JISC BS7799 Pilot - PowerPoint PPT Presentation
1
SURVIVING the DATA PROTECTION ACT with ICT
2
DATA PROTECTION ACT
  • Barry Kelly
  • Data Protection Co-ordinator

3
DATA PROTECTION ACT 1998
  • Became law on 1 March 2000
  • Only applies to the use of personal data, i.e.
    data relating to an identifiable living
    individual (the data subject), which
  • is being processed by computer or other automatic
    equipment
  • or is recorded with the intention that it should
    be so processed
  • or forms part of a relevant filing system or
    accessible record.

4
DATA PROTECTION PRINCIPLES
  • The 1998 Act defines eight principles covering
    the way in which personal data must be processed.

5
DATA PROTECTION PRINCIPLES
  • Personal data shall be processed fairly and
    lawfully and in particular, shall not be
    processed unless specified conditions are met.
  • Personal data shall be obtained only for
    specified and lawful purposes, and shall not be
    further processed in any manner incompatible with
    those purposes.

6
DATA PROTECTION PRINCIPLES
  • Personal data shall be adequate, relevant and not
    excessive in relation to the purposes for which
    it is processed.
  • Personal data shall be accurate, and where
    necessary, kept up to date.
  • Personal data shall not be kept for longer than
    is necessary, for the purposes for which it is
    being processed.

7
DATA PROTECTION PRINCIPLES
  • Personal data shall be processed in accordance
    with the rights of data subjects under this Act.
  • Appropriate security measures shall be taken
    against the unauthorised or unlawful processing,
    accidental loss, destruction, or damage of
    personal data.

8
DATA PROTECTION PRINCIPLES
  • Personal data shall not be transferred outside
    the European Economic Area (EEA) unless that
    country / territory ensures an adequate level of
    protection for the rights and freedoms of data
    subjects in relation to the processing of
    personal data.
  • There is a Commissioner who has powers to pursue
    offences under the Act.

9
INDIVIDUAL RIGHTS
  • Access to data
  • Can prevent processing likely to cause damage or
    distress
  • Can prevent processing for the purposes of direct
    marketing
  • Rights in relation to automated decision-taking
  • Individuals can take action for compensation
  • Can take action to rectify, block, erase or
    destroy inaccurate data
  • Can make a request for an assessment as to
    whether any provision of the Act has been
    contravened

10
EXEMPTIONS
  • Confidential references given by the University
  • Management forecasts/management planning
  • Negotiations
  • Examination scripts
  • Examination marks
  • Research, History and Statistics
  • Special purposes exemption:
      • the purposes of journalism
      • artistic purposes
      • literary purposes

11
THE COMMISSIONER
  • POWERS AND DUTIES
  • Enforcement Notices
  • Information Notices
  • Provide Assistance
  • Determination of Assessable Processing
  • Powers of Entry and Inspection

12
TRANSITIONAL PROVISIONS
  • 1st Transitional Period: 1 March 2000 to
    23 October 2001
      • Eligible Automated Data
      • Eligible Manual Data (all manual data)
  • 2nd Transitional Period: 24 October 2001 to
    23 October 2007
      • Eligible Manual Data Only (pre-September 1998)

13
OFFENCES UNDER THE ACT
  • Processing without notification
  • Failure to notify Commissioner of changes to a
    register entry
  • Failure to comply with written request for
    particulars
  • Failure to comply with Commissioner Notices
  • Making a false statement in compliance with a
    notice

14
OFFENCES UNDER THE ACT
  • Intentional obstruction / failure to give
    reasonable assistance in the execution of a
    warrant
  • Unlawful obtaining of personal data
  • Unlawful selling of personal data
  • Enforced subject access

15
UNIVERSITY'S RESPONSE
  • Create post of Data Protection Co-ordinator
  • Establish Taskforce
  • Produce a personal information strategy
  • Conduct an Audit of Personal Information Systems
  • Create policies and procedures to ensure
    compliance with the 1998 Act
  • By 23rd October 2001 all procedures and
    documentation will be in place in QUB

16
AUDIT
  • Not meant to be a form filling exercise.
  • You have to ensure that all personal data you
    continue to hold will comply with the 8
    Principles
  • Have you obtained consent where required?
  • Is personal data only being used for specified
    purposes?
  • Is all personal information accurate, relevant
    and up to date?
  • Will personal information conform with the rights
    of data subjects?
  • Is personal data safeguarded?

17
FURTHER INFORMATION
  • DPA items in your Pack
  • Examples of dealing with Personal Information
  • Proforma for References
  • Proforma for Queries
  • Useful WWW addresses

18
DATA PROTECTION ACT AND IT
  • Cathy McKeown
  • Training Accreditation Programme
  • Information Services

19
IT - FRIEND OR FOE?
  • The updated 1998 Data Protection Act was partly a
    result of the increasing storage of electronic
    personal data.
  • Electronic Storage of data has made it easier for
    organisations to store details
  • Electronic storage made it easier to use this
    data for a variety of purposes
  • People were increasingly finding that they were
    on mailing lists without being given the
    opportunity to object

20
IT - FRIEND OR FOE?
  • IT can be used to help you comply with the DPA
  • Password protection of files/computers
  • Using BCC (Blind Carbon Copy) when sending mails
  • Keeping information up-to-date is easier
    electronically than on paper, and can avoid
    duplication
  • WWW forms are easily created and can help you
    receive permission to hold personal data from
    people concerned

21
PASSWORD PROTECTION
  • Computers should all be password protected
  • Each file can also be individually password
    protected
  • Note: when you create a password, write it down
    and keep it in a secure place. If you lose the
    password, you cannot open or gain access to the
    password protected document
  • Make sure another authorised person has a list of
    the passwords you use (e.g. in case you are away
    on holiday)

22
PASSWORD PROTECTION
  • Password Protection of individual files
  • Process is slightly different for each package
  • Information on how to password protect your files
    in Word, Excel and Access is included in your
    pack

23
EMAILS
  • Make use of Blind Carbon Copy (Bcc)
  • Allows you to send emails to many users without
    anybody but yourself being aware of who else has
    been sent the email (e.g. the emails sent to you
    from TAP about this event)
  • Use Carbon Copy (cc) when you want the recipient
    to know who else is receiving the mail, e.g. cc
    your team leader/supervisor when you want an
    external recipient to know that somebody else is
    also involved in the matter

24
ACCURATE DATA
  • Keeping information up-to-date is easier
    electronically than on paper, and can avoid
    duplication
  • If you have an electronic database you should not
    print out and keep lists of personal data unless
    you do this each time you make a change. All
    copies must be the latest up-to-date information.
    Keep one electronic master copy and back this
    file up onto another drive.
  • Data must be accurate, so you must keep backup
    copies in case a machine crashes

25
NEXT BRIEFING
  • June or September
  • Security
  • Backup procedures

26
WWW Forms
  • Collecting data can be done electronically
  • Remember to give the user the right to object to
    the data being used for any of the purposes you
    have specified or to any group specified
  • If collecting personal data, ask for an email
    address. Send an email to this address confirming
    that you have received the data and tell them
    they may have their details removed.
  • This is important in case somebody has filled in
    the form maliciously for somebody else.
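The confirmation step this slide describes, as an added example that is not part of the presentation or its pack: a small Python store that keeps a WWW-form submission unconfirmed until the owner of the supplied email address uses an unguessable token either to confirm it or to have the details removed, which is what defeats a form filled in maliciously for somebody else. It goes one step further than the slide by also purging submissions that are never confirmed; the URL base `BASE_URL` and the sample addresses are placeholders.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Submission:
    name: str
    email: str
    purposes: tuple
    confirmed: bool = False
    # Unguessable token: the only way to confirm or remove this record.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

class FormStore:
    """Holds WWW-form submissions as unconfirmed until the address owner acts."""
    def __init__(self):
        self._by_token = {}

    def submit(self, name, email, purposes):
        """Record a submission and return (token, confirmation email body)."""
        sub = Submission(name, email, tuple(purposes))
        self._by_token[sub.token] = sub
        base = "https://BASE_URL"  # placeholder for the site's own address
        body = ("We have received personal details submitted in your name, "
                f"to be used for: {', '.join(sub.purposes)}.\n"
                f"If this was you, confirm here: {base}/confirm?t={sub.token}\n"
                f"To have your details removed instead: {base}/remove?t={sub.token}\n")
        return sub.token, body

    def confirm(self, token):
        """Mark the record as confirmed; unknown tokens are rejected."""
        sub = self._by_token.get(token)
        if sub is None:
            return False
        sub.confirmed = True
        return True

    def remove(self, token):
        """Delete the record, whether or not it was confirmed."""
        return self._by_token.pop(token, None) is not None

    def confirmed_records(self):
        """Only confirmed records may be used for the stated purposes."""
        return [s for s in self._by_token.values() if s.confirmed]

    def purge_unconfirmed(self):
        """Drop anything never confirmed (retention principle); return the count."""
        before = len(self._by_token)
        self._by_token = {t: s for t, s in self._by_token.items() if s.confirmed}
        return before - len(self._by_token)
```

Only records returned by `confirmed_records()` should ever feed a mailing list or other stated purpose; `purge_unconfirmed()` would run on a schedule so unconfirmed details are not kept longer than necessary.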

27
FURTHER INFORMATION
  • Your Information Services Pack
  • Guidelines on how to Password Protect
  • Checklist for Personal Information (yellow)
  • Individual Comment sheet on WWW pages
  • Prototype WWW page
  • Evaluation sheet

28
Case Scenarios - Discussion
29
CASE SCENARIOS
  • 4 Different Case Scenarios
  • 10-15 minutes group discussion on the scenarios
  • Model answers will be provided and B. Kelly will
    take you through these answers
  • Questions