lockers for staff use.
Examples of good practice
Portable Media:
Genuine business need to have device.
Encryption for customer information.
Safe storage.
Who has these devices? What happens when they leave the organisation?
Company mobile phones.
Examples of good practice
Disposal of personal information
Using a contractor to dispose of paper and computer equipment.
Guidance for home workers and mobile staff.
Audits and spot checks.
Storage in secure and controlled area.
What are the real benefits?
• Organisational efficiency.
• Fewer complaints and less compensation.
• Business reputation.
• Customer confidence.
• Overall reduction in costs.