Data protection For CYP Organisations

Date post: 20-Dec-2014
Page 1: Data protection For CYP Organisations

Data Protection for CYP organisations

Page 2: Data protection For CYP Organisations

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

Page 3: Data protection For CYP Organisations

Data Protection overview

Prevent harm to the individuals whose data we hold, or other people (How?)

Reassure people that we use their information responsibly, so that they trust us (How?)

Comply with specific legal requirements (Such as?)

Page 4: Data protection For CYP Organisations

The Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Page 5: Data protection For CYP Organisations

Security (Principle 7)

Security is about ensuring that the boundaries set by your confidentiality policies are protected, so that information does not fall into the wrong hands. The Data Protection Act says you must prevent:

- unauthorised access to personal data
- accidental loss or damage of personal data

The security measures must be appropriate. They must also be technical and organisational. The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.

Page 6: Data protection For CYP Organisations

Penalties for security breaches

Herts. County Council twice faxed details of child abuse cases to the wrong people

Ealing & Hounslow councils were jointly responsible for the theft of an unencrypted laptop containing 1700 clients’ details from an employee’s house

Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients

Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved

A lawyer’s website was hacked and details of at least 6000 people leaked

Page 7: Data protection For CYP Organisations

Lessons from security breaches

- ‘Data in transit’ is where most serious breaches occur
- Simple mistakes are usually the cause: sending things to the wrong people – by fax, e-mail or in the post – or losing laptops, USB sticks, etc.
- Disclosing confidential material, even about only one or two people, is serious
- Laptops must be encrypted
- Your website security is your responsibility

Page 8: Data protection For CYP Organisations

[Diagram: the organisation’s question mark over “Cloud computing”, surrounded by the services it may cover: E-mail, ISP, Web site, Backup, Photos, Word processing, Database]


Page 10: Data protection For CYP Organisations

Cloud computing characteristics

Cheap and flexible, especially for small organisations:
- Standard offering
- Available anywhere there is an internet connection
- Suppliers claim good security and service levels

Based on:
- Shared facilities
- Location of data irrelevant (and may be obscure)
- May be layers of sub-contract

Page 11: Data protection For CYP Organisations

Cloud examples

- Office programs (Microsoft 365, Google Apps)
- Storage & processing capacity (Amazon)
- Contact management database (Salesforce, CiviCRM)
- Photo/video storage and sharing (Picasa, YouTube)
- Online meetings & phone calls (GoToMeeting, Skype)
- Social networking sites when used by organisations

Page 12: Data protection For CYP Organisations

Security and the cloud

- Breaches do occur
- Standard terms and conditions often non-negotiable
- Due diligence
  - Understand what you are checking
  - International standards
    - ISO 27000 series (from British Standards Institute)
      - self-assessed less reliable than certified
      - check credentials of certifying company
      - relevance & scope (ISO 27000 Statement of Applicability)
    - HMG Security Framework substantially based on ISO 27000
    - SAS70 (US) – auditing process, not security

Page 13: Data protection For CYP Organisations

What else can go wrong?

- Loss of service
  - at their end
  - at your end
- Retrieving your data if the service ceases or you get into a dispute
- Contract terms which allow the supplier to make use of your data (mainly consumer-oriented services)
- Unclear ownership/location of data and the equipment it is stored on (within Europe, no problem)
- Unilateral changes in policy by provider

Page 14: Data protection For CYP Organisations

And finally …

- Most countries have laws allowing authorities to access data
- US Patriot Act
  - ostensibly anti-terrorist
  - has also been used in non-terrorist cases
  - supplier may not agree (or even be allowed) to inform customer of access
- Include in risk assessment

Page 15: Data protection For CYP Organisations

So what do you need to do?

- Check the contract (or standard terms and conditions) very carefully on areas like:
  - security
  - location of data (especially if it could be outside the EEA)
  - liability/sub-contractors
  - back-up/access
  - copyright (e.g. Google)
- Use your findings to make and record a risk assessment and get authorisation to proceed
- Be transparent with your Data Subjects

Page 16: Data protection For CYP Organisations

The new cookie law

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26th May 2011

Information Commissioner announced a year’s grace before enforcement action would be taken

Information Commissioner issued guidance in December 2011, updated May 2012

Page 17: Data protection For CYP Organisations

What the Regulations say

- You must not store information (e.g. through a cookie) on someone else’s computer unless:
  - they have clear information about the purpose; and
  - they have given consent
- You only have to ask them the first time
- They can consent through browser settings (but …)
- You don’t need consent for cookies that are ‘strictly necessary’ for the functioning of a website

Page 18: Data protection For CYP Organisations

What the Information Commissioner says

- He wants ‘good solutions rather than rushed ones’.
- No ‘wave of knee-jerk formal enforcement action’ as long as people are making the effort to comply.
- There are ‘pockets of good practice’ and while he ‘cannot endorse specific products or services’, there are ‘people going about this the right way’.
- Analytics cookies are covered, but not a priority.

Page 19: Data protection For CYP Organisations

What do we need to do?

- Document what cookies we have
- Assess how intrusive they are
- Decide whether we really need them all
- Provide appropriate information
  - in the privacy statement
  - at appropriate points on the website
- Decide what we need consent for and how to get it
- Work out how people can withdraw consent
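The two cookie slides above describe a procedure: keep an inventory of cookies and their purposes, let ‘strictly necessary’ cookies through, set everything else only after consent for that purpose, and allow consent to be withdrawn. The following is an added example of that logic, not code from the slides or from the presenter; the cookie names (session_id, analytics_id, ad_id) and purposes are constructed for illustration, and the cookie store is an in-memory Map rather than the browser’s document.cookie so that it runs offline.

```javascript
// Added example: a consent-gated cookie store (not from the original slides).
// Cookies must be registered with a purpose before they can be set (the
// inventory). "strictly-necessary" cookies are always allowed; any other
// purpose is set only once the user has consented to it, and withdrawing
// consent deletes the cookies already set for that purpose.

const NECESSARY = "strictly-necessary";

class ConsentGatedCookies {
  constructor(jar = new Map()) {
    this.jar = jar;                 // name -> { value, purpose }; stands in for document.cookie
    this.registry = new Map();      // name -> purpose; the documented cookie inventory
    this.consented = new Set([NECESSARY]); // purposes the user has agreed to
  }

  // "Document what cookies we have": every cookie needs a declared purpose.
  register(name, purpose) {
    if (!purpose) throw new Error(`cookie ${name} needs a documented purpose`);
    this.registry.set(name, purpose);
  }

  // Record consent for one purpose (e.g. after the user accepts a banner).
  grant(purpose) {
    this.consented.add(purpose);
  }

  // Withdraw consent: stop future writes and remove what was already set.
  withdraw(purpose) {
    if (purpose === NECESSARY) return; // essential cookies cannot be opted out of
    this.consented.delete(purpose);
    for (const [name, entry] of this.jar) {
      if (entry.purpose === purpose) this.jar.delete(name);
    }
  }

  // Set a cookie only if it is in the inventory and its purpose is consented.
  // Returns true when written, false when blocked for lack of consent.
  set(name, value) {
    const purpose = this.registry.get(name);
    if (!purpose) throw new Error(`cookie ${name} is not in the inventory`);
    if (!this.consented.has(purpose)) return false;
    this.jar.set(name, { value, purpose });
    return true;
  }

  // The list a privacy statement would publish: name, purpose, consent needed?
  inventory() {
    return [...this.registry].map(([name, purpose]) => ({
      name,
      purpose,
      needsConsent: purpose !== NECESSARY,
    }));
  }
}

// Walk through the procedure with constructed cookie names and return the
// observable outcomes so they can be checked.
function demo() {
  const cookies = new ConsentGatedCookies();
  cookies.register("session_id", NECESSARY);   // login session: strictly necessary
  cookies.register("analytics_id", "analytics"); // constructed analytics cookie
  cookies.register("ad_id", "advertising");      // constructed advertising cookie

  const results = {};
  results.sessionBeforeConsent = cookies.set("session_id", "s-1");     // allowed
  results.analyticsBeforeConsent = cookies.set("analytics_id", "a-1"); // blocked
  cookies.grant("analytics");
  results.analyticsAfterConsent = cookies.set("analytics_id", "a-1");  // allowed
  results.adsWithoutConsent = cookies.set("ad_id", "x-1");             // blocked
  cookies.withdraw("analytics");
  results.jarAfterWithdraw = [...cookies.jar.keys()];                  // only session_id
  results.consentRequired = cookies.inventory().filter((c) => c.needsConsent).length;
  return results;
}
```

In a real site the Map would be replaced by writes to document.cookie (or by not loading the third-party script at all until consent), but the decision logic is the same: an unregistered cookie is a gap in the inventory, and a cookie whose purpose lacks consent is never written.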

Page 20: Data protection For CYP Organisations

“After-sales service”

Any queries: [email protected] www.paulticher.com 0116 273 8191
