Date posted: 20-Dec-2014
Category: Technology
Uploaded by: miles-maier
Data Protection for CYP organisations
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
Data Protection overview
Prevent harm to the individuals whose data we hold, or other people (How?)
Reassure people that we use their information responsibly, so that they trust us (How?)
Comply with specific legal requirements (Such as?)
The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Security (Principle 7)
Security is about ensuring that the boundaries set by your confidentiality policies are protected, so that information does not fall into the wrong hands. The Data Protection Act says you must prevent:
  unauthorised access to personal data
  accidental loss or damage of personal data
The security measures must be appropriate. They must also be technical and organisational. The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.
Penalties for security breaches
Herts. County Council twice faxed details of child abuse cases to the wrong people
Ealing & Hounslow councils were jointly responsible for the theft of an unencrypted laptop containing 1700 clients’ details from an employee’s house
Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients
Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved
A lawyer’s website was hacked and details of at least 6000 people leaked
Lessons from security breaches
‘Data in transit’ is where most serious breaches occur
Simple mistakes are usually the cause: sending things to the wrong people – by fax, e-mail or in the post – or losing laptops, USB sticks, etc.
Disclosing confidential material, even about only one or two people, is serious
Laptops must be encrypted
Your website security is your responsibility
[Diagram: ‘Cloud computing’ – a cloud marked ‘?’ connecting ISP, Web site, Backup, Photos, Word processing and Database]
Cloud computing characteristics
Cheap and flexible, especially for small organisations:
  Standard offering
  Available anywhere there is an internet connection
  Suppliers claim good security and service levels
Based on:
  Shared facilities
  Location of data irrelevant (and may be obscure)
  May be layers of sub-contract
Cloud examples
Office programs (Microsoft 365, Google Apps)
Storage & processing capacity (Amazon)
Contact management database (Salesforce, CiviCRM)
Photo/video storage and sharing (Picasa, YouTube)
Online meetings & phone calls (GoToMeeting, Skype)
Social networking sites when used by organisations
Security and the cloud
Breaches do occur
Standard terms and conditions often non-negotiable
Due diligence
  Understand what you are checking
  International standards
    ISO 27000 series (from British Standards Institute)
      self-assessed less reliable than certified
      check credentials of certifying company
      relevance & scope (ISO 27000 Statement of Applicability)
    HMG Security Framework substantially based on ISO 27000
    SAS70 (US) – auditing process, not security
What else can go wrong?
Loss of service
  at their end
  at your end
Retrieving your data if the service ceases or you get into a dispute
Contract terms which allow the supplier to make use of your data (mainly consumer-oriented services)
Unclear ownership/location of data and the equipment it is stored on (within Europe, no problem)
Unilateral changes in policy by provider
And finally …
Most countries have laws allowing authorities to access data
US Patriot Act
  ostensibly anti-terrorist
  has also been used in non-terrorist cases
  supplier may not agree (or even be allowed) to inform customer of access
Include in risk assessment
So what do you need to do?
Check the contract (or standard terms and conditions) very carefully on areas like:
  security
  location of data (especially if it could be outside the EEA)
  liability/sub-contractors
  back-up/access
  copyright (e.g. Google)
Use your findings to make and record a risk assessment and get authorisation to proceed
Be transparent with your Data Subjects
The new cookie law
Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26th May 2011
Information Commissioner announced a year’s grace before enforcement action would be taken
Information Commissioner issued guidance in December 2011, updated May 2012
What the Regulations say
You must not store information (e.g. through a cookie) on someone else’s computer unless:
  they have clear information about the purpose; and
  they have given consent
You only have to ask them the first time
They can consent through browser settings (but …)
You don’t need consent for cookies that are ‘strictly necessary’ for the functioning of a website
What the Information Commissioner says
He wants ‘good solutions rather than rushed ones’. No ‘wave of knee-jerk formal enforcement action’ as long as people are making the effort to comply. There are ‘pockets of good practice’ and while he ‘cannot endorse specific products or services’, there are ‘people going about this the right way’.
Analytics cookies are covered, but not a priority.
What do we need to do?
Document what cookies we have
Assess how intrusive they are
Decide whether we really need them all
Provide appropriate information
  In the privacy statement
  At appropriate points on the website
Decide what we need consent for and how to get it
Work out how people can withdraw consent
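One way a website's own script could carry out these steps (the cookie register, the ‘strictly necessary’ exemption, asking only once, and withdrawal of consent), as an added example that is not part of the presentation. The cookie names, categories and purposes are constructed for illustration, and the MemoryCookieStore is an assumed stand-in for document.cookie so that the code runs outside a browser.

```javascript
// Added example (not from the presentation): a small consent-gated cookie
// manager. Cookie names, categories and purposes are constructed.

// Steps 1 and 2: a register of every cookie the site sets, classified as
// 'necessary' (exempt from consent) or a non-essential category, with the
// purpose that the privacy statement must explain.
const COOKIE_REGISTER = {
  session_id:   { category: 'necessary', purpose: 'keeps you signed in during your visit' },
  csrf_token:   { category: 'necessary', purpose: 'protects forms against cross-site request forgery' },
  analytics_id: { category: 'analytics', purpose: 'counts visits so we can improve the site' },
  ad_profile:   { category: 'marketing', purpose: 'selects personalised adverts' },
};

// The cookie that records the visitor's choice is itself strictly necessary:
// without it the site cannot honour that choice on later pages.
const CONSENT_COOKIE = 'cookie_consent';

// Assumed in-memory stand-in for document.cookie so the example runs under
// Node; a page would pass an object with the same get/set/remove/names
// methods backed by document.cookie.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  get(name) { return this.jar.get(name); }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentManager {
  constructor(store) { this.store = store; }

  // Categories the visitor has agreed to (empty until they have chosen).
  consentedCategories() {
    const raw = this.store.get(CONSENT_COOKIE);
    return new Set(raw ? raw.split(',') : []);
  }

  // "You only have to ask them the first time": true once any choice is stored.
  hasBeenAsked() { return this.store.get(CONSENT_COOKIE) !== undefined; }

  // Record the visitor's choice; only categories in the register are accepted,
  // and 'necessary' never needs (or records) consent.
  recordConsent(categories) {
    const known = new Set(Object.values(COOKIE_REGISTER).map(e => e.category));
    for (const c of categories) {
      if (c === 'necessary' || !known.has(c)) {
        throw new Error(`consent cannot be recorded for category '${c}'`);
      }
    }
    this.store.set(CONSENT_COOKIE, [...categories].join(','));
  }

  // Withdrawal: clear the choice and delete every non-essential cookie already
  // stored, leaving only the strictly necessary ones.
  withdrawConsent() {
    for (const name of this.store.names()) {
      const entry = COOKIE_REGISTER[name];
      if (entry && entry.category !== 'necessary') this.store.remove(name);
    }
    this.store.set(CONSENT_COOKIE, '');
  }

  // Gatekeeper for every cookie the site writes: it must be documented in the
  // register, and non-essential cookies are set only with consent for their
  // category. Returns true if the cookie was set, false if it was withheld.
  setCookie(name, value) {
    const entry = COOKIE_REGISTER[name];
    if (!entry) throw new Error(`cookie '${name}' is not in the register; document it first`);
    if (entry.category !== 'necessary' && !this.consentedCategories().has(entry.category)) {
      return false;
    }
    this.store.set(name, value);
    return true;
  }

  // Step 4: wording for the privacy statement, generated from the register so
  // the published list cannot drift away from what the site actually sets.
  privacyStatementLines() {
    return Object.entries(COOKIE_REGISTER).map(([name, e]) =>
      `${name} (${e.category === 'necessary' ? 'strictly necessary' : e.category}): ${e.purpose}`);
  }
}

// Walk through a visit: before consent only necessary cookies are written,
// after consent to 'analytics' that category is allowed, marketing still not.
function demo() {
  const cm = new ConsentManager(new MemoryCookieStore());
  const trace = [];
  trace.push(['session_id before consent', cm.setCookie('session_id', 'abc')]);
  trace.push(['analytics_id before consent', cm.setCookie('analytics_id', 'u1')]);
  cm.recordConsent(['analytics']);
  trace.push(['analytics_id after consent', cm.setCookie('analytics_id', 'u1')]);
  trace.push(['ad_profile after consent', cm.setCookie('ad_profile', 'p1')]);
  return trace;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of new ConsentManager(new MemoryCookieStore()).privacyStatementLines()) console.log(line);
  console.log(demo());
}
```

The point of routing every write through setCookie is that an undocumented cookie fails loudly rather than being set quietly, which is what keeps the register (and therefore the privacy statement) honest; the withdrawal path shows that consent has to be revocable for cookies already stored, not only for future ones.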