Data Protection for CYP organisations
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

Data Protection overview
∗ Prevent harm to the individuals whose data we hold, or to other people (How?)
∗ Reassure people that we use their information responsibly, so that they trust us (How?)
∗ Comply with specific legal requirements (Such as?)

Preventing harm
∗ Keep information only in the right hands
∗ Hold accurate, good quality data

Reassuring people so that they trust us
∗ Be transparent – open and honest; don’t hide things or go behind people’s backs
∗ Offer people a reasonable choice over how you use their data, and what for

Additional legal obligations
∗ Right to opt out of direct marketing
∗ Right of Subject Access
∗ Notification
∗ (And others)

The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Security (Principle 7)
Security is about ensuring that the boundaries set by your confidentiality policies are protected, so that information does not fall into the wrong hands. The Data Protection Act says you must take measures against:
∗ unauthorised or unlawful processing of personal data (including unauthorised access)
∗ accidental loss, destruction or damage of personal data
The security measures must be appropriate to the harm that could result and the nature of the data. They must also be both technical and organisational. The Information Commissioner can impose a monetary penalty of up to £500,000 for serious breaches of security.

Penalties for security breaches
∗ Herts. County Council twice faxed details of child abuse cases to the wrong people
∗ Ealing & Hounslow councils were held jointly responsible when an unencrypted laptop containing 1,700 clients’ details was stolen from an employee’s house
∗ Worcs. County Council e-mailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients
∗ Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved
∗ A lawyer’s website was hacked and details of at least 6,000 people leaked

Lessons from security breaches
∗ ‘Data in transit’ is where most serious breaches occur
∗ Simple mistakes are usually the cause:
  ∗ Sending things to the wrong people – by fax, e-mail or in the post – or losing laptops, USB sticks, etc.
∗ Disclosing confidential material, even about only one or two people, is serious
∗ Laptops, and any USB stick or other removable media carrying personal data, must be encrypted
∗ Your website’s security is your responsibility as data controller, even if someone else built or hosts it
Cloud computing
(Diagram: services an organisation may have moved to the cloud – ISP, e-mail, web site, backup, word processing, database, photos, and an unlabelled ‘?’ for the ones you have not yet thought of.)

Cloud computing characteristics
Cheap and flexible, especially for small organisations:
∗ Standard offering
∗ Available anywhere there is an internet connection
∗ Suppliers claim good security and service levels
Based on:
∗ Shared facilities
∗ Location of data irrelevant to the supplier (and may be obscure to you)
∗ May be layers of sub-contract

Cloud examples
∗ Office programs (Microsoft 365, Google Apps)
∗ Storage & processing capacity (Amazon)
∗ Contact management database (Salesforce, CiviCRM)
∗ Photo/video storage and sharing (Picasa, YouTube)
∗ Online meetings & phone calls (GoToMeeting, Skype)
∗ Social networking sites when used by organisations

Security and the cloud
∗ Breaches do occur
∗ Standard terms and conditions often non-negotiable
∗ Due diligence
  ∗ Understand what you are checking
  ∗ International standards
    ∗ ISO/IEC 27000 series (published by ISO/IEC; it grew out of the British Standard BS 7799)
    ∗ self-assessment against the standard is less reliable than certification by an independent body
    ∗ check the credentials of the certifying company (it should itself be accredited)
    ∗ relevance & scope: a certificate covers only what is listed in its scope and in the ISO 27001 Statement of Applicability, which may not include the service you are buying
    ∗ HMG Security Policy Framework substantially based on ISO 27000
    ∗ SAS 70 (US) – an auditing standard for reporting on a service organisation’s controls, not a security standard (superseded by SSAE 16 / SOC reports in 2011)

What else can go wrong?
∗ Loss of service
  ∗ at their end
  ∗ at your end
∗ Retrieving your data if the service ceases or you get into a dispute
∗ Contract terms which allow the supplier to make use of your data (mainly consumer-oriented services)
∗ Unclear ownership/location of data and the equipment it is stored on (within the EEA, Principle 8 on transfers abroad does not restrict you; outside it, it does)
∗ Unilateral changes in policy by the provider

And finally …
∗ Most countries have laws allowing authorities to access data
∗ US Patriot Act ostensibly anti-terrorist
  ∗ has also been used in non-terrorist cases
  ∗ supplier may not agree (or even be allowed) to inform the customer of access
∗ Include this in your risk assessment

So what do you need to do?
∗ Check the contract (or standard terms and conditions) very carefully on areas like:
  ∗ security
  ∗ location of data (especially if it could be outside the EEA)
  ∗ liability/sub-contractors
  ∗ back-up/access
  ∗ copyright (e.g. Google)
∗ Use your findings to make and record a risk assessment, and get authorisation to proceed
∗ Be transparent with your Data Subjects
The new cookie law
∗ Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26th May 2011
∗ Information Commissioner announced a year’s grace before enforcement action would be taken
∗ Information Commissioner issued guidance in December 2011, updated May 2012

What the Regulations say
∗ You must not store information (e.g. through a cookie) on, or gain access to information stored on, someone else’s computer unless:
  ∗ they have clear and comprehensive information about the purpose; and
  ∗ they have given consent
∗ You only have to ask them the first time
∗ They can consent through browser settings (but …)
∗ You don’t need consent for cookies that are ‘strictly necessary’ to provide a service the user has asked for (e.g. a shopping basket or login session) – not merely cookies the website owner finds useful

What the Information Commissioner says
∗ He wants ‘good solutions rather than rushed ones’.
∗ No ‘wave of knee-jerk formal enforcement action’ as long as people are making the effort to comply.
∗ There are ‘pockets of good practice’ and while he ‘cannot endorse specific products or services’, there are ‘people going about this the right way’.
∗ Analytics cookies are covered, but not a priority.

What do we need to do?
∗ Document what cookies we have
∗ Assess how intrusive they are
∗ Decide whether we really need them all
∗ Provide appropriate information
  ∗ In the privacy statement
  ∗ At appropriate points on the website
∗ Decide what we need consent for and how to get it
∗ Work out how people can withdraw consent
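As an added example (not part of the presentation, and not any product’s code), the JavaScript below shows one way to carry the steps above into a website: a documented cookie inventory, a gate that sets ‘strictly necessary’ cookies freely but holds back every other cookie until consent for its category has been recorded, a withdrawal routine that also deletes the cookies already set, and an audit of an existing cookie string for undocumented or unconsented cookies. The cookie names, purposes and category labels are constructed for illustration, and the in-memory CookieJar stands in for the browser’s store so the code runs outside a browser; in a real page the jar would read and write document.cookie.

```javascript
'use strict';

// Step 1: document every cookie the site sets and classify it.
// Constructed inventory for illustration; not the presenter's.
const COOKIE_INVENTORY = {
  session_id: { category: 'strictly-necessary', purpose: 'keeps the user logged in' },
  basket:     { category: 'strictly-necessary', purpose: 'remembers items in the shopping basket' },
  _ga:        { category: 'analytics',          purpose: 'web analytics' },
  ad_id:      { category: 'advertising',        purpose: 'behavioural advertising' },
};

// Stand-in for the browser cookie store so the example runs in Node.
// In a page, set/delete would write document.cookie (delete = expire in the past).
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()]; }
}

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
// Only the first '=' separates name from value; later ones belong to the value.
function parseCookieString(str) {
  const out = new Map();
  for (const part of str.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? '' : trimmed.slice(eq + 1);
    out.set(name, value);
  }
  return out;
}

class ConsentGate {
  constructor(jar, inventory) {
    this.jar = jar;
    this.inventory = inventory;
    this.consented = new Set(); // categories the visitor has agreed to
  }

  // Consent is recorded per category (purpose), not per cookie.
  grant(categories) { categories.forEach((c) => this.consented.add(c)); }

  // Withdrawal removes the category and deletes cookies already set under it.
  withdraw(categories) {
    for (const c of categories) {
      this.consented.delete(c);
      for (const [name, entry] of Object.entries(this.inventory)) {
        if (entry.category === c) this.jar.delete(name);
      }
    }
  }

  // The gate: returns true if the cookie was set, false if blocked for lack
  // of consent. Undocumented cookies are refused, which keeps the inventory honest.
  set(name, value) {
    const entry = this.inventory[name];
    if (!entry) throw new Error(`undocumented cookie "${name}": add it to the inventory first`);
    if (entry.category !== 'strictly-necessary' && !this.consented.has(entry.category)) {
      return false;
    }
    this.jar.set(name, value);
    return true;
  }
}

// Audit what is already on the visitor's machine (e.g. document.cookie) against
// the inventory and the consent state.
function auditCookieString(cookieString, inventory, consented) {
  const undocumented = [];
  const withoutConsent = [];
  for (const name of parseCookieString(cookieString).keys()) {
    const entry = inventory[name];
    if (!entry) { undocumented.push(name); continue; }
    if (entry.category !== 'strictly-necessary' && !consented.has(entry.category)) {
      withoutConsent.push(name);
    }
  }
  return { undocumented, withoutConsent };
}

// Privacy-statement text generated from the inventory, so the notice cannot
// drift away from what the site actually sets.
function cookieNotice(inventory) {
  return Object.entries(inventory)
    .map(([name, e]) => {
      const basis = e.category === 'strictly-necessary' ? 'no consent needed' : 'set only with your consent';
      return `${name}: ${e.purpose} (${e.category}, ${basis})`;
    })
    .join('\n');
}
```

Run the audit on page load before any script sets cookies; anything it reports as undocumented is a cookie the inventory (and therefore the privacy statement) has missed, and anything reported as set without consent is a cookie to delete and re-gate.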
“After-sales service”
∗ Any queries:
  ∗ paul@paulticher.com
  ∗ www.paulticher.com
  ∗ 0116 273 8191