DP-Presentation-GSAL-110612

Philip Brining, Absolute Data
DATA PROTECTION COMPLIANCE
ESSENTIALS
Agenda
1. Welcome and Introductions
2. Absolute Data
3. What is data protection?
4. The Data Protection Act (1998)
5. The Privacy and Electronic Communications Regulations (2011)
6. Overview of Breaches
7. Powers of the ICO
8. What You Can Do to Comply
9. WIIFM
10. Questions and Close
Welcome & Introductions
1. Names, Organisations, Roles
2. Expectations from this session
Absolute Data Limited
OUR BACKGROUND
• 10+ years' experience of providing practical advice, information and
guidance to a variety of organisations in the public, private and
third sector in respect of information governance, data protection
and privacy.
Data Strategy
Data Services
Data Systems
Data Compliance
Data Protection Compliance
• Data Protection Act (1998)
• Privacy and Electronic Communications Regulations (2011)
• Freedom of Information Act (2000)
• CCTV, Phone Monitoring, Human Rights Act
Overview
• DPA (1998)
– Public register of data controllers
– 8 Principles
– Rights of data subjects
– Defines “data” under the scope of the legislation
– European-wide
• PECR (2011)
– Rules regarding e-comms (text, e-mail, phone etc.)
– Suppression lists (opting out)
– Cookies (educate, consent)
What exactly is the Data Protection Act?
“The Data Protection Act 1998 establishes a framework
of rights and duties which are designed to safeguard
personal data.
The Information Commissioner’s Office (ICO) is the UK’s
independent authority who upholds information rights in
the public interest, promoting openness by public bodies
and data privacy for individuals” (ICO, 2009).
What is classified as “Data”?
The Data Protection Act defines Data, and Personal Data, and further differentiates
between Personal Data and Sensitive Personal Data.
Data means information which –
a) is being processed by means of equipment
operating automatically in response to
instructions given for that purpose,
b) is recorded with the intention that it
should be processed by means of such
equipment,
c) is recorded as part of a relevant filing
system or with the intention that it should
form part of a relevant filing system,
d) does not fall within paragraph (a), (b) or (c)
but forms part of an accessible record as
defined by section 68, or
e) is recorded information held by a public
authority and does not fall within any of
paragraphs (a) to (d).
Personal data means Data which relate to a
living individual who can be identified –
a) from those data, or
b) from those data and other information
which is in the possession of, or is likely
to come into the possession of, the data
controller,
and includes any expression of opinion about
the individual and any indication of the
intentions of the data controller or any other
person in respect of the individual.
Organisations are prohibited from processing sensitive personal data unless
they can prove why it is necessary and can satisfy the Act’s “Conditions for
Processing” rules.
Examples of Personal Data?
• Database containing names and addresses of UK customers
• Paper files containing names and addresses of Japanese shareholders
• Data capture forms
• List of customers’ mobile phone numbers emailed from one employee to another
• List of prospects’ database reference numbers emailed to a supplier
• Customer services digital telephone recordings
• Tapes containing CCTV footage outside your offices
• Excel spreadsheet containing your personal Christmas card list
• Database of vehicle licence plates passing through your property
• Private notes written on a CV about an interview candidate
The Register of Data Controllers
Notification is the process by which a data controller gives the ICO
details about their processing of personal information.
The ICO publishes certain details in the register of data controllers,
which is available to the public for inspection.
8 principles - data must be...
1. Processed fairly and lawfully
2. Processed for specific purposes and in appropriate
ways
3. Adequate, relevant and sufficient in relation to the
purposes for which it is processed
4. Kept accurate and up-to-date
5. Kept only for as long as necessary
6. Processed in line with an individual’s rights
7. Protected by sufficient technical and organisational
measures
8. Only transmitted to countries that have sufficient
data protection controls
Principles of the DPA
1st Principle
Personal information must be FAIRLY and LAWFULLY processed
• Legitimate use
• Transparency
• Privacy Notices
• Fair processing
Principles of the DPA
2nd Principle
Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner
incompatible with that purpose or purposes.
• Be clear as to your reasons
• Notify the ICO
• Ensure prior consent
Principles of the DPA
3rd Principle
Personal data shall be adequate, relevant and not excessive in
relation to the purposes for which they are processed
• What is the data used for?
• The nature of the information held
• How was the data obtained?
• Is all the data needed?
Principles of the DPA
4th Principle
Personal data shall be accurate, and where necessary, kept up to
date.
• Ensure clarity in where the data was obtained
• Consider if accuracy might be challenged
• Does this data need regularly updating?
Principles of the DPA
5th Principle
Personal data processed for any purpose or purposes shall not be
kept longer than is necessary for that purpose or those purposes.
• Reviewing / auditing your data regularly
• Establishing retention periods
• Current and future value of your data
• Keeping shared information
Principles of the DPA
6th Principle
Personal data shall be processed in accordance with the rights of
data subjects under this Act.
• Subject Access Requests
• Direct marketing
• Amend or destroy
Principles of the DPA
7th Principle
Appropriate technical or organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data.
• Who is responsible for your company’s data security?
• Physical and technical security measures, e.g. locked
cupboards, data encryption
• Sharing data with 3rd parties
Principles of the DPA
8th Principle
Personal data shall not be transferred to a country or territory
outside of the EEA unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data
subjects in relation to the processing of personal data.
• Does your data get processed outside of the UK?
• Adequate levels of protection outside the EEA:
– Argentina
– Canada
– Guernsey
– Isle of Man
– Jersey
– Switzerland
How The DPA Can Be Breached!
NB: These are not mutually exclusive!
• Sending personal information to the wrong recipient (emails and attachments)
• Failing to keep sensitive personal information secure
• Loss of unencrypted PCs/Laptops/Memory Sticks etc. containing personal
information
• Loss of manual records containing personal information
• Illegally obtaining personal information
• Illegally selling-on personal information (or your staff selling it on)
• Inappropriate access to records containing personal information
• Inappropriate and inadequate security on systems, websites and transmitted data
• Inappropriate disposal of IT equipment, manual records etc.
• Inadequate training of staff
• Inadequate policies and procedures
• Making unsolicited marketing calls
• Not having an up-to-date Notification
Privacy and Electronic Communications
Regulations (2011)
Sets out rules regarding the use of
• Cookies
• Traffic data
• Location data
• CLI (Calling Line Identification)
• ACD (Automated Call Distribution)
• Itemised billing
• Directory of subscribers (and ex-directory)
How The PECR Can Be Breached!
NB: These are not mutually exclusive!
• Unsolicited “cold” calling
• Unsolicited e-mail or SMS broadcasting
• Failure to gain consent to contact electronically
• Calling TPS or mailing MPS registered people
• Using cookies without first gaining consent
• Poor ACD settings, contact centre call handling
The ICO And Its Powers
• Serve information notices requiring organisations to provide the ICO with
specified information within a certain time period;
• Issue undertakings committing an organisation to a particular course of action in
order to improve its compliance;
• Serve enforcement notices and ‘stop now’ orders where there has been a breach,
requiring organisations to take (or refrain from taking) specified steps in order to
ensure they comply with the law;
• Conduct consensual assessments (audits) to check organisations are complying;
• Serve assessment notices to conduct compulsory audits to assess whether
organisations’ processing of personal data follows good practice (data protection
only);
• Issue monetary penalty notices, requiring organisations to pay up to £500,000 for
serious breaches of the Data Protection Act occurring on or after 6 April 2010 or
serious breaches of the Privacy and Electronic Communications Regulations;
• Prosecute those who commit criminal offences under the Act; and
• Report to Parliament on data protection issues of concern.
Example Actions
• Brighton and Sussex University Hospitals Trust £325,000 fine for the theft
of computer hard drives that were sold on eBay. June 2012.
• London Borough of Barnet £70,000 fine for theft of paper files from an
employee’s home. April 2012.
• Usha Patwal, given a two-year conditional discharge and ordered to
pay £614 prosecution costs for unlawfully accessing her sister-in-law’s medical
records. December 2011.
• Merfyn Pugh Estate Agents, given a conditional discharge of six months
and ordered to pay £614 prosecution costs for failure to notify.
December 2011.
• Phoenix Nursery School, Wolverhampton, signed undertaking for losing a
backup tape containing the personal details of 70 pupils and their parents
or guardians. November 2011.
• ACS Law, Spectrum Housing, North Somerset Council, Newcastle Youth
Offending Team, Lush Cosmetics …
Other Cases
• Oliver Letwin - dumping papers
• HMRC - loss of 25 million records
• Sony - hacking of 77 million credit card records
• A4E Ltd - theft of unencrypted laptop
• T Mobile - theft of phone contract details
• Marc Ben-Ezra - theft and re-sale of 65,000 gamblers’ records
• HSBC bank - 2010 employee stole account details of 24,000 people
• Association of School and College Leaders - theft of laptop from home
• Holly Park School - unencrypted laptop stolen from an unlocked office
• Dartford and Gravesham NHS Trust - accidentally destroying 10,000
archived records
• Zurich Financial Services - £2.275 million fine, 46k records
• Google Inc - harvesting of WiFi data
• News of the World
• Worcestershire County Council
What steps can I take in order to comply?
• Appoint a senior person to be responsible;
• Know what data you have, where it is, who has access to it;
• Correct ICO Notification(s);
• Think about and uphold the 8 Principles;
• Privacy Notices;
• Document key policies, procedures & processes (e.g. breach policy);
• Audit data security - implement technical & organisational measures;
• Staff training and regular awareness raising - start a DP dialogue;
• Integrate into business as normal;
• Review, auditing & testing - monitor compliance;
• Privacy by design;
• System for information governance;
• External accreditation - ISO27001 / BS10012;
• Seek specialist help.
What’s In It For Me
• Fines and regulatory action
• Negative PR / reputational damage
• Industrial espionage / theft by employees
• Is data your biggest asset?
• Risk management - a modern / better way of doing business
• Build trust and loyalty of customers
• Win B2B or government contracts
• Positive point of difference from competitors
• Staff morale
Plan for the 2014 Legislation
– Mandatory breach notification, European harmonisation, responsible
person, powers of inspection, prohibition orders, bigger fines,
custodial sentences.
Any Questions?
Philip Brining, Absolute Data Limited
philip.brining@absolute-data.co.uk
07775 660387
www.absolute-data.co.uk
THANK YOU
Case Studies
• ACS Law
• Spectrum Housing
• Lush Cosmetics
• North Somerset County Council
• Newcastle Youth Offending Team
Case Study 1 – ACS Law
Which data protection principles have been compromised?
Principle 7:
The main issue highlighted in this case study is that ACS
Law did not have appropriate security measures in place
Principle 3,4:
Questions could be raised regarding the relevance and
accuracy of the data being used by the firm
Principle 6:
Due to the sensitive nature of the data in question, and
questions about how reliable the data was, Principle 6 was
compromised – was the data processed in accordance with
the rights of the data subjects?
ACS Law
Avoidance Measures
Recognise Risk: Know your enemy and recognise risk. Organised groups of
people with a lot to lose through ACS’ activities.
DP Procedures: Penetration testing and routine auditing of DP
arrangements would have flagged up serious issues.
Know your data: Very sensitive personal data that would cause distress and
damage if were to be compromised.
Buy-in expertise: Third party specialist firms would have identified areas of
concern and helped ACS Law avoid issues or at least
mitigate the effects of a security incident.
Case Study 2 – Spectrum Housing
Which data protection principles have been compromised?
Principle 2:
The data should never have been emailed in an Excel
spreadsheet format, thus the Act was automatically
breached.
Principle 7:
As well as the document being emailed in the wrong
format, it wasn’t encrypted either – meaning a
compromise of Principle 7.
Principle 1:
Both of the above has meant that the data wasn’t
processed fairly, or lawfully.
Case Study 2 – Spectrum Housing
Avoidance Measures
Training:
Staff should be aware that this practice is risky and to be
avoided, and that there is a safer procedure.
DP Procedures: Routine auditing of DP arrangements would have flagged
up poor practice and lack of awareness.
IT Measures:
Protecting Excel sheets is easy and free! Consider other
means of transferring the data.
Buy-in expertise: Third party specialist firms would have identified areas of
concern and helped Spectrum Housing identify risks.
Case Study 3 – Lush
Which data protection principles have been compromised?
Principle 7:
The fact that the data wasn’t regularly security-checked
and staff were not trained in this area of data protection
sufficiently, meant that Principle 7 was compromised.
Principle 1:
The result of Principle 7 being compromised meant that
Principle 1 was compromised too because the data wasn’t
processed fairly or lawfully.
Principles 4,5:
Because Lush “failed to do regular security checks and did
not fully meet industry standards relating to card payment
security”, questions need to be asked as to whether the
data was kept accurate, up to date, and only for as long as
necessary.
Case Study 3 – Lush
Avoidance Measures
Recognise Risk: It is easier and more efficient to steal credit card details
from retailers than consumers.
DP Procedures: Penetration testing, security incident logging, and routine
auditing of DP arrangements would have flagged up serious
issues.
Know your data: PCI DSS data is valuable and subject to criminal activity.
Buy-in expertise: Third party specialist firms would have identified areas of
concern and ensured that Lush avoided or at least
mitigated the effects of a security incident. The PCI DSS
standard sets out acceptable procedures.
Case Study 4 – Worcestershire and North
Somerset Councils
Which data protection principles have been compromised?
Principle 7:
Lack of encryption measures and staff training in the
communication of sensitive personal data meant that the
councils were left open to (a) breach(es).
Principle 1:
As a result of the lack of training / technical measures, the
data was not fairly nor lawfully processed, leading to a
compromise of this principle.
Principle 6:
Because both of the above principles were compromised, it
meant that principle 6 was also compromised – the data
subjects’ rights were not considered.
Case Study 4 – Worcestershire and North
Somerset Councils
Avoidance Measures
Training:
Train and undertake regular awareness raising with staff of
the key issues within your business and their job scope.
DP Procedures: Document the way to undertake certain tasks. Don’t leave
it to chance or “common sense”.
Know your data: Sensitive data needs special measures.
Buy-in expertise: Third party specialist firms would have identified repeated
procedural failures and heightened risk.
Case Study 5 – Newcastle Youth Offending
Team
Which data protection principles have been compromised?
Principle 7:
Lack of encryption measures and staff training in the
communication of sensitive personal data meant that the
Youth Offending Team were left open to (a) breach(es).
Principle 1:
As a result of the lack of training / technical measures, the
data was not fairly nor lawfully processed, leading to a
compromise of this principle.
Case Study 5 – Newcastle Youth Offending
Team
Avoidance Measures
DP Agreements: Ensure third parties are subject to data processor or data
sharing agreements.
Due Diligence:
Ensure that third parties also have sufficient measures in
place to protect data YOU are responsible for – and audit
them or have them audited by a specialist.
Awareness:
Ensure that all staff are aware of the risks and your
procedures.
Buy-in expertise: Third party specialist firms would have identified areas of
concern and/or undertaken a sub contractor inspection.