2. This presentation is intended to help you
understand aspects of the Data Protection
Act 1998 and related legislation.
It is not intended to provide detailed advice
on specific points, and is not necessarily a full
statement of the law.
3. Data Protection overview
∗ Prevent harm to the individuals whose data we hold,
or other people (How?)
∗ Reassure people that we use their information
responsibly, so that they trust us (How?)
∗ Comply with specific legal requirements (Such as?)
4. Preventing harm
∗ Keep information only in the right hands
∗ Hold accurate, good quality data
5. Reassuring people so that they
trust us
∗ Be transparent – open and honest, don’t hide things
or go behind people’s back
∗ Offer people a reasonable choice over how you use
their data, and what for
6. Additional legal obligations
∗ Right to opt out of direct marketing
∗ Right of Subject Access (individuals can ask for a copy of the
data you hold about them)
∗ Notification (registering your processing with the Information
Commissioner)
∗ (And others)
7. The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you
obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
8. Security (Principle 7)
Security is about protecting the boundaries set by your
confidentiality policies, so that information does not fall
into the wrong hands.
The Act (Principle 7) requires appropriate measures against:
∗ unauthorised or unlawful processing of personal data
∗ accidental loss, destruction or damage of personal data
The measures must be ‘appropriate’ to the harm that could result
and to the nature of the data, and they must be both technical
(encryption, access control) and organisational (policies,
training, procedures).
The Information Commissioner can impose a monetary penalty of up
to £500,000 for serious breaches of security.
9. Penalties for security breaches
∗ Herts. County Council twice faxed details of child abuse cases to the
wrong recipients
∗ Ealing & Hounslow councils were both penalised after an unencrypted
laptop containing 1700 clients’ details was stolen from an employee’s
house
∗ Worcs. County Council e-mailed highly sensitive data about a large
number of vulnerable people to 23 unintended recipients
∗ Powys County Council mixed up two child protection reports and
posted part of one to someone who recognised the people involved
∗ A lawyer’s website was hacked and details of at least 6000 people
were leaked
10. Lessons from security breaches
∗ ‘Data in transit’ is where most serious breaches occur
∗ Simple mistakes are usually the cause:
∗ Sending things to the wrong people – by fax, e-mail or in
the post – or losing laptops, USB sticks, etc.
∗ Disclosing confidential material, even about only one
or two people, is serious
∗ Laptops and removable media must be encrypted (full-disk
encryption; a login password on its own is not encryption)
∗ Your website’s security is your responsibility, even if someone
else built or hosts it
11. Cloud computing
[Diagram: an organisation’s services – ISP, e-mail, web site, backup,
word processing, database, photos – with a question mark over where
each one actually runs]
12. Cloud computing
[Same diagram repeated, with the question mark now over the whole set of
services]
13. Cloud computing characteristics
Cheap and flexible, especially for small organisations:
∗ Standard offering
∗ Available anywhere there is an internet connection
∗ Suppliers claim good security and service levels
Based on:
∗ Shared facilities
∗ Location of data irrelevant (and may be obscure)
∗ May be layers of sub-contract
14. Cloud examples
∗ Office programs (Microsoft 365, Google Apps)
∗ Storage & processing capacity (Amazon)
∗ Contact management database (Salesforce, CiviCRM)
∗ Photo/video storage and sharing (Picasa, YouTube)
∗ Online meetings & phone calls (GoToMeeting, Skype)
∗ Social networking sites when used by organisations
15. Security and the cloud
∗ Breaches do occur
∗ Standard terms and conditions are often non-negotiable
∗ Due diligence
∗ Understand what you are checking
∗ International standards
∗ ISO/IEC 27000 series (descended from BSI’s BS 7799)
∗ self-assessment is less reliable than certification
∗ check the credentials of the certifying body
∗ relevance & scope: an ISO 27001 certificate covers only what is
in its scope and Statement of Applicability, which may not
include the service you are buying
∗ HMG Security Policy Framework substantially based on ISO 27000
∗ SAS 70 (US) – an auditing process, not a security standard
(superseded by SSAE 16 / SOC reports in 2011)
16. What else can go wrong?
∗ Loss of service
∗ at their end
∗ at your end (no internet connection, no service)
∗ Retrieving your data if the service ceases or you get
into a dispute
∗ Contract terms which allow the supplier to make use
of your data (mainly consumer-oriented services)
∗ Unclear ownership/location of data and the equipment it is
stored on (within the EEA the transfer rules of Principle 8 are
not an issue; ownership and access still are)
∗ Unilateral changes in policy by the provider
17. And finally …
∗ Most countries have laws allowing the authorities to
access data
∗ US Patriot Act: ostensibly anti-terrorist
∗ has also been used in non-terrorist cases
∗ the supplier may not agree (or even be allowed) to inform
the customer that access has taken place
∗ Include this in your risk assessment
18. So what do you need to do?
∗ Check the contract (or standard terms and conditions) very
carefully on areas like:
∗ security
∗ location of data (especially if it could be outside the EEA)
∗ liability/sub-contractors
∗ back-up/access to your data
∗ copyright and licence terms giving the provider rights over
your content (e.g. Google’s standard terms)
∗ Use your findings to make and record a risk assessment and get
authorisation to proceed
∗ Be transparent with your Data Subjects
19. The new cookie law
∗ Privacy and Electronic Communications (EC Directive)
(Amendment) Regulations 2011 came into force on
26th May 2011
∗ Information Commissioner announced a year’s grace
before enforcement action would be taken
∗ Information Commissioner issued guidance in
December 2011, updated May 2012
20. What the Regulations say
∗ You must not store information (e.g. through a cookie) on
someone else’s computer, or gain access to information already
stored there, unless:
∗ they have clear information about the purpose; and
∗ they have given consent
∗ You only have to ask them the first time
∗ They can consent through browser settings (but …)
∗ You don’t need consent for cookies that are ‘strictly
necessary’ for a service the user has explicitly requested (e.g.
a session cookie that keeps them logged in or holds a shopping
basket); analytics and advertising cookies do not qualify
21. What the Information
Commissioner says
∗ He wants ‘good solutions rather than rushed ones’.
∗ No ‘wave of knee-jerk formal enforcement action’ as
long as people are making the effort to comply.
∗ There are ‘pockets of good practice’ and while he
‘cannot endorse specific products or services’, there
are ‘people going about this the right way’.
∗ Analytics cookies are covered, but not a priority.
22. What do we need to do?
∗ Document what cookies we have
∗ Assess how intrusive they are
∗ Decide whether we really need them all
∗ Provide appropriate information
∗ In the privacy statement
∗ At appropriate points on the website
∗ Decide what we need consent for and how to get it
∗ Work out how people can withdraw consent
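As an added example of how the steps above fit together in practice (it is not code from the original presentation), here is a small server-side consent gate for Node.js. The cookie inventory, the category names and the consent cookie called cookie_consent are all constructed for illustration. Strictly necessary cookies are set unconditionally, every other cookie only when the visitor has consented to its category, an undocumented cookie is refused outright (so the inventory step cannot be skipped), and withdrawing consent expires the affected cookies.

```javascript
// Added example, not from the original slides. A consent gate for cookies
// following the summary of the 2011 Regulations above. Cookie names, categories
// and purposes are constructed for illustration.

// Inventory: every cookie the site sets, its category and stated purpose.
// 'strictly-necessary' cookies need no consent; every other category does.
const COOKIE_INVENTORY = [
  { name: "session_id",     category: "strictly-necessary", purpose: "keeps you signed in" },
  { name: "csrf_token",     category: "strictly-necessary", purpose: "protects forms against forgery" },
  { name: "cookie_consent", category: "strictly-necessary", purpose: "remembers your consent choice" },
  { name: "_ga",            category: "analytics",          purpose: "visitor statistics" },
  { name: "ad_id",          category: "advertising",        purpose: "targeted advertising" },
];

// Read the stored consent choice (e.g. "cookie_consent=analytics%2Cadvertising")
// out of a request's Cookie header into a Set of consented categories.
function parseConsent(cookieHeader) {
  const consented = new Set();
  if (!cookieHeader) return consented;
  for (const part of cookieHeader.split(";")) {
    const [k, v] = part.trim().split("=");
    if (k === "cookie_consent" && v) {
      for (const cat of decodeURIComponent(v).split(",")) if (cat) consented.add(cat);
    }
  }
  return consented;
}

// May this cookie be stored on the visitor's machine given their consent?
function mayStore(cookie, consented) {
  return cookie.category === "strictly-necessary" || consented.has(cookie.category);
}

// Build a Set-Cookie header. Secure, SameSite and HttpOnly are always applied;
// a consent gate is no reason to drop the usual cookie hardening.
function setCookieHeader(name, value, opts = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax", "HttpOnly"];
  if (opts.maxAge !== undefined) attrs.push(`Max-Age=${opts.maxAge}`);
  return attrs.join("; ");
}

// Given the cookies a response wants to set, return the headers the gate allows
// and the names it withheld for lack of consent. A cookie missing from the
// inventory is an error: document it first, then decide whether it needs consent.
function gateCookies(wanted, consented, inventory = COOKIE_INVENTORY) {
  const byName = new Map(inventory.map((c) => [c.name, c]));
  const headers = [];
  const withheld = [];
  for (const [name, value] of Object.entries(wanted)) {
    const cookie = byName.get(name);
    if (!cookie) throw new Error(`undocumented cookie: ${name}`);
    if (mayStore(cookie, consented)) headers.push(setCookieHeader(name, value));
    else withheld.push(name);
  }
  return { headers, withheld };
}

// Withdrawal: expire every non-essential cookie whose category is no longer
// consented to (expiring one that was never set is harmless) and rewrite the
// consent cookie with whatever categories remain.
function withdrawConsent(consented, withdrawnCategories, inventory = COOKIE_INVENTORY) {
  const remaining = new Set([...consented].filter((c) => !withdrawnCategories.includes(c)));
  const headers = inventory
    .filter((c) => c.category !== "strictly-necessary" && !remaining.has(c.category))
    .map((c) => setCookieHeader(c.name, "", { maxAge: 0 }));
  headers.push(setCookieHeader("cookie_consent", [...remaining].join(","), { maxAge: 31536000 }));
  return { remaining, headers };
}

// Usage: a visitor who consented to analytics only.
const consent = parseConsent("session_id=abc; cookie_consent=analytics");
console.log(gateCookies({ session_id: "abc", _ga: "GA1.2.1", ad_id: "42" }, consent));
console.log(withdrawConsent(consent, ["analytics"]));
```

The gate is deliberately server-side: it decides what goes into Set-Cookie, so a page cannot set an analytics or advertising cookie by accident before the visitor has chosen. The consent cookie itself sits in the strictly-necessary category because the Regulations only require asking once, and something has to remember the answer.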