Information Commissioner’s Office Sheila Logan Operations and Policy Manager Information Commissioner’s Office Business Matters 20 May 2008
The Data Protection Principles All data controllers must comply with the Data Protection Act 1998
The 8 Principles Fair and lawful. Only used for specified purposes. Adequate, relevant and not excessive. Accurate and up to date. Not kept longer than necessary. Individual rights. Kept secure. Not transferred outside European Economic Area without adequate protection.
Information Security The Data Protection Act 1998 requires all organisations to have appropriate security to protect personal information against unlawful or unauthorised use or disclosure, and accidental loss destruction or damage. Principle 7
7th Data Protection Principle Security contraventions can have BIG implications Potential harm to individuals when things go wrong. Damage to business reputation.
Risk based assessment Information is an organisation’s second most important asset. Do you know what information the organisation possesses? Do you have detailed security procedures? Does your asset register include hard wear and portable media?
How valuable or sensitive is the information? What effect would a security breach have on your organisation? In costs? To your reputation? To the trust of your customers, clients and stakeholders? What damage or distress could be caused to individuals if there were a security breach?
Who is responsible? Day to day responsibility for security. Written procedures for staff to follow. Excellent staff training. Regular audits. Monitoring changes. Investigating a security incident.
Organisational measures Has a risk assessment been carried out? How effective are your current security measures? Where are the weaknesses?
Organisational measures Senior management commitment. Making resources available. Know where responsibility lies. Do staff understand security the procedures? Are changes required?
Staff High proportion of security incidents are staff related. What background checks are carried out? Valid qualifications. Disclosures - accidental, procured or deliberate? Contract of employment. Access to internet and policies.
Examples of good practice Transparent and appropriate vetting procedures. Risk assessment for staff who have access to large volumes of customer data. Not wearing company passes outside the workplace. Changing computer access when changing roles.
Physical security
General vulnerability – isolated, ground floor, poor lighting, previous incidents. Entry and exit points. Laptops and external devices. Paper – including disposal of confidential waste.
Examples of good practice Configure equipment so data cannot be copied. Disable drives so corrupt data cannot be introduced to your system. Restrict access to areas of high risk. Visitor policy for ALL visitors. A key register. Lockers for staff use.
Examples of good practice Portable Media: Genuine business need to have device. Encryption for customer information. Safe storage. Who has these devices? What happens when they leave the organisation. Company mobile phones.
Examples of good practice Disposal of personal information Using contractor to dispose of paper and computer equipment. Guidance for home workers and mobile staff. Audits and spot checks. Storage in secure and controlled area.
What are the real benefits? Organisational efficiency. Fewer complaints and less compensation. Business reputation. Customer confidence. Overall reduction in costs.
Information Commissioner’s Office 28 Thistle Street Edinburgh EH2 1EN Telephone Website – – CONTACT DETAILS