Transcript Document

Protecting personal data
Victoria Cetinkaya, Senior Policy Officer, Information
Commissioner’s Office
13 November 2013, LMN IT Board Security Seminar, London
Our mission
The ICO’s mission is to uphold information rights
in the public interest,
promoting openness by public bodies
and data privacy for individuals.
The role of the ICO
• Enforce and regulate
  – Freedom of Information Act
  – Data Protection Act
  – Environmental Information Regulations
  – Privacy and Electronic Communications Regulations
• Provide information to individuals and organisations
• Adjudicate on complaints
• Promote good practice
Our performance
225,138 – calls to our helplines
c. 5,200,000 – visits to our website
Data protection
• 13,802 – data protection cases received
• 14,042 – data protection cases closed
• 372,369 – organisations notifying
Freedom of information
• 4,693 – freedom of information cases received
• 4,697 – freedom of information cases closed
Introduction and contents
- Why data protection matters
- The data protection principles
- Data security
- Breaches and their consequences
Public social concerns
Source: ICO Annual Track 2012/13
Consequences of data protection failures
- Increased public anxiety
- Critical reports in the media
- Risks to reputation and business
- Risk of ICO enforcement action
  – Undertakings and enforcement notices
  – Increased inspection and audit
  – Monetary penalties of up to £500,000
The eight principles of the DPA98
1. Fair and lawful processing
2. Processed for limited & specified purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than necessary
6. Processed in line with individuals’ rights
7. Kept secure
8. Not transferred outside the EEA without adequate protection
The 1st principle: fair and lawful
- Be open and honest about how you use personal information
- Handle people’s information only in ways they would reasonably expect
- Handle sensitive personal data appropriately
- Give appropriate privacy notices when collecting personal information
- Is your processing necessary?
Integrity of data
(3rd, 4th and 5th principles)
- Ensure data is adequate, relevant and not excessive (3rd)
- Make sure data is kept up to date and accurate (4th)
- Don’t keep personal data longer than is necessary (5th)
Subject access
- Individuals have a right of access to their personal information held by the university or college (students, staff or others)
- Requests must be dealt with within 40 days
- Maximum charge £10.00
- New ICO code of practice
Data security
- Look at the ICO website’s list of DPA enforcement action – any common themes?
  – loss/theft of unencrypted laptops and memory sticks
  – insecure disposal (both paper and IT)
  – lost records
  – information sent to the wrong recipient
  – lack of staff training and proper procedure
Examples – breaches in the education sector
- Theft / loss of unencrypted laptops / devices – undertakings obtained
- Sensitive personal data of 80 students dumped in a skip in unsecured bin bags – undertaking obtained
- Use of unprotected live student data in training manuals / systems
- Student assessment transcripts and exam results inadvertently posted online
- No monetary penalties yet, but they have been served in other sectors
Avoiding the pitfalls: security
- “Appropriate” security
  – consider the nature of the data and the potential harm from its misuse
- Physical, technological and management / organisational measures
- Data processors – YOU are still responsible
Consequences of data mishandling
- Complaints, followed by a “compliance unlikely” assessment
- Undertaking
- Enforcement notice
- Increased level of audit
- Criminal prosecution
- Monetary penalty
Civil monetary penalty criteria
• There has been a serious contravention of data protection principles by the data controller,
• The contravention was of a kind likely to cause substantial damage or substantial distress and either…
• The contravention was deliberate or,
• The data controller knew or ought to have known that there was a risk that the contravention would occur, and that this would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.
Monetary penalties
• Predominantly principle 7 issues to date (security), however elements of principle 4 (accuracy) and principle 5 (retention)
• The ‘breach’ may be the failure of the data controller to take appropriate technical or organisational steps to protect data, rather than the incident itself
• 48 monetary penalty notices issued to date:
  – Primarily local councils and NHS so far, but other organisations feature too
Self-reported breaches
Themes emerging:
– Loss or theft of unencrypted devices (highest penalty £150,000 to date)
– Loss or theft of paper records (highest penalty £100,000 to date)
– Insecure disposal, both paper and electronic (highest penalty £325,000 to date)
– Email errors (highest penalty £140,000 to date)
– Fax errors (highest penalty £100,000 to date)
– Postal errors (highest penalty £140,000 to date)
– Insecure websites (highest penalty £1000 to date)
Managing (and anticipating) an incident – what the ICO expects…
- Have a breach management plan in place, including containment and recovery. Address immediate and ongoing risks
- Appropriate to inform affected data subjects and offer support?
- Notification of breach to the ICO. Failure to report may be considered an aggravating factor
To summarise…
- Good records management makes compliance easier and prevents complaints and ICO regulatory action
- Know what personal data you hold, how and where
- Policies and procedures in place; staff properly trained and aware
- Technical security – encryption; firewalls; access settings; strong passwords
Advice and guidance
- ICO guidance – www.ico.org.uk
  – general data security
  – IT asset disposal
  – deleting personal data
  – cloud computing
  – BYOD
Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk
or find us on…
www.twitter.com/iconews