Property of Common Sense Privacy - all rights reserved 01875340890 [email protected]
THE DATA PROTECTION ACT 1998
A QUESTION OF PRINCIPLES
Sheelagh F M Keddie
THE ROLE OF IT AND THE IT PROFESSIONAL IN DATA PROTECTION
1987 Data Protection manager
• IT security manager/administrator
1980’s onwards shift in management of system development
• Business area orientated responsibilities
• User role in Project management
• Service Level Agreements
2005 Data Processor
British Computer Society Code of Conduct [Extracts]
The Public Interest
1. You shall carry out work with due care and diligence in accordance with the relevant authority’s requirements, and the interests of system users. If your professional judgement is overruled, you shall indicate the likely risks and consequences.
3. You shall have regard to the legitimate rights of third parties … includes … members of the ‘public’ who might be affected by an IS project without their being directly aware of its existence.
4. You shall ensure that within your professional field/s you have knowledge and understanding of relevant legislation, regulations and standards and that you comply with such requirements.
MANAGING DATA PROTECTION
[Diagram: Policy; Guidelines; Processes; Organisation; Education and Training; Inventory]
WHAT DOES GOOD DP PRACTICE LOOK LIKE?
• A clear, complete and relevant policy
• An inventory of personal data
• Controls to ensure that data are collected legally
• Only relevant data and sufficient data are collected
• Controls to ensure that data are only used in accordance with how they were collected
• Procedures to correct inaccurate data
• Procedures to delete data when the purpose is completed
• Procedures to meet requests from individuals to see their data within the legal time limit
• Staff understand their responsibilities and meet them
DATA PROTECTION POLICY
• Access rules reflect lawful use
• Chinese walls within data controller reflecting different purposes
• compartmentalised access v. hierarchical
• more than one logical id for some users
• clear policy on monitoring usage
• users' rights to private use of e-mails, Internet, IT facilities, telephones
• monitoring usage v content
• automated monitoring v human surveillance
• authorisation of specific investigations
INVENTORY OF PERSONAL DATA
• Broader base for inventory
• all automated personal data not just ‘processed by reference’
• includes back-ups
• includes e-mails
• includes word-processing documents
• reflects logical business purposes not necessarily technical data relationships - logical map underpinned by technical map
• reflects business ownership of personal data
• is not limited to automated data
CONTROLS - BUILDING COMPLIANT SYSTEMS
• Project initiation and specification
• Fair collection - Principle 1
• specify which condition[s] in schedules 2 and 3 are being met
• eg the exact wording if consent is being sought
• in document
• in telephone script
• on web-site
• the legal obligation which necessitates collection
• the public function which necessitates the collection
CONTROLS - BUILDING COMPLIANT SYSTEMS
• Project initiation and specification
• Lawful use - Principle 2
• ensure internal use reflects the information given to the data subject
• ensure any intended disclosures to any other legal entity also reflect this information
Principle 2 - only obtained for specified and lawful purposes and not further processed in an incompatible manner [including by an employee or a third-party recipient]
CONTROLS - BUILDING COMPLIANT SYSTEMS
[Diagram: COLLECT, STORE, USE; legal entity; purposes; consent/objections]
CONTROLS - BUILDING COMPLIANT SYSTEMS
Systems design
• CRM or discrete data sets
• controls to
• reflect multiple purposes and multiple legal entities
• maintain accuracy
• record dissent
• support retention policies
CONTROLS - BUILDING COMPLIANT SYSTEMS
Systems specification and design
• include reports to produce accessible copies of an individual’s data
• per legal entity
• per person
• explain codes
• omit clearly exempt material
• includes - e-mails, archives, back-up, possibly telephone calls
don’t give me - screen prints, multiple copies of call logs and e-mails, coded actions
CONTROLS - BUILDING SECURE SYSTEMS
• Establish necessary, effective security controls
• Carry out and document impact assessments - likely harm to an individual of a security breach
• add control assessments - risk reduction
• establish joint ownership with business users of control strategy
Principle 7 - secured against unauthorised or unlawful processing, accidental loss or destruction, damage
CONTROLS - MANAGING THE DATA PROCESSOR RELATIONSHIP
• Data Processor
• Written statement regarding security controls
• policy
• staff training
• physical, procedural and technical controls
• Data Controller
• Part of the procurement process
• part of the management and audit processes
• clear documented instructions on processing of personal data
COLLECTION AND DISCLOSURE VIA WEB-SITES
• No covert collection mechanisms
• place collection information before collection action eg above the submit button in online forms
• get positive consent eg tick that you have read and accept the privacy information
• don’t bundle consent to various purposes
• enable choices to be made on-line
• opt-in via opt-out
• shun the passive opt-in - boxes already ticked
• remember placing personal data on the Internet is world-wide disclosure/transfer
Questions?