Transcript and Presenter's Notes

Provided by: socit1
Slides: 33
2
7th Data Protection Principle
  • Appropriate technical and organisational
    measures shall be taken against unauthorised or
    unlawful processing of personal data and against
    accidental loss or destruction of, or damage to,
    personal data.


5
We are now in a different environment!
The genie is truly out of the bottle!
6
The Threat
9
Recent action: disposal of customer information
  • 20th February 2008: Skipton Financial Services
    in breach of the DPA following theft of a laptop
    containing 14,000 customer details.
  • 25 January 2008: enforcement action taken against
    Marks and Spencer, following theft of an
    unencrypted laptop with 26,000 employee details.
  • 16 January 2008: Carphone Warehouse and TalkTalk
    in breach of the DPA.
  • Wed 19th December 2007: Department of Health
    found in breach of the DPA following lapses in
    security with the Medical Training Application
    Service

10
The fall-out!
  • Cabinet Office bans movement of unencrypted
    laptops
  • Secure data transfer to be the norm
  • FIPS 140-2 encryption at IL2
  • CAPS Baseline encryption for IL3
  • Introduction of PROTECT
  • Severe penalties for any further breaches in data
    security (including dismissal)

11
Data Security Report on the Data Protection
Review and wider UK context
  • Review
  • Instigated by Peter Robinson November 2007
  • Conducted by DFP DID
  • Completed 20 December 2007
  • Report published and in NI Assembly Library

12
Data Security Report on the Data Protection
Review and wider UK context
  • Review - Scope
  • Covered 11 NICS Departments and 57 Agencies and
    NDPBs.
  • Local Authorities and the Voluntary Community
    sectors not included.
  • Primary focus on the policies, procedures and
    behaviours driving Management, Operational and,
    to a lesser degree, Technical capabilities
    defining the intra-organisational,
    inter-organisational and external exchange of
    personalised data.
  • Self-assessment questionnaire - each organisation
    was asked to consider and assess their position
    against a capability model covering each of the
    three drivers.

13
The NI Data Protection Review (diagram; only the
labels survive extraction):
  Refresher, Events, Induction, Campaign, Awareness,
  Policies, Channels, Procedures, Devices, Governance,
  Technical, Risks, Laptops, Audit, Physical
14
Data Security Report on the Data Protection
Review and wider UK context
  • Review Key Findings
  • Overall capability of the assessed organisations
    met an overall maturity level of 72
  • A number of good practice areas:
  • Prevention and detection of fraud (83)
  • Security of interconnects (78)
  • Physical and environmental management (80)
  • Handling complaints and incidents (82) and
  • Physical security and access (78).

15
Data Security Report on the Data Protection
Review and wider UK context
  • Review Key Findings
  • The Review also indicated that several key
    drivers underpinning excellent levels of data
    protection maturity were open to improvement.
    These included:
  • Awareness and training (53)
  • Use and protection of media (53)
  • Management of configuration changes (50)
  • Business continuity (38)
  • Outsourced technical competencies (35) and
  • Information transfer and communication (31).

16
Data Security Report on the Data Protection
Review and wider UK context
  • Report
  • Content agreed by Minister and Executive
  • Highlights key findings from Review and future
    actions
  • Published April 2008
  • Online copy available shortly at www.dfpni.gov.uk

17
Data Security Report on the Data Protection
Review and wider UK context
  • Recommendations
  • Immediate 90-day Action Plan
  • Improve governance arrangements with Board-level
    visibility of DP issues
  • Encryption / password protection of laptops and
    removable media
  • Staff awareness training (May-Oct 08)
  • Second reassessment exercise (late April 08)

18
Data Security Report on the Data Protection
Review and wider UK context
  • Recommendations
  • Embed data protection principles within best
    practice accreditation
  • Develop NI public sector-wide DPA awareness
    campaign
  • Introduce a Citizens Charter to reflect an
    agreement between government and the citizen on
    the effective custodianship of personal data
  • Procurement of an accelerated laptop refresh
    programme
  • Introduction of a secure file transfer capability
    for public sector organisations that are not
    connected to the GSI (including the majority of
    NDPBs)

19
Data Security Report on the Data Protection
Review and wider UK context
  • Future Actions
  • Recognise data protection challenges (technical;
    increasing sophistication of the threat)
  • Need to maintain data sharing to provide improved
    services
  • Need to maintain public confidence
  • Organisational accountability and responsibility

20
Data Security Report on the Data Protection
Review and wider UK context
  • ...and across the rest of the UK
  • Similar Reviews underway in England, Scotland and
    Wales to define roles and responsibilities, set
    standards for handling personal data and examine
    reporting requirements with audit and compliance
  • Immediate measures already put in place through
    correspondence with Permanent Secretaries
  • Full Report likely to be published in next couple
    of months alongside
  • ICO / Walport Review of Data Sharing
  • Kieran Poynter examination of HMRC losses
  • Edmund Burton examination of MOD losses

21
Data Security Follow-Up Assessment: Electronic
Assessment
  • Electronic assessment tool
  • Spreadsheet based
  • Will be issued with original guidance documents
  • Key benefits
  • User friendly
  • Summary of assessment results
  • Facilitates consolidation and reporting
  • Visibility of scoring impact (including
    weightings)
  • Results easily stored/shared

22
Data Security Follow-Up Review - Validation
  • Validation exercise June/July 2008
  • Key benefits
  • Enhances credibility of self assessment/review
  • Additional comfort for sampled organisations
  • Determination of consistency in scoring
  • Independent
  • Basis
  • Random sample of organisations
  • Sample of assessment areas

23
Data Security Follow-Up Review - Validation
  • Validation exercise will consider
  • Information processed relative to risk and
    scoring
  • Scope of assessment scoring
  • Evidence in support of scores (against guidance)
  • Progress on implementation of recommendations
  • Outputs will be included in a follow up
    assessment report
  • Additional recommendations may be raised

24
Data Security Follow-Up Review - Reporting
  • Validation findings will be
  • Contextualised against risk (information
    processed)
  • Agreed with management at respective
    organisations
  • Included in the follow up report
  • Follow up report (Autumn 2008) will include
  • Re-assessed, collated results
  • Update on progress against generic
    recommendations
  • Findings from validation exercise
  • Any additional recommendations

25
7th principle
  • Data Processors
  • Are passwords known only to authorised persons?
  • Is the system able to check that the data is
    valid, does it produce backup copies, and how are
    they stored?
  • Does the system keep an audit trail of users?
  • Procedures for cleaning disks: are they reused or
    simply rewritten?
  • Is the Data Protection clause in the contract
    adequate?

26
Individual Rights
  • Right of access to own personal data, known as
    subject access (section 7)
  • Right to prevent processing likely to cause
    substantial damage or distress (section 10)
  • Right to prevent processing for purposes of
    direct marketing (section 11)

27
Individuals rights (continued)
  • Rights in relation to automated decision-making
    (section 12)
  • Right to seek compensation for breaches of the
    Act. (section 13)
  • Right to seek rectification, blocking, erasure or
    destruction of inaccurate personal data (section
    14).

28
Criminal Offences
  • Processing without notifying (unless exempt) -
    sec 21
  • Failure to notify changes - sec 21
  • Unauthorised disclosure - sec 55 and 59
  • Unauthorised obtaining or procuring a disclosure -
    sec 55
  • Failure to comply with a notice - sec 47
  • Enforced subject access - sec 56 and 75(4)

29
The Section 55 Offence
  • Section 55 states:
  • 55 (1) A person must not knowingly or
    recklessly, without the consent of the data
    controller:
  • obtain or disclose personal data or the
    information contained in personal data, or
  • procure the disclosure to another person of the
    information contained in the personal data

30
Recent Developments
  • Section 55 offence (section 76 of the Criminal
    Justice and Immigration Bill)
  • Information Commissioner to receive new powers to
    spot-check
  • Greater powers with regard to breaches of data
    security.

31
  • THINK PEOPLE NOT DATA
  • THIS INVOLVES US ALL
  • THERE IS A COST TO THIS STUFF
  • THERE ARE SHORT, MEDIUM AND LONG-TERM WINS!

32
Two services available on 6 May 08!
  • SecureDoxNI An approved secure online file
    transfer service for IL2 sensitive and personal
    data
  • Contact mark.bennett_at_dfpni.gov.uk
  • Online awareness training module
  • Contact colin.cluney_at_dfpni.gov.uk