Personal data protection and Information security Presentation to HKCSS Charles Mok Internet Society Hong Kong 2008.06.05

Data protection principle in PDPO Principle 1 -- Purpose and manner of collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject. Principle 2 -- Accuracy and duration of retention. This provides that personal data should be accurate, up-to-date and kept no longer than necessary. Principle 3 -- Use of personal data. This provides that unless the data subject gives consent otherwise personal data should be used for the purposes for which they were collected or a directly related purpose. Principle 4 -- Security of personal data. This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable). Principle 5 -- Information to be generally available. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used. Principle 6 -- Access to personal data. This provides for data subjects to have rights of access to and correction of their personal data.

Principle 1 -- Purpose and manner of collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.

Principle 2 -- Accuracy and duration of retention. This provides that personal data should be accurate, up-to-date and kept no longer than necessary.

Principle 3 -- Use of personal data. This provides that unless the data subject gives consent otherwise personal data should be used for the purposes for which they were collected or a directly related purpose.

Principle 4 -- Security of personal data. This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).

Principle 5 -- Information to be generally available. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.

Principle 6 -- Access to personal data. This provides for data subjects to have rights of access to and correction of their personal data.

What happened? Hospital Authority 10 cases: USB storage, digital camera, notebook, PDA, MP3 player HSBC IMMD, Police Foxy But it was worse in the UK 10/07: 2 computer discs were lost in the mail by the tax authority, with personal data of 25M citizens, including names, addresses, national insurance numbers, and information on almost all children under 16 in Britain. (Password protection but no encryption.)‏

Hospital Authority

10 cases: USB storage, digital camera, notebook, PDA, MP3 player

HSBC

IMMD, Police

Foxy

But it was worse in the UK

10/07: 2 computer discs were lost in the mail by the tax authority, with personal data of 25M citizens, including names, addresses, national insurance numbers, and information on almost all children under 16 in Britain. (Password protection but no encryption.)‏

2007: Worst year in UK privacy history 22 February - 80 passports are lost in the post every month, it's revealed - 1,000 peoples' data compromised 28 February - A laptop containing details of Worcestershire County council employees was stolen - 16,000 23 March - A CD which contained personal details relating to past and present Torbay Council staff and councillors vanished in the post - 6,500 27 March - Halifax allowed details of mortgage customers to go astray after the briefcase holding the documents was stolen from a member of staff's car - 13,000 16 April - A laptop stolen from the King's Mill Hospital in Nottinghamshire contained data on children aged between eight months and eight years, including their names, addresses and dates of birth - 11,000 27 April - MTAS published the details of junior doctors' medical applications online - 1,000 3 May - A laptop computer containing personal and bank details of people at the Royal Cornwall Hospitals Trust was stolen - 5,000 9 May - Standard Life admitted some of its customers may have been affected by a security breach in which individuals' personal financial information was sent to others by mistake. - 300 14 May - Marks & Spencer company laptop theft was stolen - 26,000 20 May - TK Maxx reveals world's largest ever credit card hackers fraud which affected some UK customers. Estimated numbers affected - worldwide total 200m - 5,000,000 7 June - Details of Bank of Scotland mortgage customers were on a disk lost in the post - 62,000 14 June - A computer containing personal details of hundreds of staff at the Eden project was stolen from a car - 500 30 August - Monster job-seeking site hacked and contact details of all users stolen - 3,100,000 18 September - A former employee downloaded confidential information from a Pfizer computer system without the company's knowledge - 34,000 21 September - St Edmundsbury Council staff member had a laptop with staff details stolen – 1,400 3 November - HMRC admitted a courier had lost the records of Standard Life customers. - 15,000 5 November - Personal details and scans of patients' retinas on a stolen laptop taken from St Julian's GP surgery in Newport - 1,000 20 November - Alistair Darling reveals the loss of all data on child benefit claimants – 25,000,000 27 November - Newcastle City Council accidentally compromised the personal data of credit card holders because of a computer server error by a member of staff - 50,000

22 February - 80 passports are lost in the post every month, it's revealed - 1,000 peoples' data compromised

28 February - A laptop containing details of Worcestershire County council employees was stolen - 16,000

23 March - A CD which contained personal details relating to past and present Torbay Council staff and councillors vanished in the post - 6,500

27 March - Halifax allowed details of mortgage customers to go astray after the briefcase holding the documents was stolen from a member of staff's car - 13,000

16 April - A laptop stolen from the King's Mill Hospital in Nottinghamshire contained data on children aged between eight months and eight years, including their names, addresses and dates of birth - 11,000

27 April - MTAS published the details of junior doctors' medical applications online - 1,000

3 May - A laptop computer containing personal and bank details of people at the Royal Cornwall Hospitals Trust was stolen - 5,000

9 May - Standard Life admitted some of its customers may have been affected by a security breach in which individuals' personal financial information was sent to others by mistake. - 300

14 May - Marks & Spencer company laptop theft was stolen - 26,000

20 May - TK Maxx reveals world's largest ever credit card hackers fraud which affected some UK customers. Estimated numbers affected - worldwide total 200m - 5,000,000

7 June - Details of Bank of Scotland mortgage customers were on a disk lost in the post - 62,000

14 June - A computer containing personal details of hundreds of staff at the Eden project was stolen from a car - 500

30 August - Monster job-seeking site hacked and contact details of all users stolen - 3,100,000

18 September - A former employee downloaded confidential information from a Pfizer computer system without the company's knowledge - 34,000

21 September - St Edmundsbury Council staff member had a laptop with staff details stolen – 1,400

3 November - HMRC admitted a courier had lost the records of Standard Life customers. - 15,000

5 November - Personal details and scans of patients' retinas on a stolen laptop taken from St Julian's GP surgery in Newport - 1,000

20 November - Alistair Darling reveals the loss of all data on child benefit claimants – 25,000,000

27 November - Newcastle City Council accidentally compromised the personal data of credit card holders because of a computer server error by a member of staff - 50,000

27 November - Abbott, the £40bn pharmaceutical giant lost current and ex-employee records containing names, bank account details, and National Insurance numbers, in transit to its payroll office in Queenborough, Kent – 64,000 29 November - An employee with online finance firm loans.co.uk sold on sensitive customer files. - 250,000 29 November - A package containing details of pension benefit statements was lost after being sent from the Scottish Public Pensions Agency to NHS Greater Glasgow - 200 2 December - CDs with the names, addresses, dates of birth and National Insurance numbers of thousands of people receiving benefits up and down the country were found at the home of a former contractor to the Department for Work and Pensions - 18,000 5 December - The names, dates of birth and national insurance numbers of people claiming housing and council tax benefits in Kirklees, West Yorkshire were lost en route to the government - 45,000 5 December - Names, addresses and ages of Warwickshire teenagers went missing in the post. The details of pupils taking vocational courses alongside their school work went missing after they were posted to a consultancy firm - 200 7 December - Personal details of drivers were sent to strangers by mistake by the DVLA - 1,200 8 December - Bank account numbers, national insurance numbers, names, addresses and dates of birth were on a laptop stolen from a Citizens Advice Bureau staff member's car in Belfast - 60,000 11 December - Leeds Building Society has mislaid data containing the personal information of its entire workforce - 1,000 12 December - Trade unions on Merseyside also revealed that personal details health authority staff had been sent out to private firms - 1,800 16 December - Reports emerge that a HMRC worker reported in October that his laptop containing data was stolen from a car - 2,000 17 December - Ruth Kelly admits the loss of learner drivers' data when a hard drive was lost in Iowa - 3,000,000 20 December - HMRC lost the details of Countrywide Assured policyholders - 6,500 21 December - Skipton, the financial giant, had a laptop stolen with customer details on - 14,000 26 December - Nine NHS trusts admitted losing confidential patient records - 168,000 27 December - Devon and Cornwall police left a floppy disk with employee details in a computer sent for recycling - 6,000 27 December - Northern Ireland DVLA lost details on two discs being sent to the Swansea DVLA - 7,700 TOTAL DATA LOSS – 36,989,300 (Source: Liberal Democrats' research)‏ 2007: Worst year in UK privacy history

27 November - Abbott, the £40bn pharmaceutical giant lost current and ex-employee records containing names, bank account details, and National Insurance numbers, in transit to its payroll office in Queenborough, Kent – 64,000

29 November - An employee with online finance firm loans.co.uk sold on sensitive customer files. - 250,000

29 November - A package containing details of pension benefit statements was lost after being sent from the Scottish Public Pensions Agency to NHS Greater Glasgow - 200

2 December - CDs with the names, addresses, dates of birth and National Insurance numbers of thousands of people receiving benefits up and down the country were found at the home of a former contractor to the Department for Work and Pensions - 18,000

5 December - The names, dates of birth and national insurance numbers of people claiming housing and council tax benefits in Kirklees, West Yorkshire were lost en route to the government - 45,000

5 December - Names, addresses and ages of Warwickshire teenagers went missing in the post. The details of pupils taking vocational courses alongside their school work went missing after they were posted to a consultancy firm - 200

7 December - Personal details of drivers were sent to strangers by mistake by the DVLA - 1,200

8 December - Bank account numbers, national insurance numbers, names, addresses and dates of birth were on a laptop stolen from a Citizens Advice Bureau staff member's car in Belfast - 60,000

11 December - Leeds Building Society has mislaid data containing the personal information of its entire workforce - 1,000

12 December - Trade unions on Merseyside also revealed that personal details health authority staff had been sent out to private firms - 1,800

16 December - Reports emerge that a HMRC worker reported in October that his laptop containing data was stolen from a car - 2,000

17 December - Ruth Kelly admits the loss of learner drivers' data when a hard drive was lost in Iowa - 3,000,000

20 December - HMRC lost the details of Countrywide Assured policyholders - 6,500

21 December - Skipton, the financial giant, had a laptop stolen with customer details on - 14,000

26 December - Nine NHS trusts admitted losing confidential patient records - 168,000

27 December - Devon and Cornwall police left a floppy disk with employee details in a computer sent for recycling - 6,000

27 December - Northern Ireland DVLA lost details on two discs being sent to the Swansea DVLA - 7,700

TOTAL DATA LOSS – 36,989,300 (Source: Liberal Democrats' research)‏

A new attitude is needed Changing environment The impact of IT and Internet Working outside of office, incl. mobile trend Increasing awareness by the community Legal requirements and consequences From policy to guidelines From education to communications The role of technology Preventing occurrence as much as possible Minimizing the damage when problems occur

Changing environment

The impact of IT and Internet

Working outside of office, incl. mobile trend

Increasing awareness by the community

Legal requirements and consequences

From policy to guidelines

From education to communications

The role of technology

Preventing occurrence as much as possible

Minimizing the damage when problems occur

The need for a new culture It is about people's behavior It is not about: Simply putting blames on the staff Avoiding the use of technology – trading off efficiency and even safety etc. Developing a new corporate culture Convenience vs. security and respect for other people's privacy Legal and institutional safeguards

It is about people's behavior

It is not about:

Simply putting blames on the staff

Avoiding the use of technology – trading off efficiency and even safety etc.

Developing a new corporate culture

Convenience vs. security and respect for other people's privacy

Legal and institutional safeguards

Information security Classification of sensitive information Privacy impact study Security audit Clear, down-to-earth, up-to-date guidelines Reminders Do not ignore physical security Explore and maximize technological means: System design Encryption

Classification of sensitive information

Privacy impact study

Security audit

Clear, down-to-earth, up-to-date guidelines

Reminders

Do not ignore physical security

Explore and maximize technological means:

System design

Encryption

Incident reporting Community expectation Regulatory requirements? Implement incident reporting and handling measures

Community expectation

Regulatory requirements?

Implement incident reporting and handling measures

Application security Before using the system User account control Role-based access right: by grade/rank, needs When using the system Logging on – reminder messages Auto-timeout/logout features Closed workstations for shared mode Control on downloading data After using the system Keeping audit log Checking audit log – random, triggered or rule-based automatic checks

Before using the system

User account control

Role-based access right: by grade/rank, needs

When using the system

Logging on – reminder messages

Auto-timeout/logout features

Closed workstations for shared mode

Control on downloading data

After using the system

Keeping audit log

Checking audit log – random, triggered or rule-based automatic checks

Q&A Thank you! Charles Mok Internet Society Hong Kong [email_address] http://www.isoc.hk http://charlesmok.blogspot.com/ http://www.it360.hk

Thank you!

Charles Mok

Internet Society Hong Kong

[email_address]

http://www.isoc.hk

http://charlesmok.blogspot.com/

http://www.it360.hk