Identifying and mitigating risks to avoid any pitfalls!
November 23rd 2011
Dawn Monaghan, ICO Group Manager Public Services
The view from the ICO
• Our role is becoming ever more central as technology, public opinion, and policy move further into the ICO’s territory.
• Technology offers exciting opportunities to the public sector and commercial providers of services.
• Speed, access, efficiency and choice.
• With opportunities come challenges – not least that gains will be bought at the cost of individual privacy and identity security.
The view from the ICO
• The Information Commissioner’s Office (ICO) is at the heart of the action and the centre of debate around new possibilities and new policies.
• There is always a balance to be struck between transparency and privacy.
• Service providers must think privacy, plan for privacy, and communicate clear information rights choices.
Key Messages
• Data Protection is not a barrier but an enabler
• Competent information governance can improve effectiveness, efficiency, trust and credibility
• Professional information governance may facilitate customer service and improve employee engagement, thereby enabling support for change
Myth and Legend
• Information security issues are solely the domain of IT specialists
• Information Governance is solely the domain of information managers
• The Information Commissioner will not use his powers
ICO Observations
• There continues to be an increase in reported breaches and complaints to ICO
• The analysis behind the statistics requires careful consideration; things are not always as they seem!
• Most of the problems occur because of behavioural and/or cultural failings
• If unchecked problems may increase, mountains grow from molehills!
Possible causes of poor information governance: lack of
• Clarity of structure/roles/responsibilities
• Senior management ‘buy in’
• Respect for those driving IG
• Consistency of policy, procedure and practices
• Day to day management of IG
• Clarity over data sharing relationships
• Data sharing Agreements
• Staff engagement/training/understanding
• Security measures internally and with suppliers
The Reality
• Responsibilities, policies, procedures and practices merge and change frequently
• Sharing of data with new partners, the acquisition of new data and the decommissioning of data are constants
• Changed purposes for processing can occur more regularly than you think
• The sharing of data globally is becoming increasingly common
• Records management in public and private bodies is inherently bad
Key principles DPA
Principle 7 (P7) Security
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Compliance with principle 7
P7 - Specifics
Having regard to the:
• State of technological development
• Cost of implementing measures
The measures in place must ensure a level of security appropriate to the:
• Harm that may result
• Nature of the data
Compliance with principle 7
P7 - Specifics
• The Data Controller (DC) must take reasonable steps to ensure the reliability of staff
• If the data is being processed by a third party, to be compliant with P7 the DC must choose a processor who can give sufficient guarantees in respect of security measures
• Ensure reasonable steps are taken to ensure compliance
• The DC needs a written contract with the data processor
• The processor can only act under instruction and must comply with the 7th Principle
Compliance with Principle 7
P7 What that means in practice
• You must identify your relationship to the data
• You should have an awareness of what is available at a reasonable cost for your organisation
• Your technology must meet the needs of the nature of the data and the harm that may be caused if it is used incorrectly, lost, damaged or destroyed
• Your staff should be checked, inducted and trained to an appropriate level
Compliance with principle 7
P7 Specifics
• If sharing data consult the Data Sharing Code (DSC)
• When choosing a processor check their knowledge
• Check their security policies, procedures and practice
• If necessary check their premises
• Do not rely on the fact that they are a ‘large’ company or that they are another public sector body
• Have a written contract in place
• Put in place an appropriate data sharing agreement (Chapter 14 DSC)
• Monitor the processor’s compliance on a regular basis
Other Issues
Not solely P7
• (P6) Rights of the Data subject - in particular answering subject access requests
• (P5) Retention - who keeps what, where and why
• (P2) Fair processing - have changes been recognised and acted upon
• (P4) Accuracy - are checks in place
• (P8) Transfers out of the EEA - in a global environment is this principle understood?
• If changes have occurred, have you Notified the Commissioner?
The Rights of the Data Subject
s7 Access to a copy of the personal data processed and information concerning the processing
s10, s11, s12 Objections to processing;
• which cause unwarranted substantial distress or damage
• for marketing purposes
• for automated decision making
s13 Compensation from DC if damage results from a breach
s14 Right to rectification, blocking, erasure or destruction
The Rights of the Data Subject
S7 Subject Access Requests
• Entitled to be told if you are processing data about them
• If that is the case, to be given a description of the personal data of which the individual is the subject
• The purpose for which the data is being processed
• The people or types of people the data is or may be given to
• Given information which constitutes personal data
• The source of that data
• Whether or not it is processed automatically
• A fee can be charged (max £10)
• Can check identity
• Answered in 40 days
What can help?
• Thinking through the implications Privacy by Design
• Going back to first principles
• Talking to peers and networking groups
• Using ICO Privacy Impact Assessment guidance to identify and mitigate risks
• Using ICO Data sharing Code of Practice to understand obligations and put in place data sharing agreements
• Making ICO aware of any overarching concerns or obstructions
Subscribe to our e-newsletter at www.ico.gov.uk
Follow us on Twitter at www.twitter.com/iconews
Data Protection
Mike Bradford
www.regulatorystrategies.co.uk
How not to approach data protection
What would we not expect?
“The data had clearly been disclosed by the insurance company and obtained unlawfully by the accident management company without...consent.
“The insurance example is a clear breach of the Act, but perhaps worse than that is the total disregard for what individuals would expect from any organisation that holds their data.”
Data Protection Law & Policy, August 2011
What would we expect?
“To me good privacy provides a framework of protection to give me the confidence to make informed decisions and lifestyle choices as to how I use and to whom I disclose my information for my benefit as a consumer;
“and ensures transparency over the legitimate uses and disclosures of my personal information in respect of my rights, obligations and protection as a citizen.”
Data Protection Law & Policy, June 2011
Data Protection myths and realities
“Data protection law reinforces common sense rules of information handling, which most organisations try to follow anyway. It is there to ensure that organisations manage the personal information they hold in a sensible way...
“...Some organisations understandably err on the side of caution and do not release information when they could do so.
“Unfortunately, some organisations continue to use the Data Protection Act 1998 as an excuse not to do something, rather than seeing it as good business sense to treat their customers and their information with respect.”
Christopher Graham, Information Commissioner
Two core ‘customer’ obligations...
1. Protection and respect for the individual and their data
2. Facilitating and enabling them to transact and engage with other organisations as consumers or citizens where the data you hold may benefit them in this process – addressing the ‘exclusion’ challenges:
• Obtaining goods and services
• Accessing mainstream and more affordable credit
• Obtaining cheaper utility prices
• Streamlining access to legitimate welfare benefits and entitlements
...and both are compatible with your obligations and responsibilities under the Data Protection Act
An example
• Sharing social housing rent data on circa 5m tenants with credit reference agencies and the lending industry would have benefits for low-income social housing tenants
• Rent-payment data has a significant uplift from typical ‘thin-file’ credit scores
• Integration of rent data into scoring models would make mainstream credit more accessible and affordable to a significant number of social housing tenants
• It would also result in less lending to those unable to support more credit and so reduce over-indebtedness and support responsible borrowing
• Lenders would see reduction in bad debt losses of circa £20m pa coupled with circa 6% annual increase in new lending
• Housing market benefits of some tenants accessing mortgages and shared ownership schemes more easily as lenders refine their underwriting criteria – detailed and up-to-date rent-payment histories could facilitate more objective and faster decisions
• Government initiatives would benefit bringing tenants into mainstream markets and helping to tackle problems of social, financial and digital exclusion
Our starting point
• 89% of people are aware of their data protection rights, compared to the baseline of 74% in 2004
• Young people in particular are aware (95%) - and the Information Commissioner is targeting increased awareness and education
• Almost 30,000 complaints were received by the Information Commissioner’s Office, 23% of which were likely breaches
• There is an immediate need to review your websites to ensure changes are made to comply with new cookie regulations which are already in effect. The Information Commissioner expects you to be doing this now
• And the Information Commissioner can now fine up to £500k for breach of the data protection Principles, recently extended to cover breaches of the electronic marketing regulations - there are also criminal offences under the Act that should not be taken lightly
ICO Annual Track Survey 2011
A cheery thought...?!
• 72% managers say protecting company data is more stressful than getting a divorce, managing personal debt, or being in a minor car accident
• 14% say losing their job would be less stressful than staying in their current role
Dynamic Markets survey of 1,000 IT managers and 1,000 non-IT employees in the U.S., UK, Canada, and Australia
Our track record
“The housing sector needs to wake up.
“Social Housing is very much on our radar.
“It seems to us that there is very little awareness of data
protection within the sector, with a few honourable exceptions.”
Lessons from the ICO on handling portable devices
• Use encryption – password protection is not sufficient
• Use security devices, e.g. a Kensington lock on a laptop
• Delete data properly
• Implement appropriate internal procedures – policy and checks
• When outsourcing get a written contract
Breach reporting and management
• All data controllers have a responsibility...to ensure appropriate and proportionate technical and organisational security of the personal data they hold
• Generally no organisations have an obligation to report data breaches to the ICO under the Data Protection Act. From 26 May 2011 public electronic communications service providers are required to notify the Commissioner, and in some cases individuals themselves, of personal data security breaches
• Although there is no legal obligation in the DPA for data controllers to report breaches of security, the Information Commissioner believes serious breaches should be brought to the attention of his Office and, where appropriate, to the attention of the individuals involved
• We believe that some form of compulsory notification for serious security breaches would be a useful addition to any new legislation
Incident and data breach management
• Numerous high profile breaches have led to regulator and media focus
• Information Commissioner has outlined his clear expectation of organisations
• Regulators understand that no organisation is immune but need to see clear steps taken to avoid and manage incidents
ASSESSMENT OF ONGOING RISK
CONTAINMENT AND RECOVERY
NOTIFICATION OF BREACH
EVALUATION AND RESPONSE
Incident Management Matrix
A tool to determine which member of a nominated incident management team is responsible for which activities
All members of the team should be kept informed throughout the incident
Key: F = facilitate, A = advise, I = informed, R = responsible
Columns: IM = Incident Manager, IT = Information Technology, PR = Public Relations, CT = Compliance Team, LG = Legal, HR = Human Resources, AM = Account Management, CS = Customer Services, SM = Senior Management

Activity                                                       IM  IT  PR  CT  LG  HR  AM  CS  SM
Overall management of the incident                             R   I   I   I   I   I   I   I   I
Internal communication                                         R   I   A   I   I   A   I   I   I
Investigation / amendment / coordination of systems            F   R   I   I   I   I   I   R   I
Managing supplier / data processor / outsourced relationships  F   I   I   I   A   I   R   R   I
Employee management / disciplinary etc.                        F   I   I   I   A   R   I   I   I
Contractual or legal proceedings / reporting to police         F   I   I   I   R   I   I   I   I
Decision to escalate and notification of regulators            F   I   I   A   I   I   I   I   R
Customer communication                                         F   I   A   I   I   I   R   R   I
Preparation of PR statement and media / press communication    F   I   R   I   I   I   I   I   I
Rules for effective incident management
Planned, documented, tested and well-communicated process
Clear ownership and accountability
Consistent messaging
Effective reporting
Speed and containment
Post-incident review
Evolve, adapt and re-test your plan
A word about audits...
“I simply can’t understand why you wouldn’t accept a free audit from the Information Commissioner...I think it is very short sighted of private companies not to engage with the Information Commissioner”.
Christopher Graham
Information Commissioner
Evidence to the Justice Committee on the Workings of the Information Commissioner
13 September 2011
Breakdown of areas reviewed (last 12 months)
Sound familiar...?!
• Policies - The Council’s policies and procedures do not show the date of production, date of last review and responsible owner. Some appeared to be out of date
• Governance - The Council collected very few statistics on data protection compliance and there was no reporting on these figures to function or group leaders
• Privacy Impact Assessments - There was no requirement for departments to conduct a privacy impact assessment
• Technology - The Council allows staff to scan and upload documents from their desktop computer to the central system. However, this process does not automatically delete the copy of the document stored on the local desktop computer
Data Protection Principles
Transparency
1. Fair and lawful processing
2. Specified and lawful purposes
Information standards
3. Adequate, relevant and not excessive
4. Accurate, and where necessary kept up to date
5. Not kept for longer than necessary
Consumer rights
6. Rights of data subjects
Security
7. Technical, physical and organisational security of data
Global protection
8. Data transfers outside the EEA
Your business-critical decision points
• Data collection, uses and applications - now and in the future
• Third party outsourcing – suitability and contracts
• Data transfers overseas
• Accuracy, updates, retention and deletion
• Storage, security and access controls
• Staff vetting, monitoring and training
• Documented controls and procedures
• Website compliance
• Marketing compliance by channel
An integrated business process (compliance audit runs across every layer)
Regulation / legislation / codes of practice: Data Protection Act; Privacy and Electronic Communications Regulations; sector-specific regulations
Policy and guidelines
Operational interpretation: what it means in practice
Application: procedures; working practices
Training and awareness: induction; established staff; refresher training; training when there are changes to process/procedure/policy or regulation
A quick checklist
Who is your data protection officer?
Are they visible and support your business objectives?
How aware are your staff of what data protection means to them and your organisation?
Is your ICO registration up-to-date?
Are your fair obtaining clauses sufficient and transparent?
How do you ensure data is secure?
How do you keep your data accurate and up-to-date?
How long do you keep your data and how do you destroy it?
A quick checklist
What do you do if data is lost or stolen – and how quickly can you do this?
Do your staff know what to do if you get a subject access request?
How do you comply with marketing opt-outs?
Is your website compliant – privacy statements and new cookie requirements?
Are your contractors vetted and do you have robust contracts?
Are you covered for any overseas processing?
Do you factor changes and developments into your strategic planning?
A closing message
Protecting personal privacy makes good business sense
It should bring real and significant benefits that far outweigh the effort privacy protection requires
The alternative, of ignoring privacy and leaving personal information inadequately protected, has significant downsides
Christopher Graham, Information Commissioner
www.regulatorystrategies.co.uk
“I don’t want a lawyer to tell me what I cannot do;
I hire him to tell me how to do what I want to do.”
John Pierpont "Jack" Morgan, Jr. (1867-1943)