Information Commissioner’s Office. Sheila Logan, Operations and Policy Manager, Information Commissioner’s Office. Business Matters, 20 May 2008.
Page 1: Title slide

Information Commissioner’s Office

Sheila Logan, Operations and Policy Manager, Information Commissioner’s Office

Business Matters, 20 May 2008

Page 2: The Data Protection Principles

All data controllers must comply with the Data Protection Act 1998.

Page 3: The 8 Principles

• Fair and lawful.

• Only used for specified purposes.

• Adequate, relevant and not excessive.

• Accurate and up to date.

• Not kept longer than necessary.

• Individual rights.

• Kept secure.

• Not transferred outside the European Economic Area without adequate protection.

Page 4: Information Security

The Data Protection Act 1998 requires all organisations to have appropriate security to protect personal information against unlawful or unauthorised use or disclosure, and against accidental loss, destruction or damage.

Principle 7

Page 5: 7th Data Protection Principle

Security contraventions can have BIG implications:

• Potential harm to individuals when things go wrong.

• Damage to business reputation.

Page 6: Risk based assessment

Information is an organisation’s second most important asset.

Do you know what information the organisation possesses?

Do you have detailed security procedures?

Does your asset register include hardware and portable media?

Page 7: How valuable or sensitive is the information?

What effect would a security breach have on your organisation?

In costs?

To your reputation?

To the trust of your customers, clients and stakeholders?

What damage or distress could be caused to individuals if there were a security breach?

Page 8: Who is responsible?

Day to day responsibility for security.

Written procedures for staff to follow.

Excellent staff training.

Regular audits.

Monitoring changes.

Investigating a security incident.

Page 9: Organisational measures

Has a risk assessment been carried out?

How effective are your current security measures?

Where are the weaknesses?

Page 10: Organisational measures

Senior management commitment.

Making resources available.

Know where responsibility lies.

Do staff understand the security procedures?

Are changes required?

Page 11: Staff

A high proportion of security incidents are staff related.

What background checks are carried out?

Valid qualifications.

Disclosures – accidental, procured or deliberate?

Contract of employment.

Access to internet and email policies.

Page 12: Examples of good practice

• Transparent and appropriate vetting procedures.

• Risk assessment for staff who have access to large volumes of customer data.

• Not wearing company passes outside the workplace.

• Changing computer access when changing roles.

Page 13: Physical security

Page 14: Physical security

General vulnerability – isolated, ground floor, poor lighting, previous incidents.

Entry and exit points.

Laptops and external devices.

Paper – including disposal of confidential waste.

Page 15: Examples of good practice

Configure equipment so data cannot be copied.

Disable drives so corrupt data cannot be introduced to your system.

Restrict access to areas of high risk.

Visitor policy for ALL visitors.

A key register.

Lockers for staff use.

Page 16: Examples of good practice

Portable media:

Genuine business need to have the device.

Encryption for customer information.

Safe storage.

Who has these devices? What happens when they leave the organisation?

Company mobile phones.

Page 17: Examples of good practice

Disposal of personal information:

Using a contractor to dispose of paper and computer equipment.

Guidance for home workers and mobile staff.

Audits and spot checks.

Storage in a secure and controlled area.

Page 18: What are the real benefits?

• Organisational efficiency.

• Fewer complaints and less compensation.

• Business reputation.

• Customer confidence.

• Overall reduction in costs.

Page 19: Contact details

Information Commissioner’s Office
28 Thistle Street
Edinburgh
EH2 1EN

Telephone – 0131 225 6341

Website – www.ico.gov.uk

Email – [email protected]