BSI Data Protection Brochure - accessible version - A consumer’s guide to protecting personal information

A consumer’s guide to protecting personal information

British Standard BS 10012:2009 Data protection – specification for a personal information management system

Every time you use your supermarket reward card, contact your bank, use NHS services or buy something online, organisations collect and store certain information about you – this might be your name, address, date of birth, medical history, bank details, credit card number or even your shopping habits.

Used correctly this information can make your life easier. But, if it is used incorrectly, or falls into the wrong hands, you could become a victim of identity theft or fraud. This is where criminals use your personal information to get credit cards, open bank accounts, claim benefits, and even get new passports in your name. This could cost you dearly and take a lot of time and effort to sort out. According to the Home Office, identity theft costs UK consumers around £1.2 billion each year.¹

You can protect your personal data by keeping information in a safe place and being careful who you give your details to. But how can you be sure that organisations, such as councils, GPs, hospitals, banks, insurers, online stores and supermarkets are using your personal information correctly and keeping it safe?

The law

The Data Protection Act 1998 is there to make sure that organisations collect only relevant and accurate information, store it safely and use it correctly. The Act also gives you the right to find out what information an organisation holds about you on paper and on computer records.

But the Act doesn’t guarantee the safe-keeping of your personal data. A 2009 survey conducted by the British Standards Institution found that 1 in 5 businesses admitted to unwittingly breaching the Data Protection Act. Of these, nearly half said they had breached the Act more than once and an additional 18% said they were not sure whether they had or not.

The Data Protection Act sets out eight principles that organisations must adhere to, but it doesn’t give them any guidance on what to do or how to manage personal information effectively and lawfully.

So, even organisations that want to comply with the Act can find it confusing and difficult. British Standard BS 10012 helps to fill that gap. It has been specifically written to help organisations meet the requirements of the Data Protection Act and gives companies step by step guidance on how to manage the information they hold about their customers.

BS 10012 – The basics

The British Standard for data protection was first published in June 2009. It is the first standard of its kind in the area of data protection. The standard can be used by organisations of any size, and in any sector. It provides a clear framework for UK organisations that want to comply with data protection law, helping them to create a tailored management system for personal data.

The standard gives detailed guidance in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties. However, the standard is voluntary so organisations do not have to sign up to it.

¹ Survey by The Identity Fraud Steering Committee (IFSC), published October 2008.


What are British Standards?

The British Standards Institution (BSI) has been developing standards for over 100 years to make products and services safer for consumers. Standards set out good practice and guidelines for organisations to follow. It’s not compulsory for organisations to sign up to a standard, so you can feel confident that those that choose to comply with British Standards take safety and customer service seriously.
BS 10012 – What should you expect?

A clear policy

• A senior management team should be responsible for creating and maintaining a data protection policy that sets a clear framework for good practice and for complying with the law.
• The policy should follow the 15 commitments set out in the standard.

Clear responsibility

• A member of senior management should be accountable for the management of personal information within the organisation.
• One or more people should be responsible for making sure that the company complies with the policy on a day-to-day basis and that the Personal Information Management System (PIMS) is updated when changes happen within the company.
• The organisation should be able to demonstrate their competence in understanding data protection legislation and good practice.
• Adequate resources should be allocated to the PIMS.

Education and training

• The details and importance of the data protection policy should be clearly communicated to all members of staff that handle data.
• Relevant staff should be made aware of the PIMS and receive ongoing training.

Use of personal information

• Information collected should be relevant and not excessive to needs.
• Information should be accurate and kept up to date.
• Information should not be kept any longer than necessary and should be disposed of safely.
• To identify any potential problems organisations should make an inventory of the types of data they collect and how it is used.
• Organisations should have procedures in place to ensure that personal information is used fairly and lawfully.
• All customers providing information to the organisation should be given a ‘privacy notice’ or online privacy statement before they hand over any details, clearly telling them how their personal information will be used.
• Information should only be used for the purposes specified – if companies want to use it for something else they should let you know beforehand.
• Information can only be passed to third parties if customers agree. Third parties can only use personal information for reasons specified to the customer.
• Organisations must make sure that personal information is protected against loss, damage or theft by using appropriate security measures.
• Access to personal information should be restricted to those members of staff that actually need it.
• All staff handling data should know what to do if security is breached in any way.
• All consumers should be sent copies of their personal data held by the organisation, on request.

Regular checks

• Audits should be carried out at planned intervals to make sure that the PIMS is operating in accordance with policy and procedures.
• Any problems should be flagged up to management so that they can be resolved as quickly as possible.
• There should be regular management reviews to make sure that the system remains effective and is updated when needed.

Complaints

• The organisation should create a complaints and appeals procedure to make it easy for customers that have complaints about the processing of their personal information.

USEFUL INFORMATION

British Standards Institution (BSI) – 020 8996 9001 – www.bsigroup.com
Information Commissioner’s Office (ICO) – 0303 123 1113 (helpline), 9am to 5pm, Monday to Friday – www.ico.gov.uk
CIFAS (UK Fraud Prevention Service) – www.cifas.org.uk
www.identitytheft.org.uk
www.actionfraud.org.uk
Checklist

✓ At home, keep your personal information safe.
✓ Think carefully before supplying your personal information to any organisation.
✓ Does the organisation you’re dealing with use BS 10012? If you’re not sure, then ask.
✓ When asked for personal information, you should receive a clear statement of what the organisation is collecting it for and be asked to agree to it.
✓ If you have concerns, ask for a copy of the personal information that the organisation holds about you.

Frequently asked questions

Q. Do all organisations have to follow BS 10012?

A. No, the standard is voluntary and it is up to individual organisations to sign up to the standard if they choose. Those that do should follow the guidelines it lays out. In the event of a major data breach, the Information Commissioner’s Office will look for evidence that compliance with data protection legislation was being taken seriously, and application of BS 10012 could be considered an example of this.

Q. Who do I complain to if I think that my personal information has not been handled according to the eight principles of the Data Protection Act?

A. Contact the Information Commissioner’s Office for help. Complaints are usually dealt with informally but, if this isn’t possible, enforcement action can be taken.

BSI Group Headquarters
389 Chiswick High Road, London W4 4AL, UK
Tel +44 (0)20 8996 9001
Fax +44 (0)20 8996 7001
www.bsigroup.com

© BSI copyright – raising standards worldwide™