
Data Protection Principles and Information Security

Learn about the 8 principles of the Data Protection Act 1998 and the importance of information security to protect personal data. Discover risk assessments, organizational measures, staff procedures, and physical security practices to ensure compliance.

rsadie




Presentation Transcript


  1. Information Commissioner’s Office
     Sheila Logan, Operations and Policy Manager, Information Commissioner’s Office
     Business Matters, 20 May 2008

  2. The Data Protection Principles
     All data controllers must comply with the Data Protection Act 1998.

  3. The 8 Principles
     • Fair and lawful.
     • Only used for specified purposes.
     • Adequate, relevant and not excessive.
     • Accurate and up to date.
     • Not kept longer than necessary.
     • Individual rights.
     • Kept secure.
     • Not transferred outside the European Economic Area without adequate protection.

  4. Information Security
     The Data Protection Act 1998 requires all organisations to have appropriate security to protect personal information against unlawful or unauthorised use or disclosure, and against accidental loss, destruction or damage. (Principle 7)

  5. 7th Data Protection Principle
     Security contraventions can have BIG implications:
     • Potential harm to individuals when things go wrong.
     • Damage to business reputation.

  6. Risk based assessment
     Information is an organisation’s second most important asset.
     Do you know what information the organisation possesses?
     Do you have detailed security procedures?
     Does your asset register include hardware and portable media?

  7. How valuable or sensitive is the information?
     What effect would a security breach have on your organisation? In costs? To your reputation? To the trust of your customers, clients and stakeholders?
     What damage or distress could be caused to individuals if there were a security breach?

  8. Who is responsible?
     Day to day responsibility for security.
     Written procedures for staff to follow.
     Excellent staff training.
     Regular audits.
     Monitoring changes.
     Investigating a security incident.

  9. Organisational measures
     Has a risk assessment been carried out?
     How effective are your current security measures?
     Where are the weaknesses?

  10. Organisational measures
     Senior management commitment.
     Making resources available.
     Know where responsibility lies.
     Do staff understand the security procedures?
     Are changes required?

  11. Staff
     A high proportion of security incidents are staff related.
     What background checks are carried out? Valid qualifications.
     Disclosures – accidental, procured or deliberate?
     Contract of employment.
     Access to internet and email policies.

  12. Examples of good practice
     • Transparent and appropriate vetting procedures.
     • Risk assessment for staff who have access to large volumes of customer data.
     • Not wearing company passes outside the workplace.
     • Changing computer access when changing roles.

  13. Physical security

  14. Physical security
     General vulnerability – isolated, ground floor, poor lighting, previous incidents.
     Entry and exit points.
     Laptops and external devices.
     Paper – including disposal of confidential waste.

  15. Examples of good practice
     Configure equipment so data cannot be copied.
     Disable drives so corrupt data cannot be introduced to your system.
     Restrict access to areas of high risk.
     Visitor policy for ALL visitors.
     A key register.
     Lockers for staff use.

  16. Examples of good practice
     Portable media:
     Genuine business need to have the device.
     Encryption for customer information.
     Safe storage.
     Who has these devices?
     What happens when they leave the organisation?
     Company mobile phones.

  17. Examples of good practice
     Disposal of personal information:
     Using a contractor to dispose of paper and computer equipment.
     Guidance for home workers and mobile staff.
     Audits and spot checks.
     Storage in a secure and controlled area.

  18. What are the real benefits?
     • Organisational efficiency.
     • Fewer complaints and less compensation.
     • Business reputation.
     • Customer confidence.
     • Overall reduction in costs.

  19. CONTACT DETAILS
     Information Commissioner’s Office
     28 Thistle Street
     Edinburgh EH2 1EN
     Telephone – 0131 225 6341
     Website – www.ico.gov.uk
     Email – Scotland@ico.gsi.gov.uk
