Published by Damian Williamson. Modified over 9 years ago.

Slide 1: THE DATA PROTECTION ACT 1998 - A QUESTION OF PRINCIPLES
Sheelagh F M Keddie
Property of Common Sense Privacy - all rights reserved. 01875340890, csprivacy@aol.com
Slide 2: THE ROLE OF IT AND THE IT PROFESSIONAL IN DATA PROTECTION
1987: Data Protection manager; IT security manager/administrator
1980s onwards: shift in management of system development
  business area orientated responsibilities
  user role in project management
  Service Level Agreements
2005: Data Processor
Slide 3: British Computer Society Code of Conduct [extracts] - The Public Interest
1. You shall carry out work with due care and diligence in accordance with the relevant authority's requirements, and the interests of system users. If your professional judgement is overruled, you shall indicate the likely risks and consequences.
3. You shall have regard to the legitimate rights of third parties ... includes members of the 'public' who might be affected by an IS project without their being directly aware of its existence.
4. You shall ensure that within your professional field/s you have knowledge and understanding of relevant legislation, regulations and standards and that you comply with such requirements.
Slide 4: MANAGING DATA PROTECTION (diagram)
The elements around the centre of the diagram: policy, guidelines, processes, organisation, education and training, inventory.
Slide 5: WHAT DOES GOOD DP PRACTICE LOOK LIKE?
A clear, complete and relevant policy
An inventory of personal data
Controls to ensure that data are collected legally
Only relevant data and sufficient data are collected
Controls to ensure that data are only used in accordance with how they were collected
Slide 6: WHAT DOES GOOD DP PRACTICE LOOK LIKE? (continued from slide 5)
Procedures to correct inaccurate data
Procedures to delete data when the purpose is completed
Procedures to meet requests from individuals to see their data within the legal time limit
Staff understand their responsibilities and meet them
Slide 7: DATA PROTECTION POLICY
Access rules reflect lawful use
  chinese walls within the data controller reflecting different purposes
  compartmentalised access v. hierarchical
  more than one logical id for some users
Clear policy on monitoring usage
  users' rights to private use of e-mails, Internet, IT facilities, telephones
  monitoring usage v. content
  automated monitoring v. human surveillance
  authorisation of specific investigations
Slide 8: INVENTORY OF PERSONAL DATA
Broader base for inventory
  all automated personal data, not just 'processed by reference'
  includes back-ups
  includes e-mails
  includes word-processing documents
Reflects logical business purposes, not necessarily technical data relationships - a logical map underpinned by a technical map
Reflects business ownership of personal data
Is not limited to automated data
Slide 9: CONTROLS - BUILDING COMPLIANT SYSTEMS: project initiation and specification
Fair collection - Principle 1
  specify which condition[s] in Schedules 2 and 3 are being met, eg
    the exact wording if consent is being sought: in a document, in a telephone script, on a web-site
    the legal obligation which necessitates collection
    the public function which necessitates the collection
Slide 10: CONTROLS - BUILDING COMPLIANT SYSTEMS: project initiation and specification
Lawful use - Principle 2
  ensure internal use reflects the information given to the data subject
  ensure any intended disclosures to any other legal entity also reflect this information
Principle 2 - only obtained for specified and lawful purposes and not further processed in an incompatible manner [including by an employee or a third-party recipient]
Slide 11: CONTROLS - BUILDING COMPLIANT SYSTEMS (diagram)
COLLECT -> STORE -> USE, with the legal entity, the purposes and the consent/objections carried through each stage.
Slide 12: CONTROLS - BUILDING COMPLIANT SYSTEMS: systems design
CRM or discrete data sets
Controls to reflect multiple purposes and multiple legal entities
Maintain accuracy
Record dissent
Support retention policies
Slide 13: CONTROLS - BUILDING COMPLIANT SYSTEMS: systems specification and design
Include reports to produce accessible copies of an individual's data
  per legal entity
  per person
  explain codes
  omit clearly exempt material
Includes: e-mails, archives, back-up, possibly telephone calls
Don't give me: screen prints, multiple copies of call logs and e-mails, coded actions
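The design controls of slides 10 to 13 (legal entity, purposes and consent/objections carried with the stored data, recorded dissent, retention, and per-entity subject access copies with codes explained and exempt material omitted), as an added Python example that is not part of the presentation. The code book, entity names, field names and the exempt field are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed code book: stored values are codes, so an access copy must explain them.
CODE_BOOK = {"MKT": "marketing contact", "ACC": "account administration"}

@dataclass
class PersonalRecord:
    subject: str                # data subject (constructed identifier)
    controller: str             # legal entity that collected the data
    purposes: frozenset         # purposes notified to the subject at collection
    fields: dict                # the personal data itself
    objections: set = field(default_factory=set)  # recorded dissent, per purpose
    purpose_completed: Optional[date] = None      # when the last purpose ended

def use_permitted(rec: PersonalRecord, entity: str, purpose: str) -> bool:
    """Principle 2: same legal entity, purpose specified at collection, no objection."""
    return (entity == rec.controller
            and purpose in rec.purposes
            and purpose not in rec.objections)

def due_for_deletion(rec: PersonalRecord, today: date, keep_days: int) -> bool:
    """Retention: delete once the purpose is completed and the agreed period has run."""
    return (rec.purpose_completed is not None
            and today - rec.purpose_completed >= timedelta(days=keep_days))

def subject_access_copy(records, subject: str, entity: str, exempt=frozenset()) -> dict:
    """One person's data held by one legal entity: codes explained, exempt fields omitted."""
    copy = {}
    for rec in records:
        if rec.subject == subject and rec.controller == entity:
            for name, value in rec.fields.items():
                if name not in exempt:
                    copy[name] = CODE_BOOK.get(value, value)
    return copy

# Constructed sample: Acme Retail Ltd collected data for account administration and
# marketing; the subject later objected to marketing. The second record's purpose ended.
TODAY = date(2006, 3, 1)
RECORDS = [
    PersonalRecord("cust-42", "Acme Retail Ltd", frozenset({"ACC", "MKT"}),
                   {"name": "A. Subject", "segment": "MKT", "note": "internal"},
                   objections={"MKT"}),
    PersonalRecord("cust-42", "Acme Retail Ltd", frozenset({"ACC"}),
                   {"old_account": "closed"}, purpose_completed=date(2005, 12, 1)),
]

if __name__ == "__main__":
    print(subject_access_copy(RECORDS, "cust-42", "Acme Retail Ltd", exempt={"note"}))
```

A request from a different legal entity, a purpose not notified at collection, or a purpose the subject has objected to all fail use_permitted, which is the compartmentalised, purpose-bound access slide 7 asks for.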
Slide 14: CONTROLS - BUILDING SECURE SYSTEMS
Establish necessary, effective security controls
Carry out and document impact assessments - the likely harm to an individual of a security breach
Add control assessments - risk reduction
Establish joint ownership with business users of the control strategy
Principle 7 - secured against unauthorised or unlawful processing, accidental loss or destruction, damage
Slide 15: CONTROLS - MANAGING THE DATA PROCESSOR RELATIONSHIP
Data Processor
  written statement regarding security controls: policy; staff training; physical, procedural and technical controls
Data Controller
  part of the procurement process
  part of the management and audit processes
  clear documented instructions on processing of personal data
Slide 16: COLLECTION AND DISCLOSURE VIA WEB-SITES
No covert collection mechanisms
Place collection information before the collection action, eg above the submit button in online forms
Get positive consent, eg tick that you have read and accept the privacy information
Don't bundle consent to various purposes
Enable choices to be made on-line
Opt-in v. opt-out: shun the passive opt-in - boxes already ticked
Remember: placing personal data on the Internet is world-wide disclosure/transfer
Slide 17: Questions?