THE DATA PROTECTION ACT 1998
A QUESTION OF PRINCIPLES
Sheelagh F M Keddie
Property of Common Sense Privacy - all rights reserved
01875340890 [email protected]
THE ROLE OF IT AND THE IT PROFESSIONAL IN DATA PROTECTION
1987 - Data Protection manager
• IT security manager/administrator
1980s onwards - shift in management of system development
• Business area orientated responsibilities
• User role in Project management
• Service Level Agreements
2005 - Data Processor
British Computer Society Code of Conduct [Extracts]
The Public Interest
1. You shall carry out work with due care and diligence in accordance with the
relevant authority’s requirements, and the interests of system users. If your
professional judgement is overruled, you shall indicate the likely risks and
consequences.
3. You shall have regard to the legitimate rights of third parties … includes members of the ‘public’ who might be affected by an IS project without their being directly aware of its existence.
4. You shall ensure that within your professional field/s you have knowledge and
understanding of relevant legislation, regulations and standards and that you
comply with such requirements.
MANAGING DATA PROTECTION
POLICY
ORGANISATION
EDUCATION AND TRAINING
GUIDELINES
PROCESSES
INVENTORY
WHAT DOES GOOD DP PRACTICE LOOK LIKE?
• A clear, complete and relevant policy
• An inventory of personal data
• Controls to ensure that data are collected legally
• Only relevant data and sufficient data are collected
• Controls to ensure that data are only used in accordance
with how they were collected
• Procedures to correct inaccurate data
• Procedures to delete data when the purpose is completed
• Procedures to meet requests from individuals to see their
data within the legal time limit
• Staff understand their responsibilities and meet them
DATA PROTECTION POLICY
• Access rules reflect lawful use
  • chinese walls within the data controller reflecting different purposes
  • compartmentalised access v. hierarchical
  • more than one logical id for some users
• clear policy on monitoring usage
  • users’ rights to private use of e-mails, Internet, IT facilities, telephones
  • monitoring usage v. content
  • automated monitoring v. human surveillance
  • authorisation of specific investigations
INVENTORY OF PERSONAL DATA
• Broader base for inventory
  • all automated personal data, not just ‘processed by reference’
  • includes back-ups
  • includes e-mails
  • includes word-processing documents
• reflects logical business purposes, not necessarily technical data relationships - logical map underpinned by technical map
• reflects business ownership of personal data
• is not limited to automated data
CONTROLS - BUILDING COMPLIANT SYSTEMS
• Project initiation and specification
  • Fair collection - Principle 1
    • specify which condition[s] in schedules 2 and 3 are being met
      • eg the exact wording if consent is being sought
        • in document
        • in telephone script
        • on web-site
      • the legal obligation which necessitates collection
      • the public function which necessitates the collection
CONTROLS - BUILDING COMPLIANT SYSTEMS
• Project initiation and specification
  • Lawful use - Principle 2
    • ensure internal use reflects the information given to the data subject
    • ensure any intended disclosures to any other legal entity also reflect this information
Principle 2 - only obtained for specified and lawful purposes and not further processed in an incompatible manner [including by an employee or a third-party recipient]
CONTROLS - BUILDING COMPLIANT SYSTEMS
[Diagram: COLLECT, STORE and USE, linked by legal entity, purposes and consent/objections]
CONTROLS - BUILDING COMPLIANT SYSTEMS
Systems design
• CRM or discrete data sets
• controls to
  • reflect multiple purposes and multiple legal entities
  • maintain accuracy
  • record dissent
  • support retention policies
CONTROLS - BUILDING COMPLIANT SYSTEMS
Systems specification and design
• include reports to produce accessible copies of an individual’s data
  • per legal entity
  • per person
  • explain codes
  • omit clearly exempt material
  • includes - e-mails, archives, back-up, possibly telephone calls
don’t give me - screen prints, multiple copies of call logs and emails, coded actions
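The controls asked for on the policy slide (access rules that reflect lawful use, separate logical ids per purpose), the systems design slide (record dissent, maintain accuracy, support retention) and the subject access report above can all hang off one purpose-tagged data model. The Python below is an added example written for this page, not the presenter's code or any real product; the legal entities, logical ids, code book, exempt field name, retention periods and the sample person "S100" are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed code book used to explain coded values in subject access output.
CODE_BOOK = {"status": {"A": "active customer", "L": "lapsed customer"}}
EXEMPT_FIELDS = {"internal_note"}  # constructed: field names treated as clearly exempt
# Constructed logical ids: jsmith holds two ids because she works for two
# purposes; each id is bound to one (legal entity, purpose) pair, so access is
# compartmentalised by purpose rather than hierarchical.
LOGICAL_IDS = {
    "jsmith-mkt": ("Acme Retail Ltd", "marketing"),
    "jsmith-svc": ("Acme Retail Ltd", "customer service"),
    "aprice-cla": ("Acme Insurance Ltd", "claims"),
}


@dataclass
class Record:
    """Personal data held by one legal entity for the purposes notified at collection."""
    subject_id: str
    legal_entity: str
    purposes: frozenset          # purposes stated to the data subject (Principle 2)
    consent_wording: str         # exact wording shown at collection (Principle 1)
    collected: date
    retention_days: int          # how long the purpose needs the data
    fields: dict                 # coded values as stored
    objections: set = field(default_factory=set)  # purposes the subject dissents from

    def expired(self, today):
        return today > self.collected + timedelta(days=self.retention_days)


class Store:
    def __init__(self):
        self.records = []
        self.audit = []  # trail of reads and corrections

    def add(self, rec):
        self.records.append(rec)

    def allowed(self, logical_id, rec):
        """Access rule reflects lawful use: same entity, a notified purpose, no objection."""
        entity, purpose = LOGICAL_IDS[logical_id]
        return (rec.legal_entity == entity and purpose in rec.purposes
                and purpose not in rec.objections)

    def read(self, logical_id, subject_id):
        hits = [r for r in self.records
                if r.subject_id == subject_id and self.allowed(logical_id, r)]
        self.audit.append(("read", logical_id, subject_id, len(hits)))
        return hits

    def record_dissent(self, subject_id, purpose):
        """Record an objection so later use for that purpose is refused."""
        for r in self.records:
            if r.subject_id == subject_id and purpose in r.purposes:
                r.objections.add(purpose)

    def correct(self, subject_id, legal_entity, name, value):
        """Maintain accuracy: apply a correction, keeping the old value in the audit trail."""
        for r in self.records:
            if r.subject_id == subject_id and r.legal_entity == legal_entity and name in r.fields:
                self.audit.append(("correct", subject_id, name, r.fields[name], value))
                r.fields[name] = value

    def purge(self, today):
        """Support retention policy: delete records whose purpose period has ended."""
        keep = [r for r in self.records if not r.expired(today)]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def subject_access_report(self, subject_id):
        """Accessible copy per legal entity: codes explained, exempt fields omitted."""
        report = {}
        for r in self.records:
            if r.subject_id != subject_id:
                continue
            explained = {n: CODE_BOOK.get(n, {}).get(v, v)
                         for n, v in r.fields.items() if n not in EXEMPT_FIELDS}
            report.setdefault(r.legal_entity, []).append({
                "purposes": sorted(r.purposes), "objections": sorted(r.objections),
                "notified_wording": r.consent_wording, "data": explained})
        return report


def build_sample_store():
    """Constructed sample: one person known to two legal entities of the same group."""
    s = Store()
    s.add(Record("S100", "Acme Retail Ltd", frozenset({"customer service", "marketing"}),
                 "We use your details to manage your account and, if you tick the box, to send offers.",
                 date(2005, 1, 10), 730, {"status": "A", "internal_note": "vip"}))
    s.add(Record("S100", "Acme Insurance Ltd", frozenset({"claims"}),
                 "Your details are used to process your claim.",
                 date(2004, 12, 1), 365, {"status": "L"}))
    return s


if __name__ == "__main__":
    store = build_sample_store()
    store.record_dissent("S100", "marketing")
    print(store.purge(date(2006, 1, 10)), store.subject_access_report("S100"))
```

The point of binding each logical id to a single (entity, purpose) pair is that no account sees everything: the marketing id loses sight of a person the moment an objection to marketing is recorded, while the service id is unaffected, and the insurance company's id never sees the retail record at all. The report groups by legal entity so a subject access response can be issued per entity, with coded values expanded and the exempt field dropped.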
CONTROLS - BUILDING SECURE SYSTEMS
• Establish necessary, effective security controls
• Carry out and document impact assessments - likely harm to an individual of a security breach
  • add control assessments - risk reduction
  • establish joint ownership with business users of control strategy
Principle 7 - secured against unauthorised or unlawful processing, accidental loss or destruction, damage
CONTROLS - MANAGING THE DATA PROCESSOR RELATIONSHIP
• Data Processor
  • Written statement regarding security controls
    • policy
    • staff training
    • physical, procedural and technical controls
• Data Controller
  • Part of the procurement process
  • part of the management and audit processes
  • clear documented instructions on processing of personal data
COLLECTION AND DISCLOSURE VIA WEB-SITES
• No covert collection mechanisms
• place collection information before collection action, eg above the submit button in online forms
• get positive consent, eg tick that you have read and accept the privacy information
• don’t bundle consent to various purposes
• enable choices to be made on-line
  • opt-in via opt-out
  • shun the passive opt-in - boxes already ticked
• remember placing personal data on the Internet is world-wide disclosure/transfer
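The web-site rules above can be checked on both sides of the form: the page should show the privacy notice before the submit button with no box pre-ticked, and the server should treat an absent box as "no", refuse a single bundled consent field, insist on positive acceptance of the notice, and record which wording the person saw. The Python below is an added example for this page, not the presenter's code or any real site; the purposes, notice text, version label, `/register` action and the field naming scheme (`consent_<n>`, `privacy_read`, `consent_all`) are all assumptions.

```python
from datetime import datetime, timezone

# Constructed purposes and notice text; a real site would take these from its
# privacy policy and keep every version of the wording it has shown.
PURPOSES = ("administering your account", "sending you offers by e-mail",
            "passing your details to partner companies")
NOTICE_TEXT = ("We collect your name and e-mail address for the purposes you tick below. "
               "Data you submit may be accessible world-wide.")
NOTICE_VERSION = "2005-11-v1"   # constructed version label for the wording shown


def render_form(notice_text, purposes):
    """Notice sits above the boxes and the submit button; no box is pre-ticked."""
    lines = ['<form method="post" action="/register">']   # assumed endpoint
    lines.append(f'<p class="privacy-notice">{notice_text}</p>')
    for i, purpose in enumerate(purposes):
        # One box per purpose so consent is not bundled; no "checked" attribute.
        lines.append(f'<label><input type="checkbox" name="consent_{i}" value="yes"> '
                     f'I agree to {purpose}</label>')
    lines.append('<label><input type="checkbox" name="privacy_read" value="yes"> '
                 'I have read and accept the privacy information</label>')
    lines.append('<button type="submit">Submit</button>')
    lines.append('</form>')
    return "\n".join(lines)


def notice_precedes_submit(html):
    """Check that the collection information appears before the collection action."""
    notice = html.find('class="privacy-notice"')
    submit = html.find('type="submit"')
    return notice != -1 and submit != -1 and notice < submit


def parse_consent(form, purposes, notice_version, now=None):
    """Turn a submitted form (dict of field name -> value) into a consent record.

    An absent or unticked box means no consent (no passive opt-in); a single
    bundled field is refused; the privacy notice must be positively accepted.
    """
    if "consent_all" in form:
        raise ValueError("bundled consent is not accepted; one choice per purpose")
    if form.get("privacy_read") != "yes":
        raise ValueError("no positive acceptance of the privacy information")
    choices = {purpose: form.get(f"consent_{i}") == "yes"
               for i, purpose in enumerate(purposes)}
    stamp = now or datetime.now(timezone.utc)
    return {"notice_version": notice_version,   # which wording the person saw
            "choices": choices,
            "recorded_at": stamp.isoformat()}


if __name__ == "__main__":
    print(render_form(NOTICE_TEXT, PURPOSES))
    # Constructed submission: notice accepted, only the offers box ticked.
    print(parse_consent({"privacy_read": "yes", "consent_1": "yes"}, PURPOSES, NOTICE_VERSION))
```

Storing the notice version alongside the choices is what later lets the data controller show exactly which wording a person consented to, which is the same "exact wording" point made on the fair collection slide.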
Questions?