property of common sense privacy - all rights reserved 01875340890 [email protected] the data...

Property of Common Sense Privacy - all rights reserved 01875340890 [email protected]

THE DATA PROTECTION ACT 1998

A QUESTION OF PRINCIPLES

Sheelagh F M Keddie


THE ROLE OF IT AND THE IT PROFESSIONAL IN DATA PROTECTION

1987 Data Protection manager

• IT security manager/administrator

1980’s onwards shift in management of system development

• Business area orientated responsibilities

• User role in Project management

• Service Level Agreements

2005 Data Processor


British Computer Society Code of Conduct [Extracts]

The Public Interest

1. You shall carry out work with due care and diligence in accordance with the relevant authority’s requirements, and the interests of system users. If your professional judgement is overruled, you shall indicate the likely risks and consequences.

3. You shall have regard to the legitimate rights of third parties …includes..members of the ‘public’ who might be affected by an IS project without their being directly aware of its existence.

4. You shall ensure that within your professional field/s you have knowledge and understanding of relevant legislation, regulations and standards and that you comply with such requirements.


POLICY

GUIDELINES

PROCESSES

ORGANISATION

EDUCATION AND TRAINING

MANAGING DATA PROTECTION

INVENTORY


WHAT DOES GOOD DP PRACTICE LOOK LIKE?

• A clear, complete and relevant policy

• An inventory of personal data

• Controls to ensure that data are collected legally

• Only relevant data and sufficient data are collected

• Controls to ensure that data are only used in

accordance with how they were collected


WHAT DOES GOOD DP PRACTICE LOOK LIKE?

• A clear, complete and relevant policy

• An inventory of personal data

• Controls to ensure that data are collected legally

• Only relevant data and sufficient data are collected

• Controls to ensure that data are only used in

accordance with how they were collected

• Procedures to correct inaccurate data

• Procedures to delete data when the purpose is

completed

• Procedures to meet requests from individuals to see

their data within the legal time limit

• Staff understand their responsibilities and meet them


DATA PROTECTION POLICY

• Access rules reflect lawful use

• chinese walls within data controller reflecting different

purposes

• compartmentalised access v. hierarchical

• more than one logical id for some users

• clear policy on monitoring usage

• users rights to private use of e-mails, Internet , IT facilities,

telephones

• monitoring usage v content

• automated monitoring v human surveillance

• authorisation of specific investigations


INVENTORY OF PERSONAL DATA

• Broader base for inventory

• all automated personal data not just ‘processed by

reference’

• includes back-ups

• includes e-mails

• includes word-processing documents

• reflects logical business purposes not necessarily technical

data relationships - logical map underpinned by technical map

• reflects business ownership of personal data• is not limited to automated data


CONTROLS - BUILDING COMPLIANT SYSTEMS

• Project initiation and specification

• Fair collection - Principle 1• specify which condition[s] in schedules 2 and 3 are being met

• eg the exact wording if consent is being sought• in document• in telephone script• on web-site

• the legal obligation which necessitates collection• the public function which necessitates the collection



• Project initiation and specification

• Lawful use - Principle 2

• ensure internal use reflects the information given to the data subject

• ensure any intended disclosures to any other legal entity also reflect this information

Principle 2 - only obtained for specified and lawful purposes

and not further processed in an incompatible manner [ including by an employee or a third-party recipient]


STORE

COLLECT

legal entity

purposes consent/objections

USE




Systems design

• CRM or discrete data sets

• controls to

• reflect multiple purposes and multiple legal entities

• maintain accuracy

• record dissent

• support retention policies



Systems specification and design

• include reports to produce accessible copies of an individual’s data

• per legal entity

• per person

• explain codes

• omit clearly exempt material

• includes - e-mails, archives, back-up, possibly telephone calls

don’t give me - screen prints, multiple copies of call logs and e-mails, coded actions


CONTROLS - BUILDING SECURE SYSTEMS

• Establish necessary, effective security controls

• Carry out and document impact assessments - likely harm to an individual of a security breach

• add control assessments - risk reduction

• establish joint ownership with business users of control strategy

Principle 7 - secured against unauthorised or unlawful processing, accidental loss or destruction, damage


CONTROLS - MANAGING THE DATA PROCESSOR RELATIONSHIP

• Data Processor

• Written statement regarding security controls

• policy

• staff training

• physical, procedural and technical controls

•Data Controller

• Part of the procurement process

• part of the management and audit processes

• clear documented instructions on processing of personal

data


• No covert collection mechanisms

• place collection information before collection action eg above the submit button in online forms

• get positive consent eg tick that you have read and accept the privacy information

• don’t bundle consent to various purposes

• enable choices to be made on-line

• opt -in via opt-out

• shun the passive opt-in - boxes already ticked

• remember placing personal data on the Internet is world-wide disclosure/ transfer

COLLECTION AND DISCLOSURE VIA WEB-SITES


Questions?

property of common sense privacy - all rights reserved 01875340890 [email protected] the data...

Documents