Published by David Griffin (modified over 3 years ago)
Data Protection: What Are We Doing?
Alan Calder, IT Governance Ltd
NITES, 24 February 2009
© IT Governance Ltd 2006

Welcome
Alan Calder – my background and perspective
–Businessman, not a lawyer
–First ISO accredited certification in 1999
–IT Governance: A Manager's Guide to Data Security and ISO 27001/ISO 27002, 4th Edition (Open University text book)
One-stop shop for IT governance, risk management, compliance and information security:
–Data Breaches: Trends, Costs and Best Practices provides information on data breaches together with a worldwide legal overview and best-practice guidance for staying on the right side of the law
Agenda
–International compliance environment
–Overview of the DPA and current requirements
–Best practice compliance actions
–Enforcement
–Data breaches – the current environment
–A closer look at the UK ICO
–What's going wrong
–Some proposals for improvement
–Questions and answers
International Compliance Environment
–Global information economy
–Internet-based threats – international exposure
–Outsourcing, e-commerce
–EU Data Protection Directive
  National Data Protection Acts
  UK Data Protection Act 1998
–US regulation
  EU Safe Harbor
  Regulations (SEC)
  HIPAA, GLBA, SOX
  SB 1386, OPPA, state-level breach laws
–Canada: PIPEDA
–OECD
–Japan, Australia, South Africa and emerging economies
–Public companies: SOX
–Contractual requirements
  PCI DSS
Data Protection – Europe & UK
–EU Data Protection Directive 1995
–Data Protection Act 1998
  Deals with personal information related to living individuals (data subjects)
–Eight Data Protection Principles
  1. Fairly and lawfully processed;
  2. Fairly and lawfully obtained;
  3. Adequate, relevant and not excessive;
  4. Accurate and up-to-date;
  5. Not kept longer than necessary;
  6. Processed only in accordance with the data subject's rights;
  7. Kept safe and secure (appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data);
  8. Not transferred to a country outside the EU unless there is at least a similar level of data protection available there.
–7th Principle compliance is critical for all EU organizations
–8th Principle affects any business with operations outside the EU
–US Safe Harbor regulations were designed to assist, but very few US corporations meet the requirements
–Intersection with
  Freedom of Information Act
  Human Rights Act
  Regulation of Investigatory Powers Act
Compliance Action & Best Practice
Comply with the 8 principles of the DPA
1. Bring current practices into line with the DPA
  a) Audit of current practices and analysis of the gap between the DPA and current practices
    a) The basics – is your registration up to date?
    b) Identify where information is stored, and how it is classified
    c) Ensure you can respond to an SAR (subject access request)
    d) Assess all mobile devices and the extent of encryption
    e) Assess all technical and procedural aspects of data security management
  b) Remedial action
2. Maintain a DPA compliance regime
  a) Internal audit plan
  b) Staff training and awareness
  c) Incident reporting and resolution
3. Develop an ISO 27001 ISMS – demonstrates best practice in DPA compliance as well as achieving other business and information objectives
4. Prepare for BS 10012, Specification for the Management of Personal Information in compliance with the DPA
Prepare for the worst
Develop and test a data breach response plan
a) Escalation and reporting procedures
b) Breach response team
c) Consider potential remedial measures
d) Prepare a PR and communications plan
e) Review and learning points
All Time Top 10 Data Breaches
1. TJX – 94 million records – outside attack
2. US Dept of Veterans Affairs – 26.5 million records – outside attack
3. HMRC – 25 million records – internal incompetence
4. T-Mobile/Deutsche Telekom – 17 million records – lost disk
5. Archive Systems/Bank of New York – 12.5 million – lost backup tapes
6. GS Caltex – 11 million – lost CD
7. Dai Nippon Printing – 8.6 million – insider theft
8. Certegy Check Services/Fidelity Information Services – 8.5 million – insider theft
9. TD Ameritrade – 6.3 million – outside attack
10. Chilean Ministry of Education – 6 million – outside attack
Source:
Data Breaches – the UK
Breaches since the HMRC incident in Nov 07 (ICO press release 23 April 08):
–Almost 100 data breaches notified
  66% public sector
  30% private sector
  4% voluntary sector
–One third in central government and related agencies
–One fifth in NHS organisations
–Private sector: 50% in financial institutions
Missing information includes:
–Unencrypted laptops, computer discs, memory sticks
–Paper records
–Stolen, lost in the mail and while in transit with a courier
–Includes financial and health details
ICO investigations
–16 organisations required to make procedural changes to improve security
Data Breaches – Ireland
Bank of Ireland
–Lost unencrypted memory stick with the personal details of nearly 1,000 customers (Nov 2008)
Bank of Ireland
–Four unencrypted laptops stolen with the personal records of 10,000 customers (April 2008)
HSE
–Two unencrypted laptops gone missing (Sept 2008)
Dept of Social & Family Affairs
–Laptop with details of 390,000 citizens lost or stolen at the bus stop
Number of Incidents – Trend (chart; data not reproduced in this extract)

Types of Data Breach (chart; data not reproduced in this extract)
The Poynter Report
Two major institutional deficiencies at HMRC:
–Information security simply wasn't a management priority
–HMRC has an organisational design...which did not clearly focus on management accountability
45 separate high-level recommendations
–Stronger policy and procedures
–Stronger authorisation requirements
–Better internal communication
–Education, training and awareness
–New systems
–Hundreds of detailed recommendations
y.gov.uk/d/poynter_review pdf
This slide is published strictly without liability of any sort and does not provide specific legal guidance or advice, and any user must therefore seek legal advice on the DPA and any associated issues from their own professional advisers.
What's going on?
DPA compliance cannot be demonstrated, so there is no way of improving the brand by claiming compliance
DPA non-compliance brings:
–No penalties
–Cost savings
CEOs and top management simply don't care
No clear accountability for data security
Inadequate investment in data security management
–Minimal procedures for fair processing
–Minimal training for data controllers
–Minimal awareness and education for all users
–Inadequate security
  Unencrypted laptops
  Unencrypted removable media
  Inadequate perimeter security
–Minimal supervision and audit of third parties and third party agreements
–PCI non-compliance
Costs of Identity Theft/Fraud
Cybercrime – international $150 billion+ industry
US identity theft up 22% in 2008 (Javelin Strategy & Research 2009 Report)
–9.9 million cases
–Total cost US$48 billion
Success – CIFAS 2008 (www.cifas.org.uk)
–214,000 fraud cases identified
–£848 million losses avoided
ICO Legal Powers
The Information Commissioner's Office has the following powers for enforcing the DPA:
–conduct assessments to check organisations are complying with the Act;
–serve information notices requiring organisations to provide the Information Commissioner's Office with specified information within a certain time period;
–serve enforcement notices and 'stop now' orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
–prosecute those who commit criminal offences under the Act;
–conduct audits to assess whether organisations' processing of personal data follows good practice.
DPA – Criminal Offences
Persistent breaches of the Act
–A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates' court and an unlimited fine in the Crown Court.
–Steps: breach reported, enforcement notice served; only then can failure to comply lead to prosecution and a maximum £5k fine
Notification offences
–A data controller who fails to notify the Information Commissioner's Office of the processing being undertaken, or of any changes to that processing, can be prosecuted. Failure to notify is a strict liability offence. This means that if a data controller has to notify, they must notify. Being unaware of the law is not an excuse.
Unlawful obtaining or disclosing of personal information
–It is a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller.
ICO Data Protection Activity
ICO data protection case load 2008: 25,000 cases
The business areas generating the most complaints are:
–Lenders 33%
–Public sector 18%
  Policing and criminal records 5%
  Central government 5%
  Local government 4%
  Health 4%
–Other 7%
–General business 7%
–Telecoms 5%
–Direct marketing 4%
–Internet 3%
Source: ICO Annual Report
Reporting of breaches
No legal obligation for data controllers to report breaches; the Information Commissioner believes serious breaches should be brought to the attention of his Office
Serious breaches are not defined
Criteria for assessing seriousness:
–Potential harm to data subjects
–Volume of personal data lost/released/corrupted
–Sensitivity of the data lost/released/unlawfully corrupted
DPA Enforcement – ICO Response
ICO published guidance 27 March 2008
What will the Information Commissioner's Office do when a breach is reported?
The nature and seriousness of the breach and the adequacy of any remedial action will be assessed and a course of action determined. The ICO may:
–Record the breach and take no further action, or
–Investigate the circumstances of the breach and any remedial action.
–This could lead to:
  1. no further action, or
  2. a requirement on the data controller to undertake a course of action to prevent further breaches, and/or
  3. formal enforcement action turning such a requirement into a legal obligation
The Information Commissioner does not have the power to impose a fine or other penalty as punishment for a breach. The regulator's powers only extend to imposing obligations as to future conduct.
ICO Approach to Enforcement
ICO published guidance 27 March 2008
"We do not see it as our responsibility to publicise security breaches not already in the public domain or to inform any individuals affected. In so far as they arise these are the responsibilities of the data controller. However, the ICO may recommend the data controller to make a breach public where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so."
"Where the Information Commissioner takes regulatory action, it is policy to publicise such action, unless there are exceptional reasons not to do so. This policy on publication extends to any formal undertakings provided to the Commissioner by a data controller."
"However the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public. Such a need is most likely to arise where the circumstances of the breach are already in the public domain."
ICO Achievements
Enforcement notices for data protection breaches
–Carphone Warehouse
–Greater Manchester Police
–Humberside Police
–Lothian and Borders Police
–Marks & Spencer
–Northumbria Police
–Staffordshire Police
–Talk Talk Telecom
–West Midlands Police
9 formal undertakings not to breach the DPA
–Dipesh Ltd
–Littlewoods Shop Direct Home Shopping
–Orange Personal Communications Services Limited
–Phones 4 U
–Skipton Financial Services
–Sunfield
–The Department of Health
–The Foreign and Commonwealth Office
–The Northern Ireland Office
ICO – New Enforcement Powers
Criminal Justice and Immigration Act – royal assent in April 08 – two relevant clauses:
1. Increases penalties for data theft and trading in stolen information to a prison sentence
–Requires a Ministerial order and resolutions from both Houses to come into force
–ICO will first have to prove that the trade in stolen information is widespread and pervasive
2. Gives the ICO powers to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the DPA
–Substantial: Nationwide £980k, Norwich Union £1.26m from the FSA
–Ministry of Justice now determining the level of fines
–Not retrospective
–No custodial sentence (but Opposition parties were narrowly prevented from bringing this in!)
Comparative budgets & resources
                       HSE             ICO
Front line staff       1,325           [not captured]
Total staff            3,[truncated]   [not captured]
Total annual budget    £214 million    17 million (DPA & FOI)
Date of report         1 April [year not captured]
What needs to happen?
1. ICO needs a real budget, with real resources – £200 million+
2. ICO needs powers to inspect and fine
3. BS 10012 compliance should be explicitly recognised as DPA compliance
4. Loss of personal data on an unencrypted laptop or removable media should be prima facie evidence of reckless disregard of the DPA
5. Data breach legislation
  1. With central notification
  2. With cost indemnity and full support for victims
6. Custodial sentences for reckless breaches – for CEOs and senior civil servants
7. Custodial sentences for data theft and trading in stolen data
THANK YOU!
Questions and Answers