1. Data Protection Compliance Essentials
Philip Brining, Absolute Data
Data Protection Compliance Essentials
Up until a few weeks ago I hadn’t been back to LGS since 1985, the year after I left. It’s good to be here and thank you for the invitation.
Speaking with Helen Clapham she suggested that the GSAL network might find a session on Data Protection useful and interesting – that a title DP Compliance Essentials would be appropriate. Will it be more exciting than England v France? Here goes!

2. Agenda Welcome and Introductions Absolute Data
What is data protection?
The Data Protection Act (1998)
The Privacy and Electronic Communications Regulations (2011)
Overview of Breaches
Powers of the ICO
What You Can Do to Comply
WIIFM
Questions and Close

3. Welcome & Introductions
Names, Organisations, Roles
Expectations from this session
Too many people here to cover everyone:
Who has day to day responsibility for data protection?
Who has high level management responsibility for data protection?
Who is familiar with DP?
Anyone or their company had issues with DP Compliance?
Who is here to get a general awareness of DP?
Who is here for something specific relating to DP? – what is it?
Anyone here for any other reason?

4. Absolute Data Limited OUR BACKGROUND
10+ years experience of providing practical advice, information and guidance to a variety of organisations in the public, private and third sector in respect of information governance, data protection and privacy.
It’s all linked together – strategy determines appetite for risk and therefore approach to compliance - it sets a “where are we now” basal position including what data have we got, where is it, who has access to it, what state is it in etc.
Data strategy also determines IT strategy – how do we need to use data, where, access control etc – that determines tech platform etc.
Often it’s not even a consideration of companies – data work often falls out of and is a result of IT strategy, HR or marketing strategy – and that’s why many DP problems occur.
IT systems that are too lax with insufficient controls, marketing campaigns with non compliant data collection techniques, HR policies that don’t correlate with the requirements of DP law or guidance.
Enough said – moving on.
Data Strategy
Data Services
Data Systems
Data Compliance

5. Data Protection Compliance
Data Protection Act (1998)
Privacy and Electronic Communications Regulations (2011)
Freedom of Information Act (2000)
CCTV, Phone Monitoring, Human Rights Act
There are several legal instruments that set out data protection law – we’re going to concentrate on DPA - we’ll touch on PECR only really because of the recent changes about the use of cookies by web site operators. FOIA in the main only affects public bodies. State schools are covered – private schools are not covered.

6. Data Protection Compliance
Data Protection Act (1998)
Privacy and Electronic Communications Regulations (2011)
Freedom of Information Act (2000)
CCTV, Phone Monitoring, Human Rights Act

7. Overview DPA (1998) Public register of data controllers 8 Principles
Rights of data subjects
Defines “data” under the scope of the legislation
European-wide
PECR (2011)
Rules regarding e-comms (text, , phone etc.)
Suppression lists (opting out)
Cookies (educate, consent)
As a lightning overview key points about these two acts:
DPA – defines data within its scope, sets out obligations of those processing data and defines what sorts of “processing” are within its scope, and sets out the rights of individuals. It’s pan European but there are significant variances between the UK interpretation of the EU Data Protection Directive, and those of other member states..
In a recent survey, Britain came 21st out of 26 in terms of the toughness of its DP regime. I.E. we’re one of the easiest, most lenient regimes.
It’s a good model that has been adopted by other countries – Isle of Man, India
PECR - the purpose of including this is because of the revisions to the law regarding Cookies. Everyone know what cookies are?
Small text files placed on computer and smart phone HDDs used:
To remember settings and preferences
To record web site errors and visitor statistics
To track which web sites you visit, what you search for etc and to use this information to target specific advertising to you.

8. What exactly is the Data Protection Act?
“The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data.
The Information Commissioner’s Office (ICO) is the UK’s independent authority who upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (ICO, 2009).

9. What is classified as “Data”?
The Data Protection Act defines Data, and Personal Data, and further differentiates between Personal Data and Sensitive Personal Data.
Data means information which –
is being processed by means of equipment operating automatically in response to instructions given for that purpose,
is recorded with the intention that it should be processed by means of such equipment,
is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).
Personal data means Data which relate to a living individual who can be identified –
from those data, or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Organisations are prohibited from processing sensitive personal data unless they can prove why it is necessary and can satisfy the Act’s “Conditions for Processing” rules.
Data is all broadly defined
Processing is all encompassing

10. Examples of Personal Data?
Database containing names and addresses of UK customers
Paper files containing names and addresses of Japanese shareholders
Data capture forms
List of customers’ mobile phone numbers ed from one employee to another
List of prospects’ database reference numbers ed to a supplier
Customer services digital telephone recordings
Tapes containing CCTV footage outside your offices
Excel spread sheet containing your personal Christmas card list
Database of vehicle license plates passing through your property
Private notes written on a CV about an interview candidate 1
2 Paper forms are not exempt – esp if there is/was intent to capture into a database
3 Structured filing system – recent case of a lost paper file London Borough of
Barnet £70k – " it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. The ICO says they included "highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people.“
4 &5coupled with other data
6 voices
7 images including photographs – JK Rowling case
8 what if you were a sole trader?
9 possibly but err on the side of caution
10 definitely – disclosable in an Subject Access Request (SAR)

11. The Register of Data Controllers
Notification is the process by which a data controller gives the ICO details about their processing of personal information.
The ICO publishes certain details in the register of data controllers, which is available to the public for inspection.
Not all orgs have to notify – some exemptions – but it’s an offence not to if you are not exempt.
Exemption is tightly defined.
Accounts and record keeping
Staff administration (including payroll)
Marketing, advertising and pr in connection with your own business activity
I find the ICO rather woolly on this point.
Not for Profit Orgs – eg sailing club – might be exempt but RYA advises to notify.
Exemption from notification does not mean exemption from complying with the DPA

12. 8 principles - data must be...
Processed fairly and lawfully
Processed for specific purposes and in appropriate ways
Adequate, relevant and sufficient in relation to the purposes for which it is processed
Kept accurate and up-to-date
Kept only for as long as necessary
Processed in line with an individual’s rights
Protected by sufficient technical and organisational measures
Only transmitted to countries that have sufficient data protection controls
Uses language like appropriate, adequate, proportionate, necessary, as long as necessary, sufficient
That’s great because it’s a matter of case law and opinion. Go through the correct process and there is a lot that you can do.
This is contrary to popular belief that DPA is a nightmare, complex, unhelpful, rigid set of rules etc.
But the word to focus on is PROCESS.
Again just as lack of strategy is a weakness so too is a lack of process around DP compliance. The ICO has published a framework for Privacy Impact Assessment, and internal audit of DP arrangements. There are few companies I have worked with or chatted to who have robust and well defined operating procedures relating to DP (we deal mainly with SMEs and many in sport) but at conferences local authorities, and large corporations admit to being poorly organised organisationally in this area. And one of my big frustrations is that many people think that Data Protection starts and stops with IT security.
Shall we zip through the 8 principles?

13. Personal information must be FAIRLY and LAWFULLY processed
Principles of the DPA
1st Principle
Personal information must be FAIRLY and LAWFULLY processed
Legitimate use
Transparency
Privacy Notices
Fair processing
Are you doing what you say you are doing?

14. Principles of the DPA 2nd Principle
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.
Be clear as to your reasons
Notify the ICO
Ensure prior consent
One OR MORE – but you need to know what processing you are doing right across the org – you need to break down business process into data processes. You need to ensure you have notified the purposes, that the privacy policy covers this sort of processing, that people are informed at the point of data capture – and what if you introduce NEW processing to data already held? Eg new technology etc
PIA (Privacy Impact Assessment)
Perhaps provide an informational piece out to customers
Work out a comms strategy if you want to change what you do with people’s data
Plan ahead – maybe a 6 month programme to change:
Notification
Privacy policy
Fair Processing Notice(s)
Web sites
T&Cs
Comms out to customers with option to opt out (or in) to the new processing
ETC
Plan ahead – there is a LOT that is possible. The DPA is not designed to be restrictive to legitimate business practice – according to the ICO.

15. Principles of the DPA 3rd Principle
Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed
What is the data used for?
The nature of the information held
How was the data obtained?
Is all the data needed?
QUESTION:- What data is required for the process of profiling? Or segmentation?
Lifestyle data – newspaper readership, car driven, supermarket shopped at, MOSAIC, salary, credit rating ….? Is this relevant data?

16. Personal data shall be accurate, and where necessary, kept up to date.
Principles of the DPA
4th Principle
Personal data shall be accurate, and where necessary, kept up to date.
Ensure clarity in where the data was obtained
Consider if accuracy might be challenged
Does this data need regularly updating?
How do you police this? What if you are supplied inaccurate data? What strategies do you use to keep data accurate?
QAS, dedupe etc

17. Principles of the DPA 5th Principle
Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes.
Reviewing / auditing your data regularly
Establishing retention periods
Current and future value of your data
Keeping shared information
How long is necessary? Different types of data, different purposes etc – NO GUIDANCE ON THIS AT ALL. What about back ups – what about data you have sent out to others – eg data processors?

18. Principles of the DPA 6th Principle
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Subject Access Requests
Direct marketing
Amend or destroy
SARs – VERY BROAD – 30 calendar days, clock ticking. Depends on who has made the SAR? Employees will have a better oversight of data that might fall under the scope of an SAR.
Cynical view – how do they know you have supplied everything?
Need to be organised
Need to know where your data is – work out in advance SAR policy, procedure and scope.
Front line staff need to be able to recognise an SAR, and know what to do about it.
ANYONE HAD EXPERIENCE OF SARs?
£10 fee.
Right to stop you direct marketing them.
Right to have you amend or destroy data. – eg credit rating

19. Principles of the DPA 7th Principle
Appropriate technical or organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Who is responsible for your company’s data security?
Physical and technical security measures, i.e. Locked cupboards, data encryption
Sharing data with 3rd parties
Tech and Organisational
QUESTION:- Shout out some technical measures.
Tech = fire walls, virus scanning, server plan, encryption, back ups,
Organisational = doors locked, video monitoring, policies, training
Who is responsible?
Third parties – YOU are the data controller

20. Principles of the DPA 8th Principle
Personal data shall not be transferred to a country or territory outside of the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Does your data get processed outside of the UK?
Adequate levels of protection outside the EEA:
Argentina Guernsey Jersey
Canada Isle of Man Switzerland
QUESTION:- hands up if you export data or transfer data out of the EEA?
What sort of processing?
EEA = EU + Norway, Iceland & Lichenstein
Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
Everyone else is confident that their data does not leave the EEA?
Consider cloud computing, back ups, payroll processing, call centres, suppliers and customers, web sites, s … travel agents, flight bookings.
USA – Safe Harbor
India – call centres
Isle of Man

21. How The DPA Can Be Breached!
NB: These are not mutually exclusive!
Sending personal information to the wrong recipient ( s and attachments)
Failing to keep sensitive personal information secure
Loss of unencrypted PCs/Laptops/Memory Sticks etc containing personal information
Loss of manual records containing personal information
Illegally obtaining personal information
Illegally selling-on personal information (or your staff selling it on)
Inappropriate access to records containing personal information
Inappropriate and inadequate security on systems, websites and transmitted data
Inappropriate disposal of IT equipment, manual records etc
Inadequate training of staff
Inadequate policies and procedures
Making unsolicited marketing calls
Not having an up-to-date Notification

22. Privacy and Electronic Communications Regulations (2011)
Sets out rules regarding the use of
Cookies
Traffic data
Location data
CLI (Calling Line Identification)
ACD (Automated Call Distribution)
Itemised billing
Directory of subscribers (and ex-directory)
Really to look at cookies –
Obligations – 2003 educate people about cookies, allow people to opt out of cookies – browser based.
2011 – you now need to obtain consent before you place the cookie.
Exemptions,
4 types of cookies:
Strictly necessary
Perfomance – eg web stats, errors – annonomised data
Functionality – eg font size, remember settings
Tracking
Approach = audit what you have and what it does. Decide if cookies are necessary. Work out how you will gain consent. Publish sufficient plain English guidance to your web site users.

23. How The PECR Can Be Breached!
NB: These are not mutually exclusive!
Unsolicited “cold” calling
Unsolicited or SMS broadcasting
Failure to gain consent to contact electronically
Calling TPS or mailing MPS registered people
Using cookies without first gaining consent
Poor ACD settings, contact centre call handling

24. The ICO And Its Powers
Serve information notices requiring organisations to provide the ICO with specified information within a certain time period;
Issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
Serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
Conduct consensual assessments (audits) to check organisations are complying;
Serve assessment notices to conduct compulsory audits to assess whether organisations processing of personal data follows good practice (data protection only);
Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010 or serious breaches of the Privacy and Electronic Communications Regulations;
Prosecute those who commit criminal offences under the Act; and
Report to Parliament on data protection issues of concern.

25. Example Actions
Brighton and Sussex University Hospitals Trust £325,000 fine for the theft of computer hard drives that were sold on ebay. June 2012.
London Borough of Barnet £70,000 fine for theft of paper files from an employees’ home. April 2012.
Usha Patwal, given a two year conditional discharge and ordered to pay £614 prosecution costs for unlawfully accessing sister-in-law’s medical records. December 2011.
Merfyn Pugh Estate Agents, given a conditional discharge of six months and was ordered to pay £614 prosecution costs for failure to notify. December 2011.
Phoenix Nursery School, Wolverhampton, signed undertaking for losing a backup tape containing the personal details of 70 pupils and their parents or guardians. November 2011.
ACS Law, Spectrum Housing, North Somerset Council, Newcastle Youth Offending Team, Lush Cosmetics …
HDD were taken away by a contractor and not all were destroyed.
Paper files stolen
Sister in law who worked as a receptionist in a Surgery rang a hospital posing as a medical pracitioner to gain access to medication records. Texted her Sister in law – texts contained information that suggested a knowledge of the medication. Medical practice were held harmless.
One of two cases – ICO has target industries – estate agents, private care, telecoms, legal firms, insurance.
You don’t have to lose lots of data to fall foul.
ACS Law – victim of hacking
Spectrum - ing pension contributions to the wrong person
North Somerset’s £60,000 – the wrong HNS employee received highly sensitive and confidential information relating to a child’s serious case review. Having been informed of the error, the employee sending the s then continued to send s to the wrong recipient a further three times.
Newcastle Youth Offending – loss by a contractor of a laptop -
Lush – hacking of credit card details
MAINLY PROCESS FAILURE – EVEN THE TECH FAILURES ARE OFTEN UNDERLYING ORG CAUSES – EG NO TESTING OF PROCEDURES.

30. Other Cases Oliver Letwin - dumping papers
HMRC - loss of 25 million records
Sony - hacking of 77 million credit card records
A4E Ltd - theft of unencrypted laptop
T Mobile – theft of phone contract details
Marc Ben-Ezra - theft and re-sale of 65,000 gamblers’ records
HSBC bank employee stole account details of 24,000 people –
Association of School and College Leaders - theft of laptop from home
Holly Park School - unencrypted laptop stolen from an unlocked office
Dartford and Gravesham NHS Trust - accidentally destroying 10,000 archived records
Zurich Financial Services £2.275 million fine 46k records
Google Inc – harvesting of WiFi Data
News of the World
Worcestershire County Council
You will remember many of these
Also Vince Cable
HSBC – took 3 years to admit.
HMRC bought some of that data for £100k of people living in Lichenstein –
Breach notification – HSBC took 3 years to admit.
"We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy," said Alexandre Zeller, chief executive of HSBC Private Bank (Suisse). "We are determined to protect our clients' interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts," he said. Mr Zeller said, however, that it was "still unclear how Falciani managed to steal the information". HSBC said that the account holders were based in several European countries, including Britain.
This is thought to have led to some bank employees stealing account data and passing it to tax authorities.
In Germany, an anonymous informer has offered to sell data stolen from an unnamed Swiss bank to tax officials.
Previously, Germany bought similar stolen data about clients of a bank in Liechtenstein. Some of this information was handed to tax authorities in the UK, which is also thought to have paid for the data.
French tax authorities are thought to be investigating up to 3,000 of its nationals using bank accounts outside the country.
Government authorities have defended paying for stolen data as in the public interest. However, the practice has been strongly criticised.
The UK's Revenue & Customs (HMRC) office paid around £100,000 for information about its taxpayers with bank accounts in Liechtenstein, according to accountants UHY Hacker Young.
"Paying criminals for data stolen from banks is highly questionable," said the firm's tax partner, Roy Maugham.
"If people know that there is a market for this data, they will steal it in expectation that HMRC or another tax authority will hand over a six figure sum," he said.

31. What steps can I take in order to comply?
Appoint a senior person to be responsible;
Know what data you have, where it is, who has access to it;
Correct ICO Notification(s);
Think about and uphold the 8 Principles;
Privacy Notices;
Document key policies, procedures & processes (eg breach policy);
Audit data security - implement technical & organisational measures;
Staff Training and regular awareness raising – start a DP dialogue. Integrate into business as normal;
Review, auditing & testing – monitor compliance;
Privacy by design;
System for information governance;
External accreditation – ISO27001 / BS10012;
Seek specialist help.

32. What’s In It For Me Fines and regulatory action
Negative PR / reputational damage
Industrial espionage / theft by employees
Is data your biggest asset?
Risk management - a modern / better way of doing business
Build trust and loyalty of customers
Win B2B or government contracts
Positive point of difference from competitors
Staff morale
Plan for the 2014 Legislation
Mandatory breach notification, European harmonisation, responsible person, powers of inspection, prohibition orders, bigger fines, custodial sentences.
Negative – top 4
Make it into a positive

33. Any Questions?

34. Thank you Philip Brining, Absolute Data Limited
Thank you

35. Case Studies ACS Law Spectrum Housing Lush Cosmetics
North Somerset County Council
Newcastle Youth Offending Team

36. Case Study 1 – ACS Law
Which data protection principles have been compromised?
Principle 7: The main issue highlighted in this case study is that ACS Law did not have appropriate security measures in place
Principle 3,4: Questions could be raised regarding the relevance and accuracy of the data being used by the firm
Principle 6: Due to the sensitive nature of the data in question, and questions about how reliable the data was, Principle 6 was compromised – was the data processed in accordance with the data subjects?

37. ACS Law Avoidance Measures
Recognise Risk: Know your enemy and recognise risk. Organised groups of people with a lot to lose through ACS’ activities.
DP Procedures: Penetration testing and routine auditing of DP arrangements would have flagged up serious issues.
Know your data: Very sensitive personal data that would cause distress and damage if were to be compromised.
Buy-in expertise: Third party specialist firms would have identified areas of concern and helped ACS Law avoid issues or at least mitigate the effects of a security incident.

38. Case Study 2 – Spectrum Housing
Which data protection principles have been compromised?
Principle 2: The data should never have been ed in an excel spreadsheet format, thus the Act was automatically breached.
Principle 7: As well as the document being ed in the wrong format, it wasn’t encrypted either – meaning a compromise of Principle 7.
Principle 1: Both of the above has meant that the data wasn’t processed fairly, or lawfully.

39. Case Study 2 – Spectrum Housing
Avoidance Measures
Training: Staff should be aware that this practice is risky and to be avoided and there is a safer procedure.
DP Procedures: Routine auditing of DP arrangements would have flagged up poor practice and lack of awareness.
IT Measures: Protecting excel sheets is easy and free! Consider other means of transferring the data.
Buy-in expertise: Third party specialist firms would have identified areas of concern and helped Spectrum Housing identify risks.

40. Case Study 3 – Lush
Which data protection principles have been compromised?
Principle 7: The fact that the data wasn’t regularly security-checked and staff were not trained in this area of data protection sufficiently, meant that Principle 7 was compromised.
Principle 1: The result of Principle 7 being compromised meant that Principle 1 was compromised too because the data wasn’t processed fairly or lawfully.
Principles 4,5: Because Lush “failed to do regular security checks and did not fully meet industry standards relating to card payment security”, Questions need to be asked as to whether the data was kept accurate, up to date, and only for as long as necessary.

41. Case Study 3 – Lush Avoidance Measures
Recognise Risk: It is easier and more efficient to steal credit card details from retailers than consumers.
DP Procedures: Penetration testing, security incident logging, and routine auditing of DP arrangements would have flagged up serious issues.
Know your data: PCI DSS data is valuable and subject to criminal activity.
Buy-in expertise: Third party specialist firms would have identified areas of concern and ensured that Lush avoided or at least mitigated the effects of a security incident. The PCI DSS standard sets out acceptable procedures.

42. Case Study 4 – Worcestershire and North Somerset Councils
Which data protection principles have been compromised?
Principle 7: Lack of encryption measures and staff training in the communication of sensitive personal data meant that the councils were left open to (a) breach(es).
Principle 1: As a result of the lack of training / technical measures, the data was not fairly nor lawfully processed, leading to a compromise of this principle.
Principle 6: Because both of the above principles were compromised, it meant that principle 6 was also compromised – the data subjects’ rights were not considered.

43. Case Study 4 – Worcestershire and North Somerset Councils
Avoidance Measures
Training: Train and undertake regular awareness raising with staff of the key issues within your business and their job scope.
DP Procedures: Document the way to undertake certain tasks. Don’t leave it to chance or “common sense”.
Know your data: Sensitive data needs special measures.
Buy-in expertise: Third party specialist firms would have identified repeated procedural failures and heightened risk.

44. Case Study 5 – Newcastle Youth Offending Team
Which data protection principles have been compromised?
Principle 7: Lack of encryption measures and staff training in the communication of sensitive personal data meant that the Youth Offending Team were left open to (a) breach(es).
Principle 1: As a result of the lack of training / technical measures, the data was not fairly nor lawfully processed, leading to a compromise of this principle.

45. Case Study 5 – Newcastle Youth Offending Team
Avoidance Measures
DP Agreements: Ensure third parties are subject to data processor or data sharing agreements.
Due Diligence: Ensure that third parties also have sufficient measures in place to protect data YOU are responsible for – and audit them or have them audited by a specialist.
Awareness : Ensure that all staff are aware of the risks and your procedures.
Buy-in expertise: Third party specialist firms would have identified areas of concern and/or undertaken a sub contractor inspection.