Lesson 3 Protecting ICT systems Data Protection Act 1998

Protecting ICT systems Why protect computer systems ? Q and A

Internal threats to data security Disk crash – when data literally turns to dust Faulty procedures – staff training inadequate leading to data corruption Natural disasters Staff working from home – disk, data Dishonest employees (& students)

External threats Unauthorised access to data (see Computer Misuse Act) by ‘Hackers’ Virus’ loaded from outside sources Thought: Ask a bank how many times their security has been breached ? What would happen if they responded truthfully ?

Computing and the NHSnet Government spending watchdog, the National Audit Office, is to investigate a £6.2bn programme to install a computer system at the NHS. (31/08/04) What will be the benefits ? Q & A

Worries Can anyone look at my records ? Policed by Access on a need basis only Policed by Audit and monitoring will enforce

Benefits (NHSnet) The system is designed to link every GP's surgery and hospital in England and provide online records for up to 50 million patients. The government hopes every patient will have their own online record by 2010. NHS IT director general Richard Granger says people will start to feel the benefits of the system by 2005. According to health officials, the system will allow information about patients to be mobile for the first time.

Disadvantages (NHS) How much is the data worth ? Insurance companies Anti-abortionists Blackmailers Personal records Lawyers Drug companies Funeral parlours

System Protection Q & A How can I protect my system ?

System Protection Methods Physical User id + Password Restriction by user / location / time Audit and accounting Data encryption pre-transmission http://www.sygnusdata.co.uk/2_part_fetest_wanxl.htm

Encryption for security How safe is my 512-bit RSA encryption key ? http://www.rsasecurity.com/ Cracked by Dutch National Research for Mathematics and Computer Science in 1999 but it took scientists at 11 sites, in 6 countries, with 292 computers and 35 years of processing time

Encryption for personal use Q and A Is strong encryption (512) a good idea ? http://www.des-rsa-encryption-software-cryptography-group.com/

Data Safety (Types of backup) Online backup (disk shadowing, RAID – Redundant Array of Inexpensive Disks) Standalone backups Incremental backups Periodic backups

Data Safety (Protection) Anti-virus software Staff vetting Staff training Hardware pre-installation survey

Test 1 Describe four separate measures that can be taken to prevent accidental or deliberate misuse of data on a stand-alone computer.

Data Protection Act Became law in 1984 In-line with European Data Protection Directive (Data Protection Act 1998 – implemented March 2000) See also Freedom of Information Act 2000 The Telecommunications (Data Protection and Privacy) Regulations 1999 www.hmso.gov.uk

Data Protection Key Words Personal data – name, address Automatically processed – processed on a computer system. Are paper records covered ? Data users – Sole trader to multi-national Data subjects – you and me

Data Protection Act 1984, 1998 8 Principles Personal data must be obtained and processed fairly and lawfully Held for the lawful purposes described in the data user’s register entry Used for those purposes and disclosed only to those people described in the register entry Adequate, relevant and not excessive in relation to the purposes for which they are held

DPA 1984, 1998 contd 5 Accurate and where necessary up-to-date Held no longer than necessary for the designated purpose. Accessible to the individual concerned who, where appropriate, has the right to have information about themselves corrected or erased. Surrounded by proper security

The Data Protection Registrar Duties include register of data users Disseminating information regarding the DPA Promoting compliance with the Data Protection Principles Encourage Codes of Practice Consider complaints under Act or Principles

DPR contd 6 Prosecute offenders

Data User’s Registry Entry Must show their name, address etc Whose personal data they store Items of data held Purpose of holding data Source whereby data obtained Disclosed to whom Any overseas transfer of data

DPA 1984, 1998 Exemptions Payroll, pensions, accounts nor addresses for distribution Personal, family data Data subjects may be prevented from viewing data collated for research Data may be provided to subject’s agent (lawyer etc)

DPA 1984, 1998 Exemption In connection with National Security For prevention of crime For the collection of Tax and Duty

DPA – Rights of Data Subjects Civil court rights Compensation for unauthorised disclosure Compensation for inaccurate data Access to data and apply for corrections Compensation for unauthorised access, loss or destruction of data

Test 2 A company is storing details of its customers on a database. Describe three obligations the company has under the DPA.