Data Security Breach Code of Practice

Data Security Concerns
- Exponential growth in personal data holdings
- Increased outsourcing: 3rd countries, cloud providers
- Data breach scandals
- Evidence of inadequate controls

DPA Security Provisions (S2 & 2C)
- "Appropriate security measures" to prevent "unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data and against their accidental loss or destruction"
- Provide a level of security appropriate to ... the harm that might result ... and ... the nature of the data concerned
- May have regard to the state of technological development and the cost of implementing the measures

DPA Code of Practice (S 13)
- The Commissioner shall ... where he or she considers it necessary or desirable to do so (after consultation) ... prepare and arrange for the dissemination to such persons as he or she considers appropriate of, codes of practice for guidance as to good practice in dealing with personal data ...
- Any such code that is so approved of may be laid by the Minister before each House of the Oireachtas and, if each such House passes a resolution approving of it, then ... it shall have the force of law in accordance with its terms

Why a Code?
- Protect rights of individuals: "... focus of the Office of the Data Protection Commissioner in such cases is on the rights of the affected data subjects in relation to the processing of their personal data ..." (Code)
- Promote better data security
- Provide DPC with relevant information to advise organisations

Code Documentation
- Personal Data Security Breach Code of Practice
- Breach Notification Guidance
- Data Security Guidance (Updated)
- All on

What is Covered?
- "... risk of unauthorised disclosure, loss, destruction or alteration of personal data ..." (Code)
- "... It is not just lost USB keys/disks/laptops. It may include any loss of control over personal data entrusted to organisations, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals ..." (Data Breach Guidance)

Informing Data Subjects
- Key focus of Code: "... Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures ..."
- "... In appropriate cases, data controllers should also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions etc. ..." (Code)
- [May be delayed at Garda request]

Information to Data Subjects
- Nature of breach
- Contact point
- Advice to mitigate harm
- Channel of communication depends on circumstances: individual or public

Initial Report by Data Controller to DPC
- Within 2 working days of incident, by (preferably), telephone or fax
- Basic facts and measures being taken
- Must not include personal data

Detailed Report to DPC (if requested)
- the amount and nature of the personal data that has been compromised;
- the action being taken to secure and/or recover the personal data that has been compromised;
- the action being taken to inform those affected by the incident, or reasons for the decision not to do so;
- the action being taken to limit damage or distress to those affected by the incident;
- a chronology of the events leading up to the loss of control of the personal data; and
- the measures being taken to prevent repetition of the incident

Reporting Exemptions (1)
- No need to notify data subjects or DPC "... if the data concerned is protected by technological measures such as to make it unintelligible to any person who is not authorised to access it ..." (Code)
- E.g. laptop with strong password and disk encryption (Breach Notification Guidance)

Reporting Exemptions (2)
- No need to report to DPC if:
  - reported fully and promptly to data subjects, and
  - does not affect more than 100 data subjects, and
  - does not include sensitive or financial data
- Financial: last name plus account or card number
- If in doubt, report

Internal Record-Keeping
- Summary report: brief description of incident
- Why DPC not notified (if applicable)
- Available for inspection by DPC
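As an added example (not part of the presentation and not the DPC's own tooling), the decision rules from the two Reporting Exemptions slides, the 2-working-day initial-report deadline and the internal summary record, encoded as a small Python triage helper an incident-response team could keep in a runbook; the field names, the Mon-Fri working-day rule and the omission of public holidays are my assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Breach:
    """Constructed model of a breach; attribute names are assumptions, not the Code's terms."""
    subjects_affected: int
    data_subjects_informed: bool       # reported fully and promptly to those affected
    sensitive_data: bool               # sensitive personal data involved
    financial_data: bool               # last name plus account or card number
    unintelligible_to_outsiders: bool  # e.g. laptop with strong password and disk encryption


def exempt_from_all_notification(b: Breach) -> bool:
    """Exemption (1): data protected so that unauthorised persons cannot read it."""
    return b.unintelligible_to_outsiders


def exempt_from_dpc_report(b: Breach) -> bool:
    """Exemption (2): all three conditions must hold; any failure means report."""
    return (b.data_subjects_informed
            and b.subjects_affected <= 100
            and not (b.sensitive_data or b.financial_data))


def dpc_report_required(b: Breach) -> bool:
    """'If in doubt, report': only a clear exemption removes the DPC report."""
    if exempt_from_all_notification(b):
        return False
    return not exempt_from_dpc_report(b)


def initial_report_deadline(incident: date) -> date:
    """Latest date for the initial report: 2 working days after the incident.
    Assumes Mon-Fri working days and ignores public holidays."""
    d, remaining = incident, 2
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


def internal_record(b: Breach, description: str) -> dict:
    """Summary record kept for DPC inspection; records why the DPC was not notified."""
    record = {"description": description, "dpc_notified": dpc_report_required(b)}
    if not record["dpc_notified"]:
        record["reason_not_notified"] = (
            "data unintelligible to unauthorised persons"
            if exempt_from_all_notification(b)
            else "subjects informed, <=100 affected, no sensitive/financial data")
    return record
```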

Data Processors
- Must report to data controller
- Data controller to act in accordance with Code

Action by DPC
- May carry out fuller investigation
- May recommend that data subjects be notified (if not already done)
- Use enforcement powers if necessary