
Personal data protection and information security


Personal data protection and information security - presentation to Hong Kong Council of Social Service -- 2008.06.05

Published in: Technology, Economy & Finance


1. Personal data protection and Information security
   Presentation to HKCSS
   Charles Mok, Internet Society Hong Kong
   2008.06.05
2. Data protection principles in the PDPO
   - Principle 1 -- Purpose and manner of collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.
   - Principle 2 -- Accuracy and duration of retention. This provides that personal data should be accurate, up-to-date and kept no longer than necessary.
   - Principle 3 -- Use of personal data. This provides that, unless the data subject gives consent otherwise, personal data should be used only for the purposes for which they were collected or a directly related purpose.
   - Principle 4 -- Security of personal data. This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).
   - Principle 5 -- Information to be generally available. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.
   - Principle 6 -- Access to personal data. This provides for data subjects to have rights of access to and correction of their personal data.
3. What happened?
   - Hospital Authority
     - 10 cases: USB storage, digital camera, notebook, PDA, MP3 player
   - HSBC
   - IMMD, Police
     - Foxy
   - But it was worse in the UK
     - 10/07: 2 computer discs were lost in the mail by the tax authority, with personal data of 25M citizens, including names, addresses, national insurance numbers, and information on almost all children under 16 in Britain. (Password protection but no encryption.)
4. 2007: Worst year in UK privacy history
   - 22 February - 80 passports are lost in the post every month, it is revealed - 1,000 people's data compromised
   - 28 February - A laptop containing details of Worcestershire County Council employees was stolen - 16,000
   - 23 March - A CD which contained personal details relating to past and present Torbay Council staff and councillors vanished in the post - 6,500
   - 27 March - Halifax allowed details of mortgage customers to go astray after the briefcase holding the documents was stolen from a member of staff's car - 13,000
   - 16 April - A laptop stolen from the King's Mill Hospital in Nottinghamshire contained data on children aged between eight months and eight years, including their names, addresses and dates of birth - 11,000
   - 27 April - MTAS published the details of junior doctors' medical applications online - 1,000
   - 3 May - A laptop computer containing personal and bank details of people at the Royal Cornwall Hospitals Trust was stolen - 5,000
   - 9 May - Standard Life admitted some of its customers may have been affected by a security breach in which individuals' personal financial information was sent to others by mistake - 300
   - 14 May - A Marks & Spencer company laptop was stolen - 26,000
   - 20 May - TK Maxx reveals the world's largest ever credit card hacking fraud, which affected some UK customers. Estimated numbers affected - worldwide total 200m - 5,000,000
   - 7 June - Details of Bank of Scotland mortgage customers were on a disk lost in the post - 62,000
   - 14 June - A computer containing personal details of hundreds of staff at the Eden Project was stolen from a car - 500
   - 30 August - Monster job-seeking site hacked and contact details of all users stolen - 3,100,000
   - 18 September - A former employee downloaded confidential information from a Pfizer computer system without the company's knowledge - 34,000
   - 21 September - St Edmundsbury Council staff member had a laptop with staff details stolen - 1,400
   - 3 November - HMRC admitted a courier had lost the records of Standard Life customers - 15,000
   - 5 November - Personal details and scans of patients' retinas on a stolen laptop taken from St Julian's GP surgery in Newport - 1,000
   - 20 November - Alistair Darling reveals the loss of all data on child benefit claimants - 25,000,000
   - 27 November - Newcastle City Council accidentally compromised the personal data of credit card holders because of a computer server error by a member of staff - 50,000
5. 2007: Worst year in UK privacy history (continued)
   - 27 November - Abbott, the £40bn pharmaceutical giant, lost current and ex-employee records containing names, bank account details, and National Insurance numbers, in transit to its payroll office in Queenborough, Kent - 64,000
   - 29 November - An employee with an online finance firm sold on sensitive customer files - 250,000
   - 29 November - A package containing details of pension benefit statements was lost after being sent from the Scottish Public Pensions Agency to NHS Greater Glasgow - 200
   - 2 December - CDs with the names, addresses, dates of birth and National Insurance numbers of thousands of people receiving benefits up and down the country were found at the home of a former contractor to the Department for Work and Pensions - 18,000
   - 5 December - The names, dates of birth and national insurance numbers of people claiming housing and council tax benefits in Kirklees, West Yorkshire were lost en route to the government - 45,000
   - 5 December - Names, addresses and ages of Warwickshire teenagers went missing in the post. The details of pupils taking vocational courses alongside their school work went missing after they were posted to a consultancy firm - 200
   - 7 December - Personal details of drivers were sent to strangers by mistake by the DVLA - 1,200
   - 8 December - Bank account numbers, national insurance numbers, names, addresses and dates of birth were on a laptop stolen from a Citizens Advice Bureau staff member's car in Belfast - 60,000
   - 11 December - Leeds Building Society mislaid data containing the personal information of its entire workforce - 1,000
   - 12 December - Trade unions on Merseyside also revealed that personal details of health authority staff had been sent out to private firms - 1,800
   - 16 December - Reports emerge that an HMRC worker reported in October that his laptop containing data was stolen from a car - 2,000
   - 17 December - Ruth Kelly admits the loss of learner drivers' data when a hard drive was lost in Iowa - 3,000,000
   - 20 December - HMRC lost the details of Countrywide Assured policyholders - 6,500
   - 21 December - Skipton, the financial giant, had a laptop stolen with customer details on it - 14,000
   - 26 December - Nine NHS trusts admitted losing confidential patient records - 168,000
   - 27 December - Devon and Cornwall police left a floppy disk with employee details in a computer sent for recycling - 6,000
   - 27 December - Northern Ireland DVLA lost details on two discs being sent to the Swansea DVLA - 7,700
   - TOTAL DATA LOSS - 36,989,300 (Source: Liberal Democrats' research)
6. A new attitude is needed
   - Changing environment
     - The impact of IT and the Internet
     - Working outside of the office, incl. the mobile trend
     - Increasing awareness by the community
     - Legal requirements and consequences
   - From policy to guidelines
   - From education to communications
   - The role of technology
     - Preventing occurrences as much as possible
     - Minimizing the damage when problems occur
7. The need for a new culture
   - It is about people's behavior
   - It is not about:
     - Simply putting the blame on staff
     - Avoiding the use of technology, trading off efficiency and even safety
   - Developing a new corporate culture
     - Convenience vs. security and respect for other people's privacy
     - Legal and institutional safeguards
8. Information security
   - Classification of sensitive information
   - Privacy impact study
   - Security audit
   - Clear, down-to-earth, up-to-date guidelines
   - Reminders
   - Do not ignore physical security
   - Explore and maximize technological means:
     - System design
     - Encryption
9. Incident reporting
   - Community expectation
   - Regulatory requirements?
   - Implement incident reporting and handling measures
10. Application security
   - Before using the system
     - User account control
     - Role-based access rights: by grade/rank and by need
   - When using the system
     - Logging on: reminder messages
     - Auto-timeout/logout features
     - Closed workstations for shared mode
     - Control on downloading data
   - After using the system
     - Keeping an audit log
     - Checking the audit log: random, triggered or rule-based automatic checks
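As an added illustration of the controls listed on this slide (role-based access rights by grade, control on downloading data, and rule-based automatic checks of the audit log), here is a small Python checker. It is not code from the presentation; the log line format, the grade threshold, the bulk-export limit and the office hours are all assumptions for the example.

```python
"""Rule-based audit-log checks (constructed example, not the slides' code)."""
from datetime import datetime

# Hypothetical policy values: minimum grade allowed to export records,
# bulk-export threshold, and the office hours outside which access is flagged.
MIN_EXPORT_GRADE = 3
BULK_EXPORT_LIMIT = 100
OFFICE_HOURS = range(8, 19)  # 08:00-18:59

# Constructed sample audit log (not real data). Assumed line format:
# '<ISO timestamp>,<user>,<grade>,<action>,<record_count>'
SAMPLE_LOG = """\
2008-06-05T09:12:00,alice,4,view,1
2008-06-05T09:30:00,bob,2,export,250
2008-06-05T23:05:00,carol,5,view,3
2008-06-05T10:00:00,dave,4,export,40
"""

def parse_line(line):
    """Split one audit-log line into a typed event dictionary."""
    ts, user, grade, action, count = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "grade": int(grade), "action": action, "count": int(count)}

def check_event(ev):
    """Apply each rule to one event; return the names of the rules it tripped."""
    alerts = []
    # Role-based access right: only sufficiently senior grades may export.
    if ev["action"] == "export" and ev["grade"] < MIN_EXPORT_GRADE:
        alerts.append("export_below_grade")
    # Control on downloading data: bulk exports are flagged for review.
    if ev["action"] == "export" and ev["count"] > BULK_EXPORT_LIMIT:
        alerts.append("bulk_export")
    # Access outside office hours is unusual on a shared workstation.
    if ev["ts"].hour not in OFFICE_HOURS:
        alerts.append("after_hours")
    return alerts

def audit(log_text):
    """Return {user: [alerts]} for every event that tripped at least one rule."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = check_event(ev)
        if hits:
            findings.setdefault(ev["user"], []).extend(hits)
    return findings
```

Running `audit(SAMPLE_LOG)` flags bob's under-grade bulk export and carol's late-night access while leaving the routine events alone; the same loop would run as a scheduled job over the real log.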
11. Q&A
   - Thank you!
   - Charles Mok
   - Internet Society Hong Kong
   - [email_address]