This presentation explains what GDPR is and the impact it will have on companies that process the data of EU citizens.
This guide explains the principles of GDPR, consent and user rights, and also explains how to implement GDPR in your organization.
Originally appeared at
http://backlinkme.net/definitive-guide-for-general-data-protection-regulation-gdpr-compliance/
Explores:
1. Introduction to Privacy Regimes in the United States and Abroad
2. Mobile Applications and Devices
3. Lawful Collection and Use of “Big Data”
4. International Privacy and Cross-Border Data Transfers
5. Data Security Requirements and Data Breach Response
6. IT Outsourcing and the Cloud
7. Recent Developments and Emerging Issues
General Data Protection Regulations (GDPR): Do you understand it and are you ... (Cvent)
Whether you’re an event or hospitality professional in a small, medium or large organization, the General Data Protection Regulation (GDPR) is going to affect you. Get prepared with Cvent and Debrah Harding of Market Research Society before the 25th May deadline. GDPR is a new EU regulation, designed for the digital age. GDPR will strengthen an individual's rights and increase business accountability for data privacy and holding personal information. Organizations found breaching the regulations can face fines of up to 20 million Euros or up to 4% of annual global turnover. At Cvent we are already on track to becoming GDPR compliant and we want to advise our industry partners on how to become compliant too.
California Consumer Privacy Act (CCPA): Countdown to Compliance (Tinuiti)
What is CCPA? The California Consumer Privacy Act increases the transparency of the collection and selling of physical and digital data, while providing California residents with more control over what happens to their personal information that companies collect. CCPA is approaching with a compliance deadline of January 2020. With the countdown to compliance less than 6 months away it’s critical to know how this can potentially impact your business in order to avoid violation fines. Join our webinar as we unpack the key requirements and considerations to keep in mind in order to stay compliant. See how CCPA impacts all advertisers, not just Californians.
GDPR is coming for you whether you’re ready or not. Companies must show compliance by May 25, 2018. Take a look at the presentation to learn more about the new law that is going to change the way data is handled across the world. Read about how it affects you and the steps you can take to make sure you’re GDPR ready!
About Extentia Information Technology:
Extentia is a global technology and services firm that helps clients transform and realize their digital strategies. With a focus on enterprise mobility, cloud computing, and user experiences, Extentia strives to accomplish and surpass your business goals. Our team is differentiated by an emphasis on excellent design skills that we bring to every project. Extentia’s work environment and culture inspire team members to be innovative and creative, and to provide clients with an exceptional partnership experience.
www.extentia.com
25th May 2018 marks the enforcement date of EU’s General Data Protection Regulation. This new regulation strives to increase privacy for individuals and penalize businesses in breach. The complexity organizations face in managing consumer data is driving the growth of privacy tech solutions that decisively address a slew of privacy compliance challenges.
Unit 6 Privacy and Data Protection, 8 hr (Tushar Rajput)
Right to Privacy and its Legal Framework, The Concept of Privacy, National Legal Framework for Protecting Privacy, International Legal Framework for Protecting Privacy, Privacy Related Wrongs and Remedies, Data Security, The Concept of Security in Cyberspace, Technological Vulnerabilities, Legal Response to Technological Vulnerabilities, Security Audit (VA/PT), Data Protection, Data Protection Position in India, Privacy Policy, Emerging Issues in Data Protection and Privacy, BPOs and Legal Regime in India, Protect Kids' Privacy Online, Evolving Trends in Data Protection and Information Security
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and... (PECB)
According to Technavio's latest market research report, the data security market value will grow by $2.85 Billion during 2021-2025.
To secure their data, organizations can use the CIA triad (confidentiality, integrity, availability), a data security model that helps organizations and individuals address the various parts of IT security.
The webinar covers:
• Overview Of CIA
• Description of Data Governance vs Information Security vs Privacy
• Relationship of CIA to Data Governance
• Relationship of CIA to Information Security
• Relationship of CIA to Privacy
• How to Implement and Maintain the CIA model (e.g., PDCA, etc.)
Presenters:
Anthony English
Our presenter for this webinar is Anthony English, one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
Date: November 17, 2021
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/eA8uQhdLZpw
Website link: https://pecb.com/
Legal obligations and responsibilities of data processors and controllers und... (IT Governance Ltd)
This webinar covers:
- The definitions of ‘data controller’ and ‘data processor’ under the GDPR.
- The responsibilities and obligations of controllers and processors.
- The data breach reporting responsibilities of controllers and processors.
- The liability of, and penalties that may be imposed on, data processors and controllers.
- The appointment of joint controllers and subcontracting processors.
The webinar can be found here: https://www.youtube.com/watch?v=cyUPGGD3iVg&t=8s
With GDPR coming into effect, we can see a lot of changes in the privacy policies of companies doing business online. The presentation is a description of GDPR and its implications in India and worldwide. The main aim of the presentation is to identify the key issues of data privacy and the rights available to the consumer whose data is to be shared.
SMS Training Slides, Scientific Mediation Seminar, January 2012 (Fabien Gandon)
Slides for "why and how to do scientific mediation on the webs of tomorrow" @inria
https://wiki.inria.fr/mecsci/SMS:2012-01-23#Les_points_cl.C3.A9s_:_ce_quil_faut_savoir_avant_le_SNMS
The slides present data and information systems. In any information system, security and integrity are the prime concerns: how can we make sure that stored data is kept secure and that the information generated from it is accurate, reliable and consistent?
On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force, replacing all existing data protection regulations.
Payroll bureaus process large amounts of personal data in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
BrightPay hosted a free CPD accredited webinar alongside Bright Contracts where we discussed everything that accountants, bookkeepers and payroll bureaus need to know about GDPR.
For more information visit https://www.brightpay.co.uk
Introduction to EU General Data Protection Regulation: Planning, Implementati... (Financial Poise)
The GDPR changed the way the world collects, stores, and sends personal data. The GDPR is a broad EU regulation that requires businesses to protect the personal data of EU citizens, whether the business itself is in the EU or elsewhere. Since its implementation in 2018, companies that collect data on EU citizens must comply with strict rules for the protection of personal data or face heavy fines for non-compliance. This webinar will provide an overview of GDPR’s applicability and requirements, as well as how your organization may meet those standards.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-eu-general-data-protection-regulation-planning-implementation-and-compliance-2021/
Our administrative and public law seminar covered:
- a review of the last 12 months in FOIA and a case law update
- scope of prerogative powers - what are they and what is the scope of them; the topic is very much in the news at the moment due to Brexit
- non EU treaty obligations of relevance to administrative law
- procurement in 2016 and beyond - current trends, updates and the impact of Brexit
- case law update on various areas of public law, including judicial review.
Presentation on data protection given at the Community Archives conference 2018 by Jon Elliott (Archives and Records Association) and Jack Latimer (Community Archives and Heritage Group)
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo... (Diana Maier)
No matter what kind of law practice you have, you need to comply with privacy laws generally and lawyers' ethical duties with respect to privacy, specifically. In this presentation, legal ethics counsel Sarah Banola (Cooper, White and Cooper, LLP) and employment and privacy attorney Diana Maier (Law Offices of Diana Maier) deliver a primer on privacy law and teach you the key areas of privacy law and associated ethical obligations.
Digital Rewards for CPD: Developing a Digital Practitioner Series of Open Badges (Jisc Scotland)
Presentation given at a joint Jisc/SHED event held at Jisc RSC Scotland in November 2014. The topic for the day was Open Education and this presentation outlines the development of a Digital Practitioner series of Open Badges developed to complement the CPD portfolio available from Jisc RSC Scotland.
Creating accessible information using Microsoft Word: hints and tips for ever... (Jisc Scotland)
Most people who work in colleges regardless of their role produce Word documents. They are used to create learning and teaching material, to produce information about services, to communicate information across the organisation.
There is a legal obligation for colleges to ensure that no-one is disadvantaged because of a disability, to anticipate the needs of people who might be accessing your information and your services, and to make reasonable adjustments to accommodate their needs. One simple thing that everyone can do to meet these obligations is to ensure that the material they create using Microsoft Office is created inclusively; doing so will ensure that it is accessible to a wide range of people who use assistive technologies or who have difficulty accessing text-based information.
This presentation will highlight some simple ways to make your documents accessible using Word 2010 and how well designed Word documents can be converted into accessible PDFs.
This presentation offers an overview of the built-in inclusivity features of Apple iPad, iPhone and iPod devices.
It concentrates not only on inbuilt accessibility and inclusion but looks at apps to support learning and productivity.
Presentation delivered as part of the ULib practitioners workshop at City of Glasgow College, Thu 14 August, 2014. Presented by George Harkins, City of Glasgow College and Penny Robertson, Jisc RSC Scotland.
Presentation about using social media tools for learning and teaching. Tools covered include blogs, media sharing tools, digital curation tools and social networking tools (Facebook).
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
- See how to accelerate model training and optimize model performance with active learning
- Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
- Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses.
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
- Create a campaign using Mailchimp with merge tags/fields
- Send an interactive Slack channel message (using buttons)
- Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
- Your campaign sent to target colleagues for approval
- If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
- But if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
2. Overview
• To understand key terms and principles of the Data Protection Act (DPA)
• Understand types of information: personal/sensitive
• How an organisation can comply with the DPA
3. Intro to Data Protection Act
• Established 1998 to safeguard personal data
• Framework for how organisations can collect and use personal data
• Personal data means data which relates to a living individual who can be identified:
– From those data
– From those data and other information in the possession of the data controller
4. Eight Principles of DPA
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than is necessary
6. processed in line with the data subjects’ rights
7. secure
8. not transferred to other countries without adequate protection
5. Types of information I
– Names, addresses
– Birth details
– Contact details
– Age, gender
– NI number
– Marital history, partnerships
– Travel details, leisure activities, membership of organisations
– Employment details
– Finance details
6. Types of information II
• Sensitive
– Mental or physical health
– Racial or ethnic origin
– Political opinions
– Religious or related beliefs
– Trade union membership
– Sexual life
– Criminal convictions
– Offences, including alleged
http://www.ico.gov.uk/for_organisations/data_pro
7. Data Protection and FE
• Data protection is important to FE and HE institutions
– they collect, process and use the data of individuals such as students, staff, alumni and enquirers for various purposes.
Specific guidance for education sector:
http://www.ico.gov.uk/for_organisations/sector_guides/
– examination records
– expected requirements under FOI(S)A
8. Roles within the DPA
• Data controller: determines the purposes for which and the manner in which personal data are to be processed
• Data Processor: person who processes the data on behalf of the data controller
• Data Subject: an individual who is the subject of personal data
9. Who’s responsible!
• North Glasgow College is the data controller
• Data controllers must register with the Information Commissioner’s Office (ICO)
http://www.ico.gov.uk/what_we_cover/registe
• S.4 (4) of the DPA: ultimate responsibility for adhering to the Act lies with the ‘Data Controller’.
10. Information Commissioner’s Office (ICO)
• independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
http://www.ico.gov.uk/for_organisations/da
• Also a Scottish Information Commission, but ICO has specific regulatory responsibility for DPA
12. £150,000
7 June 2013
Issued to Glasgow City Council for the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
13. £250,000
24 January 2013
Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.
14. £250,000
11 September 2012
Issued to Scottish Borders Council after former employees’ pension records were found in an over-filled paper recycle bank in a supermarket car park.
All monetary penalties and decisions by the ICO can be viewed at:
http://www.ico.gov.uk/enforcement/fines.aspx
16. Scenario one
A new admin assistant was asked to fax a child protection report to a solicitor’s. The report contained extensive sensitive personal data about the child, and a number of her family relations.
The law firm was a regular contact, but had recently changed its fax number. The admin assistant used the contact list to find the number. The new number had been handwritten over the previous number.
The following day the law firm called to say it had not received the faxed report. On checking what had happened, it turned out that the admin assistant had misread a digit of the new fax number.
Identify and discuss any data protection issues in this incident.
17. Scenario two
An HR worker asked an administrator to send some documents to her
work email address so that she could work on them at home.
The documents included a spreadsheet listing a number of her clients,
their names and addresses and contact time. Additional information
included descriptors of their physical and mental health problems. The
spreadsheet also contained notes relating to family members.
The administrator attempted to email the social worker but there were
problems with the organisation's email system. The social worker asked
the administrator to email her personal email instead, and she would
then transfer the documents from her home computer.
The administrator emailed the documents to the social worker’s personal
email. Later in the evening, the social worker checked her email but the
documents had not been received. On checking with the administrator, it
transpired that the email address had been taken down incorrectly.
• Identify and discuss any data protection
issues in this incident
18. Scenario three
• The organisation operates a number of services in conjunction with a range of
voluntary agencies. One of the services is an outreach centre for young
people. The outreach workers and social workers will routinely share
information about the users of the service. The people who use the centre will
typically only frequent it for 3 to 6 months before moving on.
• The outreach centre has three desktop computers. One of these is used to
send and store the reports for the council. That computer, and the relevant
folders are password protected. The password is XYZ123 and has never been
updated. It is pinned on the inside of a drawer in the office.
• The centre also keeps information for its own purposes, which might include
details of disruptive attendees and notes about their external associates. This
information is kept on all three computers.
• The centre is broken into and the three desktop computers are stolen. During
the council’s investigation, the centre informs the investigating officer that
reports had not been deleted from their computers for at least the past five
years.
• Identify and discuss any data protection
issues in this incident
19. Scenario one - issues
• Fax breach – security of sensitive personal data sent by fax:
• No phone ahead fax policy; No checking policy to make sure faxes are
received by the intended recipients; pre-programmed fax numbers, no
evidence of an appointed person responsible for checking or updating fax
numbers;
• No fax cover sheet mentioned;
• The data controller should have been aware of the risks associated with
faxing sensitive personal data, as the risks have been previously well
publicised by the ICO;
• No evidence that other methods had been considered for transmitting
sensitive personal data;
• Higher risk of error with hand written fax contact list of numbers;
• Had the administration assistant involved with this breach received data
protection training?
• Should a relatively new member of staff have been entrusted with faxing
sensitive personal data, is it reasonable to assume this task requires a
certain level of experience and responsibility?
20. Scenario two - issues
• Email breach – security of sensitive personal data sent by email, also third
data protection principle
• No clear email security policy;
• No mention of a contractual agreement between the council and the
outsourced third party finance provider;
• Potential contravention of the third data protection principle, excessive and
irrelevant amount of information going to finance department;
• Potential contravention of the third and seventh data protection principles,
irrelevant personal data being sent by insecure email to a third party
finance provider;
• Administrator should not have emailed spreadsheets to a personal email
address, without first checking data security protocols, or using encryption;
• No cross checking of personal email address to ensure accuracy;
• The council’s home working policy is vague about the security and storage
of personal data when working from home.
21. Scenario three - issues
• Theft of data – organisational and technical security of personal data, also fifth
data protection principle, retention of personal data
• No evidence that a data sharing agreement was in place between the council and
the outreach centre
• Potential contravention of the fifth data protection principle, reports kept for 5
years, when people who use the centre generally only attend for 3-6 months;
• Password to computer storing reports shouldn’t have been kept in a drawer and
should have demonstrated a higher degree of complexity (alphanumeric, upper
and lower case, symbols etc); the password should also have been changed on a
regular basis;
• Lack of technical security: the other two desktop computers storing personal
data were not password protected (there is generally no obligation to encrypt
desktop computers);
• What physical security measures were in place at the outreach centre?
• What DPA training would voluntary outreach workers have undertaken and were
such volunteers vetted by the council – how did the council satisfy themselves
about this?
• This breach could involve sensitive personal data as defined by section 2 of the
22. Ensure you’re compliant
• Governance
• Policy and guidance, risk register, impact levels,
protective marking
• Training
• protecting information course, knowing where to get
help and advice on DPA
• Records management
• retention schedules, disposal records, information asset
register
• Security of personal data
• mobile devices, physical security of manual records,
owner/responsibility, incident reporting/third party
contracts
• Dealing with requests
• Owner/responsibility, log of incidents,
monitoring/redaction, data sharing agreements, SAR
log
23. Governance
• Policies and procedures ( data
protection, information security, email
policies, portable devices)
• Measure and impact, risk register
– http://www.nationalarchives.gov.uk/documents
24. Assessing the risk to personal
information
• Identify the risk
• Treat the risk
• Monitor and review
• review what personal data is held
(privacy impact assessment)
• Apply security measures for physical or
electronic assets
• Create an information asset register
25. The right of access to
personal data
• An individual can send you a subject
access request (SAR) requiring you to
tell them about the personal information
you hold about them, and to provide
them with a copy of that information.
• In most cases you must respond to a
valid subject access request within 40
calendar days of receiving it.
• Example of a SAR form
26. Requests for personal data
• owner / procedure
• record and log requests
• redaction
• Exemptions
http://www.ico.gov.uk/for_organisations/data
• data sharing agreements
28. Records Management
• roles and responsibilities
• retention schedules
• indexing/tracking records
• destruction/disposition
29. Retention for SARs
Record | Contents | Retention period | Basis | Action
Record of subject access request | Initial request, response, related correspondence and other supporting documentation | Completion of request + 3 years | Statutory | Destroy
Record of subject access request where appeal made to UK Information Commissioner | Initial request, response, appeal records, related correspondence and other supporting documentation | Outcome of appeal + 6 years | Statutory | Destroy
General compliance records | Files re DP audit, general compliance, data breaches, security training etc | Current year + 3 | Business req | Destroy
Notification and changes | | Current year + 3 | Statutory | Destroy
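A worked example of applying this retention schedule, added here and not part of the original slides or of SQA's own tooling: it turns the four rows into rules, computes the keep-until date for a record from its trigger event, lets the longer appeal row govern a SAR that went to appeal, and lists the records in a constructed register that are past their date. The reading of "Current year + 3" as the end of the third calendar year after the record's year is an assumption, since the slide does not define it.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Trigger(Enum):
    """What starts the retention clock."""
    EVENT = "event"                # a dated event: completion of the request, outcome of the appeal
    CURRENT_YEAR = "current_year"  # the calendar year the record belongs to


@dataclass(frozen=True)
class RetentionRule:
    record: str
    trigger: Trigger
    years: int
    basis: str   # "Statutory" or "Business req", as in the schedule
    action: str  # "Destroy" for every row of this schedule


# The four rows of the schedule above, transcribed as rules.
SCHEDULE = {
    "sar": RetentionRule("Record of subject access request",
                         Trigger.EVENT, 3, "Statutory", "Destroy"),
    "sar_appeal": RetentionRule("Record of SAR where appeal made to UK Information Commissioner",
                                Trigger.EVENT, 6, "Statutory", "Destroy"),
    "compliance": RetentionRule("General compliance records",
                                Trigger.CURRENT_YEAR, 3, "Business req", "Destroy"),
    "notification": RetentionRule("Notification and changes",
                                  Trigger.CURRENT_YEAR, 3, "Statutory", "Destroy"),
}


def add_years(d: date, years: int) -> date:
    """Same day N years on; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destroy_after(rule_key: str, trigger_date: date) -> date:
    """Last day the record must be kept under the named rule.

    Assumption (not stated on the slide): "Current year + N" means the end of
    the Nth calendar year after the year the record belongs to.
    """
    rule = SCHEDULE[rule_key]
    if rule.trigger is Trigger.EVENT:
        return add_years(trigger_date, rule.years)
    return date(trigger_date.year + rule.years, 12, 31)


def sar_destroy_after(completed: date, appeal_outcome: Optional[date] = None) -> date:
    """A SAR that went to appeal falls under the longer appeal row as well;
    keep whichever date is later so the 3-year rule never truncates it."""
    keep_until = destroy_after("sar", completed)
    if appeal_outcome is not None:
        keep_until = max(keep_until, destroy_after("sar_appeal", appeal_outcome))
    return keep_until


def due_for_destruction(register: Iterable[Tuple[str, date]], today: date) -> List[str]:
    """register: (record id, keep-until date) pairs. Returns ids past their date."""
    return [rid for rid, keep_until in register if today > keep_until]


if __name__ == "__main__":
    # Constructed sample register; the ids and dates are made up for illustration.
    register = [
        ("SAR-2013-017", sar_destroy_after(date(2013, 6, 7))),
        ("SAR-2013-042", sar_destroy_after(date(2013, 9, 1), appeal_outcome=date(2014, 1, 15))),
        ("AUDIT-2013", destroy_after("compliance", date(2013, 3, 1))),
    ]
    for rid in due_for_destruction(register, date(2017, 1, 1)):
        print(rid, "is past its retention date and is due for destruction")
```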
31. Security measures
• owner/responsibility (North Glasgow
College Data Protection policy)
• physical security of manual records
• network security and access permissions
• mobile devices
• security incident log
• remote working risk assessment
http://www.reading.ac.uk/internal/imps/DataProtection/DataProtectionGuidelines/imps-d-p-encryption-remote-working.aspx
32. How the ICO can help
http://www.ico.gov.uk/what_we_cover/audits_advisory_visits_and_self_assessments.aspx
http://www.ico.gov.uk/~/media/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf
33. Ensure that…
• only collect information that you need
for a specific purpose;
• keep it secure;
• ensure it is relevant and up to date;
• only hold as much as you need, and
only for as long as you need it; and
• allow the subject of the information to
see it on request.
• ensure all staff are aware of their
responsibility
36. North Glasgow College
Civil Service Learning / Protecting
Information course
Level 1: provides useful information and
advice to help you protect and share
information safely and appropriately.
Approx.: 45 minutes to complete
https://north-gla.blackboard.com/
Editor's Notes
Slide 1: Introduce myself: advisor for learning resources; background: information arch manager at SQA with direct responsibility for managing the Data Protection Act process and for ensuring continued accreditation to the international standard 27001, which covers the effective management of an information security system. Ask them to introduce one another and their background. Today's short workshop will look at some of the processes involved in ensuring personal information is stored, managed, processed and secured in accordance with the Data Protection Act.
Slide 2: This workshop is by no stretch the magical silver bullet that will solve all data protection woes and challenges for an organisation; it really is a very general introduction, and also aims to give some ideas about how Angus College can ensure the integrity and confidentiality of personal data. We’ll have a look at some of the key terms and principles within the Data Protection Act, look at the 2 main levels of personal information, and some of the tools and processes an organisation can deploy to ensure adherence to the Data Protection Act.
Slide 3: So, the DPA: although it was established in 1998, it became an effective legislative tool from about March 2000. The Act outlines a framework for organisations for the collection and use of personal data, ensuring the confidentiality and integrity of that data is maintained and that there is no loss of privacy or harm to the person the data is about. The DPA does not approve of the ‘we’ll store this data, just in case’ attitude, and rightly so. When we talk of personal data, this covers data which relates to a living individual who can be identified from those data, and/or from those data together with other data in the possession of the data controller. This also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. So an example would be: if you’re marking a student’s paper and you write feedback or any remark on it, within the context of a personal information request this information would have to be transcribed and sent to the individual.
Slide 4: The Act hinges on 8 principles. 1st data principle: have legitimate grounds for collecting and using the personal data; be transparent in how you are going to use the data; do not use the data in ways that have unjustified adverse effects on the individuals concerned. 2nd data principle: be clear about the purpose or purposes for which you hold personal data, so that you can then ensure that you process the data in a way that is compatible with your original purpose or purposes (or ”not incompatible”, as the Data Protection Act says). Specifying those purposes at the outset is likely to help you avoid the possibility of “function creep”. If you make sure that you process personal data in accordance with the other data protection principles, and that you have notified the Information Commissioner if you need to do so, you are likely to comply with the requirement to “specify” without doing anything more. Principles 3, 4 and 5: ensure you don’t hold excessive amounts of data; you should not hold personal data on the off-chance that it might be useful in the future. Data protection principle 4: take reasonable steps to ensure the accuracy of any personal data you obtain; ensure that the source of any personal data is clear; carefully consider any challenges to the accuracy of information; and consider whether it is necessary to update the information. Data protection principle 5, retention: consider the current and future value of the information; the costs, risks and liabilities associated with retaining the information; and the ease or difficulty of making sure it remains accurate and up to date. Principle 6: the right of access to what an organisation holds about them; a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and a right to claim compensation for damages caused by a breach of the Act.
Principle 7: adequate security controls are in place to ensure the integrity and confidentiality of the personal information. Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; be clear about who in your organisation is responsible for ensuring information security; be ready to respond to any breach of security swiftly and effectively. Principle 8: it is important to remember that all the data protection principles apply to overseas transfers of personal data – not just the eighth principle. So you must consider how you will comply with the other principles if you transfer.
Slide 5: The types of personal information an organisation may hold fall into two types. We have what is deemed personal…
Slide 6: And we also have sensitive/restricted information regarding a living individual. The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of the conditions for processing which apply specifically to such data, as well as one of the general conditions which apply in every case. The nature of the data is also a factor in deciding what security is appropriate. The first data protection principle requires that you must be able to satisfy one or more “conditions for processing” in relation to your processing of personal data. Many (but not all) of these conditions relate to the purpose or purposes for which you intend to use the information. If you have a legitimate reason for processing personal data, the best approach is to focus on whether what you intend to do is fair. http://www.legislation.gov.uk/uksi/2000/417/contents/made
Slide 7: The ICO website holds information and guidance for educational establishments; the guidance covers information such as a student’s examination records, and in your packs I’ve included the specific guidance for access to pupils’ data in Scotland. FOI: this guidance gives examples of the kinds of information that we would expect colleges of Further Education to provide in order to meet their commitments under the model publication scheme. Any publication scheme you have that was created before 1 January 2009 is now out of date and you should replace it with the ICO model scheme: 7 classes of information, how you should make the information available, what you can charge, and what you need to tell members of the public about the scheme. It is also required that you tell the ICO that you have made these changes to your publication scheme.
Slide 8: To ensure some structure and generic reference within the Act, it uses roles defined as the following: data controller, usually an organisation, who determines how the personal data will be processed; data processors; data subject. Within an organisation it is paramount that all staff are aware of their role and responsibility for data protection and understand the consequences or enforcement of processing personal information. Some organisations, for example, will stipulate procedures within their policy if a member of staff breaches or does not comply with their responsibilities as a data processor; some organisations will develop specific contracts for staff who process personal data.
Slide 9: Within your organisation, North Glasgow College is the data controller. It is mandated that all organisations that process personal data must notify and register with the Information Commissioner’s Office. The registry of data controllers is public information and available online. Click on link, search the registry and show Angus College’s notification: this documents all purposes for which Angus College uses personal data and what they are processed for. The ultimate responsibility for adherence to the Data Protection Act lies with the data controller.
Slide 10: The Data Protection Act is enforced via the Information Commissioner’s Office. The ICO is an independent body set up to uphold our information rights, promote openness and transparency within the public sector and ensure data privacy for individuals. Click on link to show information and guidance available for organisations on DP. There is a Scottish Information Commissioner, who has jurisdiction in the management and enforcement of the Freedom of Information (Scotland) Act; the ICO has specific regulatory responsibility for data protection.
Slide 11: So how does the ICO act upon breaches of the Data Protection Act by organisations? Well, they hit them where it hurts the most: money and reputation. The ICO has the power to fine an organisation up to a maximum penalty of £500,000 for the mismanagement of personal information.
A couple of recent examples: Sony were fined £250,000.
Another one closer to home is that of Borders Council…read slide. Slide 13: to determine the amount an organisation will be fined, the ICO uses a framework. They consider the seriousness of the breach, which would include the hurt or damage done to the persons whose data was involved. They also consider any mitigating or aggravating factors: your policies and procedures in place and what your organisation does to ensure compliance (mitigating); aggravating factors may be if this is your second or more offence. Click on link. And as I mentioned, the reputation of an organisation: all monetary fines and decisions pertaining to breaches are published on the website. The financial impact on the organisation: the case working group will take into account any financial hardship on the organisation; they want proof from the data controller and this can be used as evidence for their case.
Slide 21: So how does an organisation ensure its compliance with the Data Protection Act? Well, I think it’s a mixture of these 5 attributes. It’s all very well having a policy that adheres to a certain level of information security and vocalises how an organisation will ensure the confidentiality and integrity of personal data, but quite another thing to embed that policy as process in an organisational culture. Most organisations will develop an information governance process and include all these as part of the implementation of good practice to ensure adherence to the Data Protection Act. This can go further than just how to manage personal data: all of this can also be embedded to ensure good information management practice for all information within an organisation. People, process and policy are the 3 key ingredients to good information management: ensuring your valued assets are aware of their responsibilities, and that they understand the processes and policy your organisation works with. The more time spent on training and awareness, the better the adherence to your policies and process.
Slide 22: Within an organisation, the ICO would view it as a mitigating factor of a breach if there is an effective management system in place for personal data. North Glasgow College has a data protection and IT security policy that documents exactly how staff must comply when working with personal data; it also includes measures to ensure the security of data, be it physical or electronic access. There are other areas that need organisations to have a policy or guidance in place for staff. With the onslaught of mobile devices a lot of organisations need to consider what their policy is. A survey released in December last year: "Independent research commissioned by Cisco reveals that 73% of Local Government, Healthcare and Higher & Further Education organisations allow employees to use personal devices at work. But while the majority have begun to embrace BYOD, only 22% have put specific and enforceable policies in place for users. In addition, only 24% have installed security solutions on user devices." Email is also an issue, and it must be specified within an organisation what can be shared and transferred over the internet via email. Ensuring staff are aware of these policies and what the implication is for them is how an organisation can develop a secure data culture. Know what you’ve got, where it is and what security controls must be applied. Most organisations work within a risk framework and apply levels of risk to their operational and production processes; information is a valued asset in an organisation and so it can be useful to measure risk to data and what the impact may be: a level of risk to an information asset, whether it is loss of revenue to the organisation or damage to reputation. Click on link.
Slide 23: In creating an information asset register, or including information as an asset within your corporate risk register, you need to look at information and identify the risk to the information, then look at how to treat the risk by avoiding, reducing, transferring or accepting it; so it looks at what impacts the risk and how you can apply measures to mitigate the risk. An organisation should then actively monitor and review risk to ensure stability in their treatments. There are other tools that are worth considering: privacy impact assessments are useful if you are using third party data processors, for example; PIAs can ensure that the external supplier adheres to the rigours of data protection and information security. Know what you’ve got, where it is and what security controls must be applied to ensure continued integrity and confidentiality of that information.
We all have the right as individuals to ask organisations about the personal information they hold about us. These requests are referred to as subject access requests. A lot of organisations will specify on their website how they deal with a subject access request and what kind of information they hold. Click on link to SQA webpage and click on link for the SAR form. It is vital that an organisation specifies who is responsible for dealing with SARs and that this information is monitored and reviewed.
Slide 25: Dealing with SARs, it is imperative that an organisation has ownership/responsibility in place: who deals with them and who is involved in the procedure. By using good retention, it is important that these requests are logged and recorded properly and are kept for a specific amount of time. If the information being sent out involves other persons, you must make sure that those persons’ information has been redacted. Example of SQA exam logs from invigilators: all other persons who have been recorded must be redacted before sending out this information. Click on link. There are specific exemptions within the DPA; in the main these are concerned with criminal proceedings or financial processes or management information within an organisation. Example of an exemption: the senior management of an organisation are planning a re-organisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the plans are revealed to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest in advance of an announcement of the management’s plans). Example: your examination script is exempt from release under the Data Protection Act. SQA markers are instructed not to add their comments to examination scripts, but occasionally this does happen. You are entitled to receive a copy of any marks or comments markers add to your script. We will provide these, if available, in response to your subject access request.
Examination marks and personal data contained in examination scripts. Mention the handout on access to pupils’ information. Another consideration for personal data requests is when an organisation shares data with other organisations for a specific purpose: data sharing agreements are extremely important to ensure data subjects are aware of how their personal information will be processed and what the external organisation is legitimately allowed to do with the data (mention the data sharing checklist and the code of practice for data sharing agreements).
Slide 26: Training and awareness are fundamental to creating good information governance. Click on link: the ICO has created a useful toolkit for companies to download and use to raise awareness of protecting personal data. Coming along this morning is also useful in building up your ideas for moving forward with protecting personal information.
Slide 27: Another of the attributes I mentioned earlier that can help an organisation develop and embed good data protection process is records management, ensuring you have documented the… Read slide.
Slide 28: Example of a retention schedule dealing with subject access requests from SQA. It documents exactly what the information is comprised of, how long it must be stored, whether it’s a statutory or business requirement and what treatment is used to complete the document’s lifecycle.
Slide 29: Technology is an integral part of ensuring security procedures are in place for the management of personal data. Most of this is very practical in nature and straightforward, but it is amazing to see staff in organisations doing things like working with sensitive information, leaving their desk and not locking their PC: a security breach just waiting to happen. An incident management team can be an effective way to govern both physical and electronic incidents, comprising a board and working group with responsibility to ensure compliance and awareness amongst staff.
Angus College has specified in their policy who owns and has responsibility for security measures. This also must be taken into consideration for the security of physical records and access to IT; those who manage the network of the organisation must ensure access controls and permissions are in place so that only the right people gain access to the data they are allowed to view. Some organisations will introduce a security breach log to ensure any data breaches are reported, handled and resolved. And due to the flexibility these days of working practice, some institutions will create guidance and policy for staff. Click on link: show remote working assessments to ensure security of data when working at home.
Slide 31: Don’t despair! The ICO may be the ones that dole out the financial fines, but they also have an excellent information dissemination policy and are there to help organisations embed and develop good information management practice. Click on link: advisory visits, self assessment. Data protection is ever evolving and is a developing piece of legislation; with our society being enslaved to an online environment, the ICO have created a code of practice on how organisations can process personal information online.
In summary:
Slide 33: We share our information everywhere now and it is increasingly difficult to keep up to speed with who has your information and what they may be doing with it. With that in mind, click on link.