Presentation on theme: "Data Protection Compliance Essentials"— Presentation transcript:
Slide 1: Data Protection Compliance Essentials
Philip Brining, Absolute Data

Up until a few weeks ago I hadn’t been back to LGS since 1985, the year after I left. It’s good to be here and thank you for the invitation. Speaking with Helen Clapham, she suggested that the GSAL network might find a session on Data Protection useful and interesting, and that the title “DP Compliance Essentials” would be appropriate. Will it be more exciting than England v France? Here goes!
Slide 2: Agenda
- Welcome and Introductions
- Absolute Data
- What is data protection?
- The Data Protection Act (1998)
- The Privacy and Electronic Communications Regulations (2011)
- Overview of Breaches
- Powers of the ICO
- What You Can Do to Comply
- WIIFM (What’s In It For Me)
- Questions and Close
Slide 3: Welcome & Introductions
- Names, organisations, roles
- Expectations from this session

Too many people here to cover everyone:
- Who has day-to-day responsibility for data protection?
- Who has high-level management responsibility for data protection?
- Who is familiar with DP?
- Has anyone, or their company, had issues with DP compliance?
- Who is here to get a general awareness of DP?
- Who is here for something specific relating to DP? What is it?
- Is anyone here for any other reason?
Slide 4: Absolute Data Limited
Our background: 10+ years’ experience of providing practical advice, information and guidance to a variety of organisations in the public, private and third sectors in respect of information governance, data protection and privacy.

Services: Data Strategy, Data Services, Data Systems, Data Compliance.

It’s all linked together. Strategy determines appetite for risk and therefore the approach to compliance; it sets a “where are we now” baseline position, including what data we have, where it is, who has access to it, what state it is in and so on. Data strategy also determines IT strategy: how we need to use data, where, access control and so on, which in turn determines the technology platform. Often this is not even a consideration for companies. Data work often falls out of, and is a result of, IT strategy, HR strategy or marketing strategy, and that is why many DP problems occur: IT systems that are too lax with insufficient controls, marketing campaigns with non-compliant data collection techniques, HR policies that don’t correlate with the requirements of DP law or guidance. Enough said; moving on.
Slide 6: Data Protection Compliance
- Data Protection Act (1998)
- Privacy and Electronic Communications Regulations (2011)
- Freedom of Information Act (2000)
- CCTV, phone monitoring, Human Rights Act
Slide 7: Overview
DPA (1998):
- Public register of data controllers
- 8 Principles
- Rights of data subjects
- Defines “data” under the scope of the legislation
- European-wide

PECR (2011):
- Rules regarding e-comms (text, email, phone etc.)
- Suppression lists (opting out)
- Cookies (educate, consent)

As a lightning overview, key points about these two acts:

DPA: defines data within its scope, sets out the obligations of those processing data and what sorts of “processing” are within its scope, and sets out the rights of individuals. It’s pan-European, but there are significant variances between the UK interpretation of the EU Data Protection Directive and those of other member states. In a recent survey, Britain came 21st out of 26 in terms of the toughness of its DP regime, i.e. we’re one of the easiest, most lenient regimes. It’s a good model that has been adopted by other countries: Isle of Man, India.

PECR: the purpose of including this is the revision to the law regarding cookies. Does everyone know what cookies are? Small text files placed on computer and smartphone hard drives, used:
- To remember settings and preferences
- To record web site errors and visitor statistics
- To track which web sites you visit, what you search for etc., and to use this information to target specific advertising to you.
Slide 8: What exactly is the Data Protection Act?
“The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. The Information Commissioner’s Office (ICO) is the UK’s independent authority who upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (ICO, 2009).
Slide 9: What is classified as “Data”?
The Data Protection Act defines Data, and Personal Data, and further differentiates between Personal Data and Sensitive Personal Data.

Data means information which:
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

Personal data means Data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Organisations are prohibited from processing sensitive personal data unless they can prove why it is necessary and can satisfy the Act’s “Conditions for Processing” rules.

Data is broadly defined; processing is all-encompassing.
Slide 10: Examples of Personal Data?
1. Database containing names and addresses of UK customers
2. Paper files containing names and addresses of Japanese shareholders
3. Data capture forms
4. List of customers’ mobile phone numbers emailed from one employee to another
5. List of prospects’ database reference numbers emailed to a supplier
6. Customer services digital telephone recordings
7. Tapes containing CCTV footage outside your offices
8. Excel spreadsheet containing your personal Christmas card list
9. Database of vehicle licence plates passing through your property
10. Private notes written on a CV about an interview candidate

Notes on the examples:
- 1 & 2: Paper forms are not exempt, especially if there is or was intent to capture the data into a database.
- 3: Structured filing system. Recent case of a lost paper file, London Borough of Barnet, £70k: “it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe.” The ICO says they included “highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people.”
- 4 & 5: Personal data when coupled with other data.
- 6: Voices.
- 7: Images, including photographs (JK Rowling case).
- 8: What if you were a sole trader?
- 9: Possibly, but err on the side of caution.
- 10: Definitely, and disclosable in a Subject Access Request (SAR).
Slide 11: The Register of Data Controllers
Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers, which is available to the public for inspection.

Not all organisations have to notify; there are some exemptions, but it’s an offence not to notify if you are not exempt. Exemption is tightly defined:
- Accounts and record keeping
- Staff administration (including payroll)
- Marketing, advertising and PR in connection with your own business activity

I find the ICO rather woolly on this point. Not-for-profit organisations, e.g. a sailing club, might be exempt, but the RYA advises them to notify. Exemption from notification does not mean exemption from complying with the DPA.
Slide 12: 8 principles. Data must be...
1. Processed fairly and lawfully
2. Processed for specific purposes and in appropriate ways
3. Adequate, relevant and sufficient in relation to the purposes for which it is processed
4. Kept accurate and up to date
5. Kept only for as long as necessary
6. Processed in line with an individual’s rights
7. Protected by sufficient technical and organisational measures
8. Only transmitted to countries that have sufficient data protection controls

The Act uses language like appropriate, adequate, proportionate, necessary, as long as necessary, sufficient. That’s great, because it’s a matter of case law and opinion: go through the correct process and there is a lot that you can do. This is contrary to the popular belief that the DPA is a nightmare, a complex, unhelpful, rigid set of rules. But the word to focus on is PROCESS.

Again, just as a lack of strategy is a weakness, so too is a lack of process around DP compliance. The ICO has published a framework for Privacy Impact Assessment and for internal audit of DP arrangements. There are few companies I have worked with or chatted to who have robust and well-defined operating procedures relating to DP (we deal mainly with SMEs, many in sport), but at conferences local authorities and large corporations admit to being poorly organised in this area. And one of my big frustrations is that many people think that Data Protection starts and stops with IT security.

Shall we zip through the 8 principles?
Slide 13: Principles of the DPA, 1st Principle
Personal information must be FAIRLY and LAWFULLY processed.
- Legitimate use
- Transparency
- Privacy Notices
- Fair processing

Are you doing what you say you are doing?
Slide 15: Principles of the DPA, 3rd Principle
Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
- What is the data used for?
- The nature of the information held
- How was the data obtained?
- Is all the data needed?

QUESTION: What data is required for the process of profiling? Or segmentation? Lifestyle data (newspaper readership, car driven, supermarket shopped at, MOSAIC, salary, credit rating …): is this relevant data?
Slide 16: Principles of the DPA, 4th Principle
Personal data shall be accurate and, where necessary, kept up to date.
- Ensure clarity about where the data was obtained
- Consider whether accuracy might be challenged
- Does this data need regular updating?

How do you police this? What if you are supplied inaccurate data? What strategies do you use to keep data accurate? QAS, dedupe etc.
Slide 17: Principles of the DPA, 5th Principle
Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes.
- Reviewing / auditing your data regularly
- Establishing retention periods
- Current and future value of your data
- Keeping shared information

How long is necessary? Different types of data, different purposes etc. NO GUIDANCE ON THIS AT ALL. What about backups? What about data you have sent out to others, e.g. data processors?
Slide 18: Principles of the DPA, 6th Principle
Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Subject Access Requests
- Direct marketing
- Amend or destroy

SARs are VERY BROAD: 30 calendar days, clock ticking. It depends on who has made the SAR; employees will have a better oversight of data that might fall under the scope of an SAR. Cynical view: how do they know you have supplied everything? You need to be organised, and you need to know where your data is: work out in advance your SAR policy, procedure and scope. Front-line staff need to be able to recognise an SAR and know what to do about it. ANYONE HAD EXPERIENCE OF SARs? £10 fee.

Right to stop you direct marketing to them. Right to have you amend or destroy data, e.g. credit rating.
Slide 19: Principles of the DPA, 7th Principle
Appropriate technical or organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Who is responsible for your company’s data security?
- Physical and technical security measures, i.e. locked cupboards, data encryption
- Sharing data with 3rd parties
- Technical and organisational

QUESTION: Shout out some technical measures.
Technical = firewalls, virus scanning, server plan, encryption, backups.
Organisational = doors locked, video monitoring, policies, training.
Who is responsible? Third parties: YOU are the data controller.
Slide 20: Principles of the DPA, 8th Principle
Personal data shall not be transferred to a country or territory outside of the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Does your data get processed outside of the UK?

Adequate levels of protection outside the EEA: Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland.

QUESTION: hands up if you export data or transfer data out of the EEA? What sort of processing?

EEA = EU + Norway, Iceland & Liechtenstein: Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.

Is everyone else confident that their data does not leave the EEA? Consider cloud computing, backups, payroll processing, call centres, suppliers and customers, web sites, emails … travel agents, flight bookings. USA: Safe Harbor. India: call centres. Isle of Man.
Slide 21: How The DPA Can Be Breached!
NB: These are not mutually exclusive!
- Sending personal information to the wrong recipient (emails and attachments)
- Failing to keep sensitive personal information secure
- Loss of unencrypted PCs/laptops/memory sticks etc. containing personal information
- Loss of manual records containing personal information
- Illegally obtaining personal information
- Illegally selling on personal information (or your staff selling it on)
- Inappropriate access to records containing personal information
- Inappropriate and inadequate security on systems, websites and transmitted data
- Inappropriate disposal of IT equipment, manual records etc.
- Inadequate training of staff
- Inadequate policies and procedures
- Making unsolicited marketing calls
- Not having an up-to-date Notification
Slide 22: Privacy and Electronic Communications Regulations (2011)
Sets out rules regarding the use of:
- Cookies
- Traffic data
- Location data
- CLI (Calling Line Identification)
- ACD (Automated Call Distribution)
- Itemised billing
- Directory of subscribers (and ex-directory)

Really here to look at cookies. Obligations in 2003: educate people about cookies and allow people to opt out of cookies (browser based). 2011: you now need to obtain consent before you place the cookie. There are exemptions. Four types of cookie:
- Strictly necessary
- Performance, e.g. web stats, errors (anonymised data)
- Functionality, e.g. font size, remembered settings
- Tracking

Approach: audit what you have and what it does. Decide if cookies are necessary. Work out how you will gain consent. Publish sufficient plain-English guidance to your web site users.
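As an added illustration (not part of the original slides), the following consent gate models the 2011 position described above: a cookie is placed only after the visitor has consented to its category, with the strictly necessary category exempt, and every refused attempt is logged for the audit the slide recommends. The cookie names, the register mapping them to categories, and the in-memory jar standing in for document.cookie are all constructed for the demonstration.

```javascript
// Added example: consent gate for cookie placement under PECR 2011 rules.
// The jar is an in-memory stand-in for document.cookie so this runs offline.

// The four cookie categories from the slide. Only the first is exempt from consent.
const CATEGORIES = Object.freeze({
  STRICTLY_NECESSARY: "strictly-necessary",
  PERFORMANCE: "performance",
  FUNCTIONALITY: "functionality",
  TRACKING: "tracking",
});

// Constructed cookie audit register: what each cookie on the site is for.
// Auditing what you set and why is the first step the slide recommends.
const COOKIE_REGISTER = Object.freeze({
  session_id: CATEGORIES.STRICTLY_NECESSARY, // keeps the visitor logged in
  font_size: CATEGORIES.FUNCTIONALITY,       // remembers a display setting
  stats_uid: CATEGORIES.PERFORMANCE,         // anonymised visitor statistics
  ad_profile: CATEGORIES.TRACKING,           // advertising profile
});

class ConsentGate {
  constructor(register = COOKIE_REGISTER) {
    this.register = register;
    this.consented = new Set(); // categories the visitor has opted in to
    this.jar = new Map();       // stand-in for document.cookie
    this.refused = [];          // audit trail of placements blocked by the gate
  }

  // Record the visitor's choice. Strictly necessary cookies never need consent,
  // so that category is ignored if it is passed in.
  grantConsent(categories) {
    for (const c of categories) {
      if (!Object.values(CATEGORIES).includes(c)) throw new Error(`unknown category: ${c}`);
      if (c !== CATEGORIES.STRICTLY_NECESSARY) this.consented.add(c);
    }
  }

  // Withdrawing consent also removes cookies already placed under it.
  withdrawConsent(category) {
    this.consented.delete(category);
    for (const [name, cat] of Object.entries(this.register)) {
      if (cat === category) this.jar.delete(name);
    }
  }

  // True if this cookie may be placed right now. A cookie missing from the
  // register has not been audited, so it is never allowed.
  allowed(name) {
    const category = this.register[name];
    if (category === undefined) return false;
    return category === CATEGORIES.STRICTLY_NECESSARY || this.consented.has(category);
  }

  // The only path that writes to the jar, so the consent check cannot be skipped.
  setCookie(name, value) {
    if (!this.allowed(name)) {
      this.refused.push({ name, category: this.register[name] ?? "unregistered" });
      return false;
    }
    this.jar.set(name, value);
    return true;
  }

  // Audit view: which categories are currently present in the jar.
  placedCategories() {
    return [...new Set([...this.jar.keys()].map((n) => this.register[n]))].sort();
  }
}

// Walk through one visit: before consent, after partial consent, after withdrawal.
function demoVisit() {
  const gate = new ConsentGate();
  const names = ["session_id", "font_size", "stats_uid", "ad_profile"];
  const beforeConsent = names.map((n) => gate.setCookie(n, "v1"));
  gate.grantConsent([CATEGORIES.FUNCTIONALITY, CATEGORIES.PERFORMANCE]);
  const afterPartial = names.slice(1).map((n) => gate.setCookie(n, "v2"));
  gate.withdrawConsent(CATEGORIES.PERFORMANCE);
  return { beforeConsent, afterPartial, gate };
}
```

Before consent only the session cookie is placed; after the visitor opts in to functionality and performance cookies the tracking cookie is still refused, and withdrawing performance consent removes the statistics cookie again.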
Slide 23: How The PECR Can Be Breached!
NB: These are not mutually exclusive!
- Unsolicited “cold” calling
- Unsolicited email or SMS broadcasting
- Failure to gain consent to contact electronically
- Calling TPS-registered or mailing MPS-registered people
- Using cookies without first gaining consent
- Poor ACD settings, contact centre call handling
Slide 24: The ICO And Its Powers
- Serve information notices requiring organisations to provide the ICO with specified information within a certain time period;
- Issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
- Serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
- Conduct consensual assessments (audits) to check organisations are complying;
- Serve assessment notices to conduct compulsory audits to assess whether organisations’ processing of personal data follows good practice (data protection only);
- Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010 or serious breaches of the Privacy and Electronic Communications Regulations;
- Prosecute those who commit criminal offences under the Act; and
- Report to Parliament on data protection issues of concern.
Slide 25: Example Actions
- Brighton and Sussex University Hospitals Trust: £325,000 fine for the theft of computer hard drives that were sold on eBay. June 2012.
- London Borough of Barnet: £70,000 fine for theft of paper files from an employee’s home. April 2012.
- Usha Patwal: given a two-year conditional discharge and ordered to pay £614 prosecution costs for unlawfully accessing her sister-in-law’s medical records. December 2011.
- Merfyn Pugh Estate Agents: given a conditional discharge of six months and ordered to pay £614 prosecution costs for failure to notify. December 2011.
- Phoenix Nursery School, Wolverhampton: signed an undertaking for losing a backup tape containing the personal details of 70 pupils and their parents or guardians. November 2011.
- ACS Law, Spectrum Housing, North Somerset Council, Newcastle Youth Offending Team, Lush Cosmetics …

Notes on the cases:
- Brighton and Sussex: the hard drives were taken away by a contractor and not all were destroyed.
- Barnet: paper files stolen.
- Patwal: the sister-in-law, who worked as a receptionist in a surgery, rang a hospital posing as a medical practitioner to gain access to medication records, then texted her sister-in-law; the texts contained information that suggested a knowledge of the medication. The medical practice was held harmless.
- Merfyn Pugh: one of two cases. The ICO has target industries: estate agents, private care, telecoms, legal firms, insurance.
- Phoenix Nursery: you don’t have to lose lots of data to fall foul.
- ACS Law: victim of hacking.
- Spectrum: emailing pension contributions to the wrong person.
- North Somerset, £60,000: the wrong NHS employee received highly sensitive and confidential information relating to a child’s serious case review. Having been informed of the error, the employee sending the emails then continued to send emails to the wrong recipient a further three times.
- Newcastle Youth Offending: loss by a contractor of a laptop.
- Lush: hacking of credit card details.

MAINLY PROCESS FAILURE. EVEN THE TECH FAILURES OFTEN HAVE UNDERLYING ORGANISATIONAL CAUSES, E.G. NO TESTING OF PROCEDURES.
Slide 30: Other Cases
- Oliver Letwin: dumping papers
- HMRC: loss of 25 million records
- Sony: hacking of 77 million credit card records
- A4E Ltd: theft of unencrypted laptop
- T-Mobile: theft of phone contract details
- Marc Ben-Ezra: theft and re-sale of 65,000 gamblers’ records
- HSBC: bank employee stole account details of 24,000 people
- Association of School and College Leaders: theft of laptop from home
- Holly Park School: unencrypted laptop stolen from an unlocked office
- Dartford and Gravesham NHS Trust: accidentally destroying 10,000 archived records
- Zurich Financial Services: £2.275 million fine, 46k records
- Google Inc: harvesting of WiFi data
- News of the World
- Worcestershire County Council

You will remember many of these. Also Vince Cable. Breach notification: HSBC took 3 years to admit the theft. HMRC bought some of that data, on people living in Liechtenstein, for £100k.

"We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy," said Alexandre Zeller, chief executive of HSBC Private Bank (Suisse). "We are determined to protect our clients' interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts," he said. Mr Zeller said, however, that it was "still unclear how Falciani managed to steal the information". HSBC said that the account holders were based in several European countries, including Britain.

This is thought to have led to some bank employees stealing account data and passing it to tax authorities. In Germany, an anonymous informer has offered to sell data stolen from an unnamed Swiss bank to tax officials. Previously, Germany bought similar stolen data about clients of a bank in Liechtenstein. Some of this information was handed to tax authorities in the UK, which is also thought to have paid for the data. French tax authorities are thought to be investigating up to 3,000 of its nationals using bank accounts outside the country. Government authorities have defended paying for stolen data as in the public interest. However, the practice has been strongly criticised. The UK's Revenue & Customs (HMRC) office paid around £100,000 for information about its taxpayers with bank accounts in Liechtenstein, according to accountants UHY Hacker Young.

"Paying criminals for data stolen from banks is highly questionable," said the firm's tax partner, Roy Maugham. "If people know that there is a market for this data, they will steal it in expectation that HMRC or another tax authority will hand over a six figure sum," he said.
Slide 31: What steps can I take in order to comply?
- Appoint a senior person to be responsible;
- Know what data you have, where it is, who has access to it;
- Correct ICO Notification(s);
- Think about and uphold the 8 Principles;
- Privacy Notices;
- Document key policies, procedures & processes (e.g. breach policy);
- Audit data security and implement technical & organisational measures;
- Staff training and regular awareness raising: start a DP dialogue and integrate it into business as normal;
- Review, auditing & testing: monitor compliance;
- Privacy by design;
- System for information governance;
- External accreditation: ISO27001 / BS10012;
- Seek specialist help.
Slide 32: What’s In It For Me
- Fines and regulatory action
- Negative PR / reputational damage
- Industrial espionage / theft by employees
- Is data your biggest asset?
- Risk management: a modern / better way of doing business
- Build trust and loyalty of customers
- Win B2B or government contracts
- Positive point of difference from competitors
- Staff morale
- Plan for the 2014 legislation: mandatory breach notification, European harmonisation, responsible person, powers of inspection, prohibition orders, bigger fines, custodial sentences.

The negatives are the top four; make them into a positive.
Slide 34: Thank you
Philip Brining, Absolute Data Limited
Slide 35: Case Studies
- ACS Law
- Spectrum Housing
- Lush Cosmetics
- North Somerset County Council
- Newcastle Youth Offending Team
Slide 36: Case Study 1, ACS Law
Which data protection principles have been compromised?
- Principle 7: The main issue highlighted in this case study is that ACS Law did not have appropriate security measures in place.
- Principles 3, 4: Questions could be raised regarding the relevance and accuracy of the data being used by the firm.
- Principle 6: Due to the sensitive nature of the data in question, and questions about how reliable the data was, Principle 6 was compromised: was the data processed in accordance with the rights of the data subjects?
Slide 37: ACS Law Avoidance Measures
- Recognise risk: know your enemy and recognise risk. Organised groups of people with a lot to lose through ACS’ activities.
- DP procedures: penetration testing and routine auditing of DP arrangements would have flagged up serious issues.
- Know your data: very sensitive personal data that would cause distress and damage if it were to be compromised.
- Buy in expertise: third-party specialist firms would have identified areas of concern and helped ACS Law avoid issues, or at least mitigate the effects of a security incident.
Slide 38: Case Study 2, Spectrum Housing
Which data protection principles have been compromised?
- Principle 2: The data should never have been emailed in an Excel spreadsheet format, thus the Act was automatically breached.
- Principle 7: As well as the document being emailed in the wrong format, it wasn’t encrypted either, meaning a compromise of Principle 7.
- Principle 1: Both of the above have meant that the data wasn’t processed fairly or lawfully.
Slide 39: Case Study 2, Spectrum Housing Avoidance Measures
- Training: staff should be aware that this practice is risky and to be avoided, and that there is a safer procedure.
- DP procedures: routine auditing of DP arrangements would have flagged up poor practice and lack of awareness.
- IT measures: protecting Excel sheets is easy and free! Consider other means of transferring the data.
- Buy in expertise: third-party specialist firms would have identified areas of concern and helped Spectrum Housing identify risks.
Slide 40: Case Study 3, Lush
Which data protection principles have been compromised?
- Principle 7: The fact that the data wasn’t regularly security-checked and staff were not trained sufficiently in this area of data protection meant that Principle 7 was compromised.
- Principle 1: The result of Principle 7 being compromised meant that Principle 1 was compromised too, because the data wasn’t processed fairly or lawfully.
- Principles 4, 5: Because Lush “failed to do regular security checks and did not fully meet industry standards relating to card payment security”, questions need to be asked as to whether the data was kept accurate, up to date, and only for as long as necessary.
Slide 41: Case Study 3, Lush Avoidance Measures
- Recognise risk: it is easier and more efficient to steal credit card details from retailers than from consumers.
- DP procedures: penetration testing, security incident logging, and routine auditing of DP arrangements would have flagged up serious issues.
- Know your data: PCI DSS data is valuable and subject to criminal activity.
- Buy in expertise: third-party specialist firms would have identified areas of concern and ensured that Lush avoided, or at least mitigated, the effects of a security incident. The PCI DSS standard sets out acceptable procedures.
Slide 42: Case Study 4, Worcestershire and North Somerset Councils
Which data protection principles have been compromised?
- Principle 7: Lack of encryption measures and staff training in the communication of sensitive personal data meant that the councils were left open to (a) breach(es).
- Principle 1: As a result of the lack of training / technical measures, the data was not fairly nor lawfully processed, leading to a compromise of this principle.
- Principle 6: Because both of the above principles were compromised, Principle 6 was also compromised: the data subjects’ rights were not considered.
Slide 43: Case Study 4, Worcestershire and North Somerset Councils Avoidance Measures
- Training: train staff and undertake regular awareness raising on the key issues within your business and their job scope.
- DP procedures: document the way to undertake certain tasks. Don’t leave it to chance or “common sense”.
- Know your data: sensitive data needs special measures.
- Buy in expertise: third-party specialist firms would have identified repeated procedural failures and heightened risk.
Slide 44: Case Study 5, Newcastle Youth Offending Team
Which data protection principles have been compromised?
- Principle 7: Lack of encryption measures and staff training in the communication of sensitive personal data meant that the Youth Offending Team were left open to (a) breach(es).
- Principle 1: As a result of the lack of training / technical measures, the data was not fairly nor lawfully processed, leading to a compromise of this principle.
Slide 45: Case Study 5, Newcastle Youth Offending Team Avoidance Measures
- DP agreements: ensure third parties are subject to data processor or data sharing agreements.
- Due diligence: ensure that third parties also have sufficient measures in place to protect data YOU are responsible for, and audit them or have them audited by a specialist.
- Awareness: ensure that all staff are aware of the risks and your procedures.
- Buy in expertise: third-party specialist firms would have identified areas of concern and/or undertaken a sub-contractor inspection.