Merit Event - Understanding and Managing Data Protection


Published on

From the 24th of October 2002, the Data Protection Act 1998, which applies to local government, NHS Trusts, Schools, Universities and all UK organisations who process personal information, comes into full force. The Data Protection Act 1998 gives people more rights to have their personal information handled fairly, to object to certain types of processing and to have access to any information held about them.

Who should attend:

These briefings have been designed for those who are responsible for the implementation of the Data Protection Act 1998. The practical as well as the theory will be dealt with and attendees will have the opportunity to discuss Data Protection business issues with experts and other delegates.

Briefing Content:

Morning session - Introduction

a) The Data Protection Act and its Principles
b) Responsibilities
c) Policies and Notification
d) Dealing with sub-contractors
e) Subject Access
f) Manual Records
g) Human Resource

Afternoon Session - Auditing

a) Do you need to Audit?
b) How to Audit
c) Do you know what data you process?
d) Reviewing Responsibilities
e) Procedures and Processes
f) Putting Things Right
g) Demonstrating Compliance

About the eBusiness Club

This training day is being organised as part of the eBusiness Club activities managed on behalf of the Chamber on Merseyside by MERIT (NW) Ltd and supported by leading public and private sector partners. The Merseyside eBusiness club will assist members to achieve the best possible results from their ICT and eBusiness systems. At the same time they will learn about innovations in the market place and hear directly from the leading voices in the industry

Full details about the eBusiness Club can be found online at or alternatively by contacting Ian Bulmer, eBusiness Club Co-ordinator, MERIT (NW) Ltd, One Old Hall Street, Liverpool. L3 9HG. Tel: 0151 285 1400 email:

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Merit Event - Understanding and Managing Data Protection

  1. 1. Data Protection Act 1998 <ul><li>Introduction to </li></ul><ul><li>Data Protection </li></ul><ul><li>Alan Shipman </li></ul><ul><li>Group 5 Training Limited </li></ul>
  2. 2. BSI Training <ul><li>Objective for Session </li></ul><ul><li>To help you understand the </li></ul><ul><li>Data Protection Act 1998, and be able to assess your organisations level of compliance </li></ul>
  3. 3. BSI Training Workshop <ul><li>Agenda </li></ul><ul><li>Definitions </li></ul><ul><li>Data Protection Principles </li></ul><ul><li>Responsibilities </li></ul><ul><li>Policies and Notification </li></ul><ul><li>Dealing with Data Processors </li></ul><ul><li>Subject Access Procedures </li></ul><ul><li>Manual Records </li></ul><ul><li>Human Resource </li></ul>
  4. 4. BSI Training Workshop <ul><li>Agenda </li></ul><ul><li>Do you need to audit </li></ul><ul><li>How to audit </li></ul><ul><li>Data audit </li></ul><ul><li>Responsibilities </li></ul><ul><li>Procedures and processes </li></ul><ul><li>How an audit is carried out </li></ul><ul><li>Corrective Procedures </li></ul><ul><li>Demonstrating compliance </li></ul>
  5. 5. Introductions
  6. 6. Definitions
  7. 7. The Act <ul><li>Data Protection Act 1998 </li></ul><ul><li>‘An Act to make provision for the regulation of the processing of information relating to individuals …’ </li></ul>
  8. 8. The Act <ul><li>EU Data Protection Directive 95/46/EC </li></ul><ul><li>Objectives … </li></ul><ul><li>No restriction on personal data flow in EU </li></ul><ul><li>Right to privacy </li></ul><ul><li>Deadline for implementation </li></ul><ul><li>24 October 1998 </li></ul>
  9. 9. Definitions <ul><li>Personal Data </li></ul><ul><li>Data which relates to a living individual who can be identified from those data, or from those data and other information which is in, or likely to come into, the possession of the data controller </li></ul>
  10. 10. Definitions <ul><li>Processing </li></ul><ul><li>Includes obtaining, holding and carrying out any operation on data </li></ul><ul><li>No requirement that processing is by reference to data subject </li></ul>
  11. 11. The Eight Principles
  12. 12. Principles <ul><li>The 8 Data Protection Principles </li></ul><ul><li>(Schedule 1) </li></ul>
  13. 13. First Principle <ul><li>Personal data shall be processed fairly and lawfully, and in particular, shall not be processed unless:- </li></ul><ul><li>a) at least 1 of the conditions in Schedule 2 is met, </li></ul><ul><li>and </li></ul><ul><li>b) in the case of sensitive personal data, at least 1 </li></ul><ul><li>of the conditions in Schedule 3 is also met </li></ul>
  14. 14. Schedule 2 <ul><li>What is fair? </li></ul><ul><li>Consent </li></ul><ul><li>Contract </li></ul><ul><li>Legal obligation </li></ul><ul><li>Vital interests </li></ul><ul><li>Public functions </li></ul><ul><li>Legitimate interests </li></ul>
  15. 15. Sensitive Data <ul><li>Personal data relating to: </li></ul><ul><li>Racial or ethnic origin </li></ul><ul><li>Political beliefs </li></ul><ul><li>Religious or other beliefs </li></ul><ul><li>Trade union membership </li></ul><ul><li>Physical or mental health </li></ul><ul><li>Sexual life </li></ul><ul><li>Commission of any offence </li></ul><ul><li>Proceedings / convictions for any offence </li></ul>
  16. 16. Schedule 3 <ul><li>What is fair? </li></ul><ul><li>Explicit consent </li></ul><ul><li>Employment law </li></ul><ul><li>Vital interests </li></ul><ul><li>Activities of political, religious or trade unions </li></ul><ul><li>Information made public </li></ul><ul><li>Legal / regulatory proceedings </li></ul><ul><li>Administration of justice </li></ul><ul><li>Medical purposes </li></ul>
  17. 17. Second Principle <ul><li>Personal data shall be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose or purposes </li></ul>
  18. 18. Third Principle <ul><li>Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed </li></ul>
  19. 19. Fourth Principle <ul><li>Personal data shall be accurate and where necessary, kept up to date </li></ul>
  20. 20. Fifth Principle <ul><li>Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose </li></ul>
  21. 21. Sixth Principle <ul><li>Personal data shall be processed in accordance with the rights of data subjects under this Act </li></ul>
  22. 22. Seventh Principle <ul><li>Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data </li></ul>
  23. 23. Eighth Principle <ul><li>Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of Data Protection </li></ul><ul><li>Note: Does not apply if at least 1 of the conditions in Schedule 4 is met </li></ul>
  24. 24. Schedule 4 <ul><li>When can you do it? </li></ul><ul><li>Consent </li></ul><ul><li>Performance of contract with data subject </li></ul><ul><li>Performance of contract with other </li></ul><ul><li>Substantial public interest </li></ul><ul><li>Legal proceedings </li></ul><ul><li>Vital interests </li></ul><ul><li>Public register </li></ul><ul><li>Authorised by the Commissioner </li></ul>
  25. 25. Responsibilities
  26. 26. Responsibilities <ul><li>The ‘Data Controller’ is the organization, but…….. </li></ul><ul><li>Someone must have overall responsibility </li></ul><ul><ul><li>co-ordination role </li></ul></ul><ul><ul><li>ensure that notification is up to date </li></ul></ul><ul><ul><li>ensure that appropriate strategy is implemented </li></ul></ul><ul><ul><li>focal point for queries </li></ul></ul><ul><ul><li>reporting of issues </li></ul></ul>
  27. 27. Responsibilities <ul><li>Policy </li></ul><ul><li>Who writes it </li></ul><ul><li>Who approves it </li></ul><ul><li>Approval by top management (e.g. the Board) demonstrates support and buy-in </li></ul>
  28. 28. Responsibilities <ul><li>Compliance audit </li></ul><ul><li>Is the policy being implemented </li></ul><ul><li>Are individuals following the procedures </li></ul><ul><li>Audit report </li></ul><ul><li>Resolve non-compliances </li></ul><ul><li>Annual report (maybe) </li></ul>
  29. 29. Responsibilities <ul><li>Who! </li></ul><ul><li>Who is actually responsible </li></ul><ul><li>Who will be the first to get it wrong? </li></ul><ul><ul><li>Any member of staff who handles personal data </li></ul></ul>
  30. 30. Responsibilities <ul><li>Training </li></ul><ul><li>Do individuals know what they must do </li></ul><ul><ul><li>when talking to data subjects </li></ul></ul><ul><ul><li>when handling personal data </li></ul></ul><ul><ul><li>during system design </li></ul></ul><ul><ul><li>when deciding security issues </li></ul></ul><ul><li>Ensure no-one acts recklessly </li></ul>
  31. 31. Responsibilities <ul><li>Training </li></ul><ul><li>Give everyone guidelines </li></ul><ul><li>Do they understand their responsibilities </li></ul><ul><li>And what happens if they get it wrong </li></ul>
  32. 32. Responsibilities <ul><li>Subject access </li></ul><ul><li>Who deals with subject access requests </li></ul><ul><li>How are they dealt with </li></ul><ul><ul><li>procedures </li></ul></ul><ul><ul><li>time scales </li></ul></ul><ul><ul><li>fees </li></ul></ul>
  33. 33. Notification
  34. 34. Notification <ul><li>What you have to do </li></ul><ul><li>Review current registration(s) </li></ul><ul><li>Determine timescales </li></ul><ul><li>Categorise your data </li></ul><ul><ul><li>Use the Notification Handbook </li></ul></ul><ul><li>Check security arrangements </li></ul>
  35. 35. Notification <ul><li>Notification </li></ul><ul><li>Check for exemptions </li></ul><ul><ul><li>from notification </li></ul></ul><ul><ul><li>from the Act </li></ul></ul><ul><li>Decide method </li></ul><ul><ul><li>phone </li></ul></ul><ul><ul><li>web </li></ul></ul>
  36. 36. Notification <ul><li>Current registration(s) </li></ul><ul><li>Get details of all registrations </li></ul><ul><li>Find out when each one expires </li></ul><ul><li>As current registrations run out - combine </li></ul><ul><li>When last registration run out - notify </li></ul><ul><li>Or just notify ASAP </li></ul>
  37. 37. Notification <ul><li>Categorise Personal Data </li></ul><ul><li>Get relevant OIC notification template </li></ul><ul><li>Compare with information audit results </li></ul><ul><li>Categorise data </li></ul><ul><ul><li>why have you got it (purpose) - Handbook 3.1.8 </li></ul></ul><ul><ul><li>who is it about (data subject) - Handbook 3.1.9 </li></ul></ul><ul><ul><li>what have you got (data class) - Handbook 3.1.10 </li></ul></ul><ul><ul><li>who might it be disclosed to (recipients) - Handbook 3.1.11 </li></ul></ul>
  38. 38. Notification <ul><li>Check security arrangements </li></ul><ul><li>Comply with BS 7799? </li></ul><ul><li>Security policy / procedures </li></ul><ul><li>Disaster recovery plans </li></ul><ul><li>Security during transfer </li></ul><ul><ul><li>physical </li></ul></ul><ul><ul><li>encryption </li></ul></ul>
  39. 39. Notification <ul><li>Notification </li></ul><ul><li>What information do you need </li></ul><ul><ul><li>identity </li></ul></ul><ul><ul><li>purposes </li></ul></ul><ul><ul><li>for each purpose </li></ul></ul><ul><ul><ul><li>data subject </li></ul></ul></ul><ul><ul><ul><li>data class </li></ul></ul></ul><ul><ul><ul><li>recipients </li></ul></ul></ul><ul><ul><li>what countries are involved </li></ul></ul><ul><ul><li>security measures </li></ul></ul>
  40. 40. Notification <ul><li>How? </li></ul><ul><li>Method </li></ul><ul><ul><li>phone </li></ul></ul><ul><ul><li>web </li></ul></ul><ul><li>What happens next </li></ul><ul><ul><li>check form </li></ul></ul><ul><ul><li>pay fees </li></ul></ul><ul><ul><li>check register </li></ul></ul><ul><li>Keep it up to date (28 days) </li></ul>
  41. 41. Notification <ul><li>Phone Notification </li></ul><ul><li>Be ready </li></ul><ul><li>Contact by phone </li></ul><ul><li>Answer questions </li></ul>
  42. 42. Notification <ul><li>Web Notification </li></ul><ul><li>Where to go </li></ul><ul><li>What do you see </li></ul><ul><li>How does it work </li></ul>
  43. 43. Data Processors
  44. 44. Data Processors <ul><li>Definition </li></ul><ul><li>Process personal data on behalf of a Data Controller, and does not implement its own purposes </li></ul>
  45. 45. Data Processors <ul><li>Responsibilities </li></ul><ul><li>Who is responsible for data processed by a Data Processor? </li></ul><ul><li>The Data Controller - i.e. you! </li></ul>
  46. 46. Subject Access Procedures
  47. 47. Subject Access <ul><li>Whole purpose of Data Protection law is to protect information about living individuals and guard their privacy </li></ul>
  48. 48. Subject Access <ul><li>Procedures </li></ul><ul><li>Who will deal with requests </li></ul><ul><li>How will request be verified </li></ul><ul><ul><li>identity </li></ul></ul><ul><ul><li>in writing </li></ul></ul><ul><ul><li>fees </li></ul></ul><ul><li>What has been requested (reasonable?) </li></ul><ul><li>Keep an audit trail of requests </li></ul>
  49. 49. Subject Access <ul><li>Procedures </li></ul><ul><li>How to respond </li></ul><ul><ul><li>is processing occurring </li></ul></ul><ul><ul><li>don’t correct it! </li></ul></ul><ul><ul><li>copy of the data </li></ul></ul><ul><ul><li>source (if known) </li></ul></ul><ul><ul><li>not disclosed due to exemption </li></ul></ul><ul><ul><li>disproportionate effort </li></ul></ul><ul><ul><li>what if a third party is identified </li></ul></ul><ul><li>When to respond by (40 days) </li></ul>
  50. 50. Subject Access <ul><li>Procedures </li></ul><ul><li>How to handle blocking requests </li></ul><ul><ul><li>made by data subject </li></ul></ul><ul><ul><li>validity </li></ul></ul><ul><ul><li>ensure action </li></ul></ul><ul><ul><li>audit trails </li></ul></ul><ul><li>Compensation </li></ul>
  51. 51. Subject Access <ul><li>Procedures </li></ul><ul><li>Automatic processing </li></ul><ul><ul><li>manual decision override </li></ul></ul>
  52. 52. Manual Records
  53. 53. Manual Records <ul><li>Types </li></ul><ul><li>Now included: </li></ul><ul><ul><li>paper </li></ul></ul><ul><ul><li>microfilm </li></ul></ul><ul><ul><li>CCTV </li></ul></ul><ul><ul><li>voice recording </li></ul></ul><ul><li>Be prepared! </li></ul>
  54. 54. Human Resources
  55. 55. Human Resources <ul><li>Issues </li></ul><ul><li>Personnel files </li></ul><ul><li>Managers own copies </li></ul><ul><li>e-mails </li></ul><ul><li>References </li></ul>
  56. 56. Do you need to audit?
  57. 57. Need to audit? <ul><li>Do you know: </li></ul><ul><li>Where you store personal data? </li></ul><ul><li>Who has access to it? </li></ul><ul><li>How do they use it? </li></ul><ul><li>Are the security measures adequate? </li></ul><ul><li>If NO to any, you need to audit! </li></ul>
  58. 58. What an audit should achieve
  59. 59. Audit objectives <ul><li>What should be achieved? </li></ul><ul><li>Demonstration of compliance </li></ul><ul><li>Improved confidence </li></ul><ul><li>Better procedures </li></ul>
  60. 60. Audit objectives <ul><li>Who is being audited? </li></ul><ul><li>Your own organization </li></ul><ul><ul><li>whole </li></ul></ul><ul><ul><li>part </li></ul></ul><ul><li>A third party </li></ul><ul><ul><li>data processor </li></ul></ul>
  61. 61. Audit objectives <ul><li>Who undertakes DP audits? </li></ul><ul><li>Internal auditor </li></ul><ul><li>External auditor </li></ul><ul><li>Information Commissioner </li></ul><ul><li>Customers </li></ul>
  62. 62. Data audit
  63. 63. Data audit <ul><li>Who knows what is processed? </li></ul><ul><li>Department managers </li></ul><ul><li>Records managers </li></ul><ul><li>IT staff </li></ul><ul><li>Users </li></ul>
  64. 64. Data audit <ul><li>How to audit </li></ul><ul><li>Don’t ask open questions </li></ul><ul><ul><li>What data have you got? </li></ul></ul><ul><li>Create a survey form </li></ul><ul><li>Use the ‘headers’ from the Notification Handbook </li></ul>
  65. 65. Review responsibilities
  66. 66. Responsibilities <ul><li>Are these responsibilities defined? </li></ul><ul><li>Who has specific responsibility </li></ul><ul><li>Who approves policy </li></ul><ul><li>Who audits compliance </li></ul><ul><li>Who trains staff </li></ul><ul><li>Who deals with subject access requests </li></ul><ul><li>Who deals with security issues </li></ul>
  67. 67. Procedures and processes
  68. 68. Processes & procedures <ul><li>Data Protection Policy </li></ul><ul><li>Is there one? </li></ul><ul><li>Has it been approved? </li></ul><ul><li>Is it available to all? </li></ul><ul><li>Are responsibilities included? </li></ul><ul><li>Is the policy policed? </li></ul>
  69. 69. Processes & procedures <ul><li>Data Protection Co-ordinator </li></ul><ul><li>Is there one? </li></ul><ul><li>Conversant with the Act? </li></ul><ul><li>Known to all staff? </li></ul><ul><li>Able to liaise with other departments? </li></ul>
  70. 70. Data Use <ul><li>Fair processing </li></ul><ul><li>When collecting data, is it performed fairly? </li></ul><ul><ul><li>Do users know what they can do (and cannot do) </li></ul></ul>
  71. 71. Data Use <ul><li>Disclosure of data </li></ul><ul><li>Do staff know when to disclose? </li></ul><ul><li>Does the policy include guidelines and training requirements? </li></ul>
  72. 72. People <ul><li>Management of people </li></ul><ul><li>Are there appropriate management strategies for all staff? </li></ul><ul><li>Does this include: </li></ul><ul><ul><li>recruitment? </li></ul></ul><ul><ul><li>training / direction? </li></ul></ul><ul><ul><li>supervision / discipline? </li></ul></ul>
  73. 73. People <ul><li>Management of people </li></ul><ul><li>Is there an effective communications system? </li></ul><ul><li>Is DP compliance in contract of employment? </li></ul><ul><li>Is there a disciplinary procedure? </li></ul>
  74. 74. Documentation <ul><li>Management of documentation </li></ul><ul><li>Are there adequate audit trails? </li></ul><ul><li>Are there documented procedures: </li></ul><ul><ul><li>collection, access, use? </li></ul></ul><ul><ul><li>disclosure? </li></ul></ul><ul><ul><li>transfer? </li></ul></ul><ul><ul><li>disposal? </li></ul></ul>
  75. 75. Documentation <ul><li>Management of documentation </li></ul><ul><li>Are there procedures for: </li></ul><ul><ul><li>data subject explanations? </li></ul></ul><ul><ul><li>recording of subject access requests? </li></ul></ul><ul><ul><li>how to use data correctly? </li></ul></ul><ul><ul><li>staff obligations / authority? </li></ul></ul>
  76. 76. Data quality <ul><li>Data audit </li></ul><ul><li>Are there procedures for ensuring that data is: </li></ul><ul><ul><li>adequate, relevant and not excessive? </li></ul></ul><ul><ul><li>accurate? </li></ul></ul><ul><ul><li>retention and destruction? </li></ul></ul><ul><ul><li>security? </li></ul></ul>
  77. 77. Data quality <ul><li>Data audit </li></ul><ul><li>Do you review data quality? </li></ul><ul><ul><li>effective training and communications? </li></ul></ul><ul><ul><li>authority? </li></ul></ul><ul><ul><li>procedures? </li></ul></ul><ul><ul><li>review new systems? </li></ul></ul>
  78. 78. Data quality <ul><li>Data audit </li></ul><ul><li>Have you reviewed your processing? </li></ul><ul><ul><li>information needs? </li></ul></ul><ul><ul><li>storage formats? </li></ul></ul><ul><ul><li>purposes? </li></ul></ul><ul><ul><li>fair collection? </li></ul></ul><ul><ul><li>fair use? </li></ul></ul>
  79. 79. Data quality <ul><li>Data audit </li></ul><ul><li>Have you reviewed your processing? </li></ul><ul><ul><li>deleted unwanted data? </li></ul></ul><ul><ul><li>information need policy? </li></ul></ul><ul><ul><li>review procedures? </li></ul></ul><ul><ul><li>review responsibilities? </li></ul></ul><ul><ul><li>results documented? </li></ul></ul>
  80. 80. Data quality <ul><li>Data audit </li></ul><ul><li>Have you reviewed your processing? </li></ul><ul><ul><li>results reviewed? </li></ul></ul><ul><ul><li>identify ‘sensitive’ data? </li></ul></ul><ul><ul><li>actions implemented? </li></ul></ul><ul><ul><li>review complete? </li></ul></ul><ul><ul><li>established need? </li></ul></ul>
  81. 81. Data quality <ul><li>Data acquisition </li></ul><ul><li>Is data collection: </li></ul><ul><ul><li>restricted to a minimum? </li></ul></ul><ul><ul><li>justified? </li></ul></ul>
  82. 82. Data quality <ul><li>Data acquisition </li></ul><ul><li>Do data collection procedures: </li></ul><ul><ul><li>identify data need? </li></ul></ul><ul><ul><li>identify minimum requirement? </li></ul></ul><ul><ul><li>justify each item? </li></ul></ul><ul><ul><li>check for alternative source? </li></ul></ul><ul><ul><li>act in the best interests of subject </li></ul></ul><ul><ul><li>authorise collection? </li></ul></ul>
  83. 83. Data quality <ul><li>Data acquisition </li></ul><ul><li>Are data collection forms appropriate? </li></ul><ul><ul><li>paper? </li></ul></ul><ul><ul><li>web? </li></ul></ul><ul><ul><li>verbal? </li></ul></ul><ul><li>Does they include consent requirements? </li></ul>
  84. 84. Data quality <ul><li>Data accuracy </li></ul><ul><li>Do you avoid recording of opinions? </li></ul><ul><li>Where inaccurate data is held: </li></ul><ul><ul><li>is it retained where it is a true record? </li></ul></ul><ul><ul><li>are reasonable steps taken? </li></ul></ul><ul><ul><li>is the data subject notified if necessary? </li></ul></ul>
  85. 85. Data quality <ul><li>Data retention </li></ul><ul><li>Are retention periods justifiable? </li></ul><ul><li>Are retention periods sufficient? </li></ul><ul><li>Has legal advice been taken? </li></ul><ul><li>Have you checked for relevant Codes of Practice? </li></ul>
  86. 86. Data quality <ul><li>Data retention </li></ul><ul><li>Are records up to date? </li></ul><ul><li>Is accuracy checked? </li></ul><ul><li>Is frequency of checking adequate? </li></ul><ul><li>Is inaccurate data deleted where necessary? </li></ul>
  87. 87. Data quality <ul><li>Data destruction </li></ul><ul><li>Is there a retention and destruction policy? </li></ul><ul><li>Are these supported by procedures? </li></ul><ul><li>Is compliance monitoring included? </li></ul><ul><li>Is the retention schedule appropriate? </li></ul>
  88. 88. Data quality <ul><li>Data destruction </li></ul><ul><li>Are there destruction procedures? </li></ul><ul><li>Is inadvertent destruction prevented? </li></ul><ul><li>Are destruction procedures audited? </li></ul>
  89. 89. Security <ul><li>Security procedures </li></ul><ul><li>Is security on the DP agenda? </li></ul><ul><ul><li>technical? </li></ul></ul><ul><ul><li>procedural? </li></ul></ul><ul><li>Supervision and training included? </li></ul>
  90. 90. Security <ul><li>Security measures </li></ul><ul><li>Is there an information security policy, including DP? </li></ul><ul><li>Monitored and reviewed? </li></ul><ul><li>Responsibilities? </li></ul><ul><li>Staff procedures? </li></ul>
  91. 91. Security <ul><li>Security measures </li></ul><ul><li>Suitable technology used? </li></ul><ul><li>Security levels appropriate? </li></ul><ul><li>Security in Data Processor contracts? </li></ul><ul><li>BS ISO 17799? </li></ul>
  92. 92. Security <ul><li>Security threats </li></ul><ul><li>Have these been identified? </li></ul><ul><li>Contingency plans appropriate? </li></ul><ul><li>Recovery times acceptable? </li></ul>
  93. 93. Security <ul><li>Security procedures </li></ul><ul><li>Security of data transfers? </li></ul><ul><li>Security of destruction? </li></ul>
  94. 94. Subject Access Request <ul><li>Procedures </li></ul><ul><li>Is there a documented procedure? </li></ul><ul><li>Does it check for request validity? </li></ul><ul><li>Do you: </li></ul><ul><ul><li>confirm you are processing? </li></ul></ul><ul><ul><li>provide copy of the data? </li></ul></ul>
  95. 95. Subject Access Request <ul><li>Procedures </li></ul><ul><li>Is there a manual override for automated processing? </li></ul><ul><li>Are amendments stopped when a request is being processed? </li></ul><ul><li>Is there a fee charging policy? </li></ul>
  96. 96. Subject Access Request <ul><li>Procedures </li></ul><ul><li>Is the request processed in time? </li></ul><ul><li>Is there an identification procedure? </li></ul><ul><li>Is the person who deals with requests known? </li></ul><ul><li>Do searches include data processors? </li></ul>
  97. 97. Subject Access Request <ul><li>Procedures </li></ul><ul><li>Is data supplied in permanent form? </li></ul><ul><li>Is there a procedure where disproportionate effort is claimed? </li></ul><ul><li>Is the data source disclosed? </li></ul><ul><li>Is there a telephone request procedure? </li></ul>
  98. 98. Subject Access Request <ul><li>Procedures </li></ul><ul><li>Is there a request form? </li></ul><ul><li>Is there a procedure for requests by minors? </li></ul><ul><li>Is there a procedure for requests on behalf of minors? </li></ul>
  99. 99. Subject Access Request <ul><li>Procedures </li></ul><ul><li>Is there a procedure for requests for references? </li></ul><ul><ul><li>are the rights of third parties considered? </li></ul></ul><ul><li>Is there a procedure where objections to processing are received? </li></ul>
  100. 100. How to carry out an audit
  101. 101. Audit process <ul><li>How to audit? </li></ul><ul><li>Project plan </li></ul><ul><li>Identify: </li></ul><ul><ul><li>who should be interviewed </li></ul></ul><ul><ul><li>which processes to review </li></ul></ul><ul><ul><li>how to audit security measures </li></ul></ul><ul><li>Creating awareness </li></ul><ul><li>Use the Workbook! </li></ul>
  102. 102. Audit process <ul><li>BSI-DISC Pre-Audit Workbook </li></ul><ul><li>PD 0012-5 </li></ul><ul><li>Assists and documents audit </li></ul><ul><li>Provides statement of compliance </li></ul><ul><li>Links to procedural documentation </li></ul>
  103. 103. Audit process <ul><li>Document results </li></ul><ul><li>Necessary to demonstrate process and results </li></ul><ul><li>Provides an audit trail of compliance </li></ul><ul><li>Workbook is a great help! </li></ul>
  104. 104. <ul><li>Corrective Actions </li></ul>
  105. 105. Corrective Actions <ul><li>What to do </li></ul><ul><li>Are there any gaps? </li></ul><ul><li>Each gap should be reviewed and corrective action taken </li></ul><ul><li>Look at subject access procedures first </li></ul><ul><li>Use common sense! </li></ul><ul><li>Pretend that it is your data! </li></ul>
  106. 106. <ul><li>Demonstrating Compliance </li></ul>
  107. 107. Data Protection <ul><li>Demonstrating Compliance </li></ul><ul><li>Completed Workbook </li></ul><ul><li>Training records </li></ul><ul><li>Policies </li></ul><ul><li>Records of breaches and actions </li></ul><ul><li>Records of subject access requests </li></ul>
  108. 108. Thank you Any Questions? Alan Shipman 07702-125265 [email_address]