1. Information Security TechLink Seminar, 17 April 2013 James Knapton, Information Compliance Officer, Registrary’s Office

2. Data Protection Act 1998 ‘An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information’ Personal data = any information relating to a living individual  including any expression of opinion about them  including any indication of the intentions of the data controller or anyone else towards the individual Data controller = the organisation processing the data  University as a whole but not the Colleges Key to compliance is adherence to the data protection principles

3. Principle 7: Information Security ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’ Must ensure an ‘appropriate’ level of security for the data in question Must take ‘reasonable’ steps to ensure reliability of employees Provisions on outsourcing to a data processor (external service provider)  must have a contract made or evidenced in writing  data processor must only operate on instructions from data controller  data processor must comply with obligations equivalent to Principle 7  data controller remains liable for any loss or damage

4. Role of University’s Information Compliance Office Advice, training and guidance on compliance with  DPA and related legislation  Freedom of Information Act 2000  records management best practice Handling access requests under DPA and FOI Act Liaison with Information Commissioner’s Office in case of complaint or breach

5. Role of Information Commissioner (ICO) Independent authority responsible for regulating DPA compliance and other matters Maintains a register of data controllers Promotes good practice Investigates complaints and has power to  conduct audits to assess compliance  issue undertakings committing a data controller to a course of action  issue enforcement notices instructing a data controller to a course of action  issue fines of up to £500k for breaches of DPA

6. ICO Ruling in ‘GhostShell’ Case ICO proactively approached University No formal regulatory action taken as no personal data involved ICO not interested in devolved nature of Cambridge IT provision – any weakness viewed as a weakness of the University as a whole ‘Action required’  technical advice about password hashing  general review of information security provisions to ensure adequacy  situation noted by ICO in case of any future breach

7. Further Information University Information Compliance Office http://www.admin.cam.ac.uk/univ/information/ ICO Information Security pages http://www.ico.org.uk/for_organisations/data_protection/the_guide/princi ple_7.aspx