BSI British Standards Information Governance Workshop Presentation
 

BSI British Standards Information Governance Workshop Presentation. Information Governance Workshop: Where next for Standards? Examines data protection and the role of standards, including BS 10012 for data protection.

Presentation Transcript

  • BSI Information Governance Workshop Where next for Standards? 05 October 2009 Read more at: http://shop.bsigroup.com/ictstandards
  • Agenda
    • 10.00 Introduction
    • 10.10 Review of BS 10012 versus original business case
    • 10.30 BS 10012 success and general feedback
    • 10.50 Briefing for morning workshop
    • 11.00 Workshops to consider BS 10012 and Data Protection
    • 12.00 Feedback from morning workshop teams
    • 12.30 Lunch
    • 13.30 Preservation of electronic records
    • 14.10 Briefing for afternoon workshop
    • 14.15 Workshops to consider preservation of electronic records and information governance
    • 15.00 Feedback from afternoon workshop teams
    • 15.15 Closing remarks
  • Timeline: BSI and Information Governance
    • 1995 Data Protection Directive 95/46/EC implemented; BSI publishes Information Security standard BS 7799
    • 1998 UK Data Protection Act receives Royal Assent
    • 1999 BSI publishes guidance for Data Protection Act (PD 0012); BSI publishes Code of Practice for Legal Admissibility of electronic information (PD 5000)
    • 2000 Freedom of Information Act comes into force; Information Security standard ISO/IEC 17799 published
    • 2001 Records Management standard ISO 15489 published
    • 2002 Freedom of Information (Scotland) Act comes into force; BSI publishes guidance for Records Management ISO 15489
    • 2003 BSI publishes guidance for Freedom of Information Act (BIP 0001)
    • 2005 Information Security ISO/IEC 27000 series published; BSI publishes revised guidance on Legal Admissibility (BIP 0008)
    • 2008 BSI publishes Legal Admissibility standard (BS 10008); BSI publishes revised guidance on Legal Admissibility (BIP 0008)
    • 2009 BSI publishes Data Protection standard (BS 10012)
  • Objectives for today
    • Has BS 10012 achieved what it set out to do?
    • What else needs to be done?
    • What are the issues around Information Governance standardization?
    • How can BSI best serve the Information Governance sector in future?
  • Data Protection Agenda for new ICO
    • Risk, governance and accountability
    • Too important to be left to experts
    • Appetite for simplification and clarity
    • Liberty versus Security balance
    • False comfort of mass data collection
    • Less centralisation / Government collection
    • Data cleansing and wider data quality
    • Privacy by design / Privacy Impact Assessments
    • Reform of EU Directives & International Standards
  • Where next for BSI and Information Governance?
    • Now
      • The first formal standard on data protection, complementary to other data protection publications & information governance standards
      • Need to continue working with stakeholders to meet user needs
    • Next?
      • Ongoing developments in information governance standards
        • Revisions to Information Security ISO/IEC 27000 series (2012)
        • New ISO/IEC Information Security standards relating to Privacy & Identity Management
        • ISO standard for Management System for Records (2012)
      • Increasing ICO powers?
      • Future revisions to European Directives?
      • Societal responses to e.g. increased use of biometrics, etc?
  • Timeline: BSI and Data Protection
    • 1999 BSI publishes guidance to practical implementation of the DPA 1998 (PD 0012); BSI Access & Privacy Editorial Board (APEB) established; assistance and introduction from ICO
    • 2000 First major revision (BIP 0012)
    • 2003 Second major revision (BIP 0012)
    • 2006 Third major revision (BIP 0012)
    • 2007 Workshop identified a stakeholder desire for a formal data protection standard
    • 2008 New project added to BSI work programme for Technical Committee IDT/1 Document Management Applications; drafting panel IDT/1/-/4 set up to develop standard (Chair: Gordon Wanless)
    • 2009 Draft for Public Comment launched on 2nd January for a 3 month period; panel reviews the comments and develops final text; BS 10012 published on 2nd June
  • Original business case (1)
    • Description of the product
    • Working title: “Code of Practice for the Management of Personal Information in Compliance with the Data Protection Act 1998”
  • Original business case (2)
    • Working Scope
    • This Code of Practice gives recommendations for the management of personal information by organisations in both the public and private sectors. It is intended for those who are responsible for initiating, implementing and maintaining compliance with the Data Protection Act 1998 (DPA) within their organisation. It is intended to provide a common ground for the management of personal information, for providing confidence in its management, and for enabling an effective assessment of compliance with the DPA by both internal and external assessors, and by consumers.
  • Original business case (3)
    • Expansion on the title for non-experts
    • The Data Protection Act 1998 implements a European Directive (95/46/EC) and applies to “personal data”, which is defined in the DPA as data relating to living individuals. The DPA requires organizations known as “data controllers” to comply with Eight Data Protection Principles and to notify the Information Commissioner of their data processing (to ensure openness). The DPA also gives individuals or “data subjects” rights of access to their personal data, to object to or to stop certain types of processing, and to sue data controllers for damages when breaches of the law occur.
  • Formation of the drafting panel
    • Panel IDT/1/-/4 formed with the specific task of drafting the standard
    • Gordon Wanless becomes Chairman - Panel supported by BSI Content Developer
    • Expertise taken from Government (including The National Archives), NHS trusts, healthcare, legal, insurance, telecom, banking, education, local authorities, consultancy, consumer & privacy groups
    • ICO aware of work being carried out and provided comments at key stages
  • Public Comment process
    • Launched on 2nd January 2009 – BSI circulated press release
    • Over 500 comments received from over 60 respondents
    • Commenting period closed 31st March 2009
    • IDT/1/-/4 met in April to resolve public comments
    • Final draft circulated to panel and BSI committee in early May 2009 for approval
    • BS 10012 published 2nd June 2009 – launched at DP Forum AGM
  • Launch of BS 10012
    • Launched on 2nd June 2009 at the Data Protection Forum AGM
      • BSI Press Release
      • Survey of 500 Small Medium Enterprises
    • Associated books – www.bsigroup.com/bip0050
    • BSI Conference and Workshop 30th June / 1st July “Information Governance & Data Protection Standards, Guidance and Best Practice”
    • BSI Data Protection Online tool launched 16th September
  • Survey of BSI DP guidance subscribers (2006): DP purchasers by sector (chart categories: Commercial; Local Government; Education; Healthcare & NHS; Government Agency; Museums, Art Galleries; Police; Central Government; Financial; Housing Association; Manufacturing; Charity; Professional Body; Legal; Consultant; Publisher)
  • Survey of BS 10012 users by Sector (chart)
  • Survey of BS 10012 users by organisation (chart)
  • Survey of other BS 10012 users (chart)
  • BSI Research: Data Protection and Public Sector
    • BSI – UK Government Engagement Event, March 2009
    • Key conclusions
      • Reputational harm from DP breach cannot be ignored
      • Cultural issues key to successful compliance
        • Culture change needs senior level champion
        • Clear accountability required for data protection & privacy
      • Particular challenges
        • Supply chain - interface with private sector, other public sector
        • Outsourcing contracts & enforcement of DP requirements
        • Data sharing – what, how, when?
      • Specific guidance needed for different sectors?
  • BSI Research: Data Protection and SMEs
    • BSI survey of UK SMEs, May 2009
    • Key conclusions
      • 20% thought they had unwittingly breached the DPA
      • 32% felt complexity of DPA restricted their compliance capability
      • 43% confirmed there is no one in their business with specific responsibility for data protection
      • 65% provide no data protection training for their staff
      • 15% were not confident that their data sharing practices conform to the DPA
        • 5% frequently share data regardless
      • 18% said that data protection is less of a priority in the current economic climate
  • Marketing & Media Coverage
    • BSI Stakeholders
    • Coverage of BS 10012 widely reported in general & regional news, business, IT, HR, security, legal, manufacturing, financial & public sectors
    • Articles for Financial Services Technology magazine, Business Standards magazine, Information Age
    • BSI Product Marketing (web page, e-shots)
    • Positive reviews (Pinsent Masons, Eversheds, Wragge & Co, Data Council)
    • Broadcast on http://www.smallbusinessadvice.tv
    • Blogs
  • BSI input into Public Consultations
  • ISO TMB Privacy Task Force
    • Recommendations – September 2009
    • ISO lead effort to engage broader standards community to intensify interaction (Conference?)
    • Establish common terminology on privacy and principles (Consult existing committees?)
    • ISO establish live inventory for all committees to share ongoing privacy work
    • Engage with public policy organisations
    • Identify key stakeholders, work streams & standards work that can support international privacy standardisation
    • ‘Privacy technology’ committee to be systematically informed about sector specific needs in order to address their own work programme
  • Topic 1
    • What are the main issues for organizations relating to Data Protection?
    • Has data protection become an issue at boardroom level?
    • Can organizations confidently share data with each other?
    • How can organizations become more proactive rather than being reactive to data protection compliance?
  • Topic 2
    • Does BS 10012 (and associated guidance) meet the needs of its users?
    • How does the standards user benefit from using BS 10012?
    • What improvements should it bring to their organization?
    • What do users or organizations need to achieve from using a Data Protection standard?
  • Topic 3
    • Are there any missing or new themes & products to develop? How does BS 10012 link to other standards?
    • Can further ‘sector specific’ guidance be produced?
    • Are there future topics that should be considered?
    • Can BS 10012 be used as part of a suite of Information Governance standards?
    • Can BS 10012 be linked to other ‘technology based’ standards?
  • Topic 4
    • How can BS 10012 relate to European and global requirements?
    • Will an international standard assist global organizations, regions, or those trading across borders?
    • What will be the challenges involved in producing a truly global standard?
    • Can BS 10012 be applied globally in the interim before the publication of an international standard?
    • How can any impact of revisions to EU Directives be captured within the standards making process?
  • Topic 5
    • What are the certification requirements of organizations?
    • Is it desirable for an organization to become certified to the standard?
    • What are the primary benefits and drivers for certification?
    • Is this unique to certain sectors, or specific parts of organizations?
    • Are there any disadvantages to certification?
  • Topic 6
    • What are the training requirements of users?
    • Do users undertake Data Protection training?
    • How do users currently obtain Data Protection training?
    • What are the different ways that such training can be delivered?
    • Can training based around the standard benefit organizations?
  • Topics 1, 2, 3
    • Topic 1: What are the main issues for organizations relating to Data Protection?
    • Topic 2: Does BS 10012 (and associated guidance) meet the needs of its users?
    • Topic 3: Are there any missing or new themes & products to develop? How does BS 10012 link to other standards?
  • Topics 4, 5, 6
    • Topic 4: How can BS 10012 relate to European and global requirements?
    • Topic 5: What are the certification requirements of organizations?
    • Topic 6: What are the training requirements of users?
  • Electronic preservation
    • The problem:
    • Information stored in an electronic form has a finite life (retention period)
      • Storage media may become obsolete
      • Electronic format may be incompatible with retrieval software
    • Retention requirements may exceed this finite life
    • It may be necessary to demonstrate authenticity at any time
  • Electronic preservation
    • Storage media
    • Information stored in an electronic form always has a finite life
    • Longevity of storage media
      • Support by manufacturer
      • Reliability of off-line media in store
    • New technologies provide faster / cheaper storage
    • If storage media is changed, a migration process is required
    • Costs / resource requirements
    • Proof of integrity / completeness
  • Electronic preservation
    • Electronic format
    • How long will a particular electronic format be supported?
    • Is there a need for a long term storage format?
    • If electronic format is changed, a conversion process is required
    • Costs / resource requirements
    • Proof of integrity / completeness
    • Accuracy of rendition
  • Electronic preservation: What we have now (1)
    • Long term preservation
      • ISO/TR 18492:2005 - Long-term preservation of electronic document-based information
      • ‘How to’ guide - Digital records preservation, JWG (TC 46/SC 11 & TC 171)
    • Storage media
      • ISO/TR 10255 - Document management - Optical disk storage technology - Management and standards (at final proof stage)
      • ISO 12142:2001 - Electronic imaging - Media error monitoring and reporting techniques for verification of stored data on optical digital data disks (in ballot for withdrawal, replaced by:)
      • ISO 23868:2008 - Document management - Monitoring and verification of information stored on 130mm optical media
  • Electronic preservation: What we have now (2)
    • Processes
      • ISO/NP XXXXX Digital records conversion and migration processes (Records management)
    • Use of microfilm
      • ISO 11506:2009 - Document management applications - Archival of electronic data - Computer Output Microform (COM) / Computer Output Laser Disc (COLD)
    • Authenticity
      • ISO 12654:1997 - Electronic imaging - Recommendations for the management of electronic recording systems for the recording of documents that may be required as evidence, on WORM optical disk (Adopted as BS 7768 in UK)
      • ISO/TR 15801:2004 - Electronic imaging - Information stored electronically - Recommendations for trustworthiness and reliability (revision due 2009)
  • Electronic preservation: What we have now (3)
    • Electronic preservation formats
      • ISO 32000-1:2008 - Document management - Portable Document Format - PDF 1.7
      • ISO/NWI 32000-2 - Document management - Portable Document Format - PDF X
      • ISO 19005-1:2005 Document management - Electronic document file format for long-term preservation - Use of PDF 1.4 (PDF/A-1)
      • ISO/CD 19005-2 Document management - Electronic document file format for long-term preservation (PDF/A) - PDF 1.7 (Due 2009/10)
      • ISO 24517-1:2008 - Document management - Engineering document format using PDF - Use of PDF 1.6 (PDF/E-1)
      • ISO/NWI 14289 - PDF / Universal Access
  • Electronic preservation: What we have now (4)
    • BSI publications
    • Preservation
      • BIP 0089:2008 A manager’s guide to the long-term preservation of electronic documents
    • Authenticity
      • BS 10008:2008 Evidential weight and legal admissibility of electronic information
      • BIP 0008:2008 Code of practice for implementing BS 10008
  • Electronic preservation
    • What we have now (5)
    • Other Information Governance topics:
    • Records Management
    • ISO 15489:2001 Records management
      • Part 1 – General
      • Part 2 – Guidelines
    • BIP 0025 series supports ISO 15489
    • Information Security Management
    • ISO 27000 series – Information Security Management
    • BIP 0071-75 supports ISO 27000 series
    • BS 25999 – Business continuity management
    • BIP 0020:2008 – Securing email and electronic messages
  • Survey of BS 10008 users by Sector (chart)
  • Electronic preservation: Where do we go from here? Workshop topics:
    • 1. Electronic preservation – do we need more guidance? How do we get more take-up with PDF/A?
    • 2. Legal admissibility – still seems to be an issue – how do we solve the issue?
    • 3. Information Governance is growing in stature – what guidance is needed? What existing standards topics need to be included within Information Governance?
  • Topic 1
    • What are the issues for the user with regard to electronic preservation?
    • Do we need more guidance to assist users with the technologies?
    • How do we get more take-up with PDF/A?
    • Are there specific sector products that can be developed?
  • Topic 2
    • What are the issues for the user with regard to legal admissibility of electronic documents?
    • How do the needs for public and private sectors differ?
    • Can compliance schemes and self assessment tools assist users of BS 10008?
    • Can BSI improve its products to assist organizations?
    • Can BS 10008 be linked to other topics?
  • Topic 3
    • What do stakeholders need from BSI in relation to Information Governance?
    • What additional guidance is needed?
    • How can guidance on Freedom of Information be delivered?
    • What topics should BSI include within the Information Governance portfolio?
    • Would more regular BSI workshops & stakeholder events benefit the user?