Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud.

Published byBobby Dome Modified over 10 years ago

Similar presentations

Presentation on theme: "Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud."— Presentation transcript:

1 Data Security Breach Code of Practice

2 Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud providers Data Breach Scandals Evidence inadequate controls

3

4 DPA Security Provisions (S2 & 2C) Appropriate security measures" to prevent "unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data and against their accidental loss or destruction Provide a level of security appropriate to.. the harm that might result … and.. the nature of the data concerned May have regard to the state of technological development and the cost of implementing the measures

5 DPA Code of Practice (S 13) The Commissioner shall…where he or she considers it necessary or desirable to do so (after consultation) …prepare and arrange for the dissemination to such persons as he or she considers appropriate of, codes of practice for guidance as to good practice in dealing with personal data.. Any such code that is so approved of may be laid by the Minister before each House of the Oireachtas and, if each such House passes a resolution approving of it, then… it shall have the force of law in accordance with its terms

6 Why a Code? Protect Rights of Individuals..focus of the Office of the Data Protection Commissioner in such cases is on the rights of the affected data subjects in relation to the processing of their personal data.. (Code) Promote better Data Security Provide DPC with relevant Information to advise Organisations

7 Code Documentation Personal Data Security Breach Code of Practice Breach Notification Guidance Data Security Guidance (Updated) All on www.dataprotection.ie

8 What is Covered?..risk of unauthorised disclosure, loss, destruction or alteration of personal data..(Code)..It is not just lost USB keys/disks/laptops. It may include any loss of control over personal data entrusted to organisations, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals.. (Data Breach Guidance)

9 Informing Data Subjects Key focus of Code:..Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures....In appropriate cases, data controllers should also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions etc.. (Code) [May be delayed at Garda request]

10 Information to Data Subjects Nature of Breach Contact Point Advice to mitigate harm Channel of Communication depends on circumstances Individual Public

11 Initial Report by Data Controller to DPC Within 2 working days of incident by e-mail (preferably), telephone or fax Basic facts and measures being taken Must not include personal data

12 Detailed Report to DPC (if requested) the amount and nature of the personal data that has been compromised; the action being taken to secure and / or recover the personal data that has been compromised; the action being taken to inform those affected by the incident or reasons for the decision not to do so; the action being taken to limit damage or distress to those affected by the incident; a chronology of the events leading up to the loss of control of the personal data; and the measures being taken to prevent repetition of the incident

13 Reporting Exemptions (1) No need to notify Data Subjects or DPC …If the data concerned is protected by technological measures such as to make it unintelligible to any person who is not authorised to access it … (Code) E.G. Laptop with strong password and disk encryption (Breach Notification Guidance)

14 Reporting Exemptions (2) No need to report to DPC if: Reported fully and promptly to Data Subjects and Does not affect more than 100 Data Subjects and Does not include sensitive or financial data Financial: last name plus account or card number If in doubt, report

15 Internal Record-Keeping Summary Report: Brief Description of Incident Why DPC not notified (if applicable) Available for inspection by DPC

16 Data Processors Must report to Data Controller Data Controller to act in accordance with Code

17 Action by DPC May carry out fuller investigation May recommend that Data Subjects be notified (if not already done) Use enforcement powers if necessary

Download ppt "Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud."

Similar presentations

WG 2 (data exchange) 2.1 - During the transitional period and till the Single Authorisation electronic information and communication system is implemented,

WG 2 (data exchange) During the transitional period and till the Single Authorisation electronic information and communication system is implemented,
Identifying Data Protection Issues Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping with, Legal Issues.

Identifying Data Protection Issues Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping with, Legal Issues.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Freedom of Information Act 2000 and the PCT Audit Procedure Background: The Act was passed in November 2000. The Act will be fully in force by January.

Freedom of Information Act 2000 and the PCT Audit Procedure Background: The Act was passed in November The Act will be fully in force by January.
EDUCATION Directive 2002/14/EC of 11 March 2002 establishing a general framework for informing and consulting employees in the European Community.

EDUCATION Directive 2002/14/EC of 11 March 2002 establishing a general framework for informing and consulting employees in the European Community.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.

PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.
Data Protection and the GRA. 1. Commentary on Data Protection 2. The GRA’s Role The Register Investigations, Mediation and Compensation Enforcement Notices.

Data Protection and the GRA. 1. Commentary on Data Protection 2. The GRA’s Role The Register Investigations, Mediation and Compensation Enforcement Notices.
Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and.

Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
Regulatory Body MODIFIED Day 8 – Lecture 3.

Regulatory Body MODIFIED Day 8 – Lecture 3.
Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.

Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.
Training on Data Protection Roles of the Data Protection Office.

Training on Data Protection Roles of the Data Protection Office.
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
The Data Protection Act

The Data Protection Act

Similar presentations

Ads by Google