Philip Brining, Absolute Data DATA PROTECTION COMPLIANCE ESSENTIALS Agenda 1. Welcome and Introductions 2. Absolute Data 3. What is data protection? 4. The Data Protection Act (1998) 5. The Privacy and Electronic Communications Regulations (2011) 6. Overview of Breaches 7. Powers of the ICO 8. What You Can Do to Comply 9. WIIFM 10. Questions and Close Welcome & Introductions 1. Names, Organisations, Roles 2. Expectations from this session Absolute Data Limited OUR BACKGROUND • 10+ years experience of providing practical advice, information and guidance to a variety of organisations in the public, private and third sector in respect of information governance, data protection and privacy. Data Strategy Data Services Data Systems Data Compliance Data Protection Compliance • • • • Data Protection Act (1998) Privacy and Electronic Communications Regulations (2011) Freedom of Information Act (2000) CCTV, Phone Monitoring, Human Rights Act Data Protection Compliance • Data Protection Act (1998) • Privacy and Electronic Communications Regulations (2011) • • Freedom of Information Act (2000) CCTV, Phone Monitoring, Human Rights Act Overview • DPA (1998) – Public register of data controllers – 8 Principles – Rights of data subjects – Defines “data” under the scope of the legislation – European-wide • PECR (2011) – Rules regarding e-comms (text, e-mail, phone etc.) – Suppression lists (opting out) – Cookies (educate, consent) What exactly is the Data Protection Act? “The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. The Information Commissioner’s Office (ICO) is the UK’s independent authority who upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (ICO, 2009). What is classified as “Data”? The Data Protection Act defines Data, and Personal Data, and further differentiates between Personal Data and Sensitive Personal Data. Data means information which – a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, b) is recorded with the intention that it should be processed by means of such equipment, c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d). Personal data means Data which relate to a living individual who can be identified – a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Organisations are prohibited from processing sensitive personal data unless they can prove why it is necessary and can satisfy the Act’s “Conditions for Processing” rules. Examples of Personal Data? • • • • • • • • • • Database containing names and addresses of UK customers Paper files containing names and addresses of Japanese shareholders Data capture forms List of customers’ mobile phone numbers emailed from one employee to another List of prospects’ database reference numbers emailed to a supplier Customer services digital telephone recordings Tapes containing CCTV footage outside your offices Excel spread sheet containing your personal Christmas card list Database of vehicle license plates passing through your property Private notes written on a CV about an interview candidate The Register of Data Controllers Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers, which is available to the public for inspection. 8 principles - data must be... 1. Processed fairly and lawfully 2. Processed for specific purposes and in appropriate ways 3. Adequate, relevant and sufficient in relation to the purposes for which it is processed 4. Kept accurate and up-to-date 5. Kept only for as long as necessary 6. Processed in line with an individual’s rights 7. Protected by sufficient technical and organisational measures 8. Only transmitted to countries that have sufficient data protection controls Principles of the DPA 1st Principle Personal information must be FAIRLY and LAWFULLY processed • • • • Legitimate use Transparency Privacy Notices Fair processing Principles of the DPA 2nd Principle Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. • Be clear as to your reasons • Notify the ICO • Ensure prior consent Principles of the DPA 3rd Principle Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed • • • • What is the data used for? The nature of the information held How was the data obtained? Is all the data needed? Principles of the DPA 4th Principle Personal data shall be accurate, and where necessary, kept up to date. • Ensure clarity in where the data was obtained • Consider if accuracy might be challenged • Does this data need regularly updating? Principles of the DPA 5th Principle Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes. • • • • Reviewing / auditing your data regularly Establishing retention periods Current and future value of your data Keeping shared information Principles of the DPA 6th Principle Personal data shall be processed in accordance with the rights of data subjects under this Act. • Subject Access Requests • Direct marketing • Amend or destroy Principles of the DPA 7th Principle Appropriate technical or organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. • Who is responsible for your company’s data security? • Physical and technical security measures, i.e. Locked cupboards, data encryption • Sharing data with 3rd parties Principles of the DPA 8th Principle Personal data shall not be transferred to a country or territory outside of the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. • Does your data get processed outside of the UK? • Adequate levels of protection outside the EEA: Argentina Canada Guernsey Isle of Man Jersey Switzerland How The DPA Can Be Breached! NB: These are not mutually exclusive! • Sending personal information to the wrong recipient (emails and attachments) • Failing to keep sensitive personal information secure • Loss of unencrypted PCs/Laptops/Memory Sticks etc containing personal information • Loss of manual records containing personal information • Illegally obtaining personal information • Illegally selling-on personal information (or your staff selling it on) • Inappropriate access to records containing personal information • Inappropriate and inadequate security on systems, websites and transmitted data • Inappropriate disposal of IT equipment, manual records etc • Inadequate training of staff • Inadequate policies and procedures • Making unsolicited marketing calls • Not having an up-to-date Notification Privacy and Electronic Communications Regulations (2011) Sets out rules regarding the use of • Cookies • Traffic data • Location data • CLI (Calling Line Identification) • ACD (Automated Call Distribution) • Itemised billing • Directory of subscribers (and ex-directory) How The PECR Can Be Breached! NB: These are not mutually exclusive! • Unsolicited “cold” calling • Unsolicited e-mail or SMS broadcasting • Failure to gain consent to contact electronically • Calling TPS or mailing MPS registered people • Using cookies without first gaining consent • Poor ACD settings, contact centre call handling The ICO And Its Powers • • • • • • • • Serve information notices requiring organisations to provide the ICO with specified information within a certain time period; Issue undertakings committing an organisation to a particular course of action in order to improve its compliance; Serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law; Conduct consensual assessments (audits) to check organisations are complying; Serve assessment notices to conduct compulsory audits to assess whether organisations processing of personal data follows good practice (data protection only); Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010 or serious breaches of the Privacy and Electronic Communications Regulations; Prosecute those who commit criminal offences under the Act; and Report to Parliament on data protection issues of concern. Example Actions • Brighton and Sussex University Hospitals Trust £325,000 fine for the theft of computer hard drives that were sold on ebay. June 2012. • London Borough of Barnet £70,000 fine for theft of paper files from an employees’ home. April 2012. • Usha Patwal, given a two year conditional discharge and ordered to pay £614 prosecution costs for unlawfully accessing sister-in-law’s medical records. December 2011. • Merfyn Pugh Estate Agents, given a conditional discharge of six months and was ordered to pay £614 prosecution costs for failure to notify. December 2011. • Phoenix Nursery School, Wolverhampton, signed undertaking for losing a backup tape containing the personal details of 70 pupils and their parents or guardians. November 2011. • ACS Law, Spectrum Housing, North Somerset Council, Newcastle Youth Offending Team, Lush Cosmetics … Other Cases • • • • • • • • • • • • • • Oliver Letwin - dumping papers HMRC - loss of 25 million records Sony - hacking of 77 million credit card records A4E Ltd - theft of unencrypted laptop T Mobile – theft of phone contract details Marc Ben-Ezra - theft and re-sale of 65,000 gamblers’ records HSBC bank - 2010 employee stole account details of 24,000 people – Association of School and College Leaders - theft of laptop from home Holly Park School - unencrypted laptop stolen from an unlocked office Dartford and Gravesham NHS Trust - accidentally destroying 10,000 archived records Zurich Financial Services £2.275 million fine 46k records Google Inc – harvesting of WiFi Data News of the World Worcestershire County Council What steps can I take in order to comply? • • • • • • • • • • • • • Appoint a senior person to be responsible; Know what data you have, where it is, who has access to it; Correct ICO Notification(s); Think about and uphold the 8 Principles; Privacy Notices; Document key policies, procedures & processes (eg breach policy); Audit data security - implement technical & organisational measures; Staff Training and regular awareness raising – start a DP dialogue. Integrate into business as normal; Review, auditing & testing – monitor compliance; Privacy by design; System for information governance; External accreditation – ISO27001 / BS10012; Seek specialist help. What’s In It For Me • • • • • • • • • • Fines and regulatory action Negative PR / reputational damage Industrial espionage / theft by employees Is data your biggest asset? Risk management - a modern / better way of doing business Build trust and loyalty of customers Win B2B or government contracts Positive point of difference from competitors Staff morale Plan for the 2014 Legislation – Mandatory breach notification, European harmonisation, responsible person, powers of inspection, prohibition orders, bigger fines, custodial sentences. Any Questions? Philip Brining, Absolute Data Limited [email protected] 07775 660387 www.absolute-data.co.uk THANK YOU Case Studies • • • • • ACS Law Spectrum Housing Lush Cosmetics North Somerset County Council Newcastle Youth Offending Team Case Study 1 – ACS Law Which data protection principles have been compromised? Principle 7: The main issue highlighted in this case study is that ACS Law did not have appropriate security measures in place Principle 3,4: Questions could be raised regarding the relevance and accuracy of the data being used by the firm Principle 6: Due to the sensitive nature of the data in question, and questions about how reliable the data was, Principle 6 was compromised – was the data processed in accordance with the data subjects? ACS Law Avoidance Measures Recognise Risk: Know your enemy and recognise risk. Organised groups of people with a lot to lose through ACS’ activities. DP Procedures: Penetration testing and routine auditing of arrangements would have flagged up serious issues. DP Know your data: Very sensitive personal data that would cause distress and damage if were to be compromised. Buy-in expertise: Third party specialist firms would have identified areas of concern and helped ACS Law avoid issues or at least mitigate the effects of a security incident. Case Study 2 – Spectrum Housing Which data protection principles have been compromised? Principle 2: The data should never have been emailed in an excel spreadsheet format, thus the Act was automatically breached. Principle 7: As well as the document being emailed in the wrong format, it wasn’t encrypted either – meaning a compromise of Principle 7. Principle 1: Both of the above has meant that the data wasn’t processed fairly, or lawfully. Case Study 2 – Spectrum Housing Avoidance Measures Training: Staff should be aware that this practice is risky and to be avoided and there is a safer procedure. DP Procedures: Routine auditing of DP arrangements would have flagged up poor practice and lack of awareness. IT Measures: Protecting excel sheets is easy and free! Consider other means of transferring the data. Buy-in expertise: Third party specialist firms would have identified areas of concern and helped Spectrum Housing identify risks. Case Study 3 – Lush Which data protection principles have been compromised? Principle 7: The fact that the data wasn’t regularly security-checked and staff were not trained in this area of data protection sufficiently, meant that Principle 7 was compromised. Principle 1: The result of Principle 7 being compromised meant that Principle 1 was compromised too because the data wasn’t processed fairly or lawfully. Principles 4,5: Because Lush “failed to do regular security checks and did not fully meet industry standards relating to card payment security”, Questions need to be asked as to whether the data was kept accurate, up to date, and only for as long as necessary. Case Study 3 – Lush Avoidance Measures Recognise Risk: It is easier and more efficient to steal credit card details from retailers than consumers. DP Procedures: Penetration testing, security incident logging, and routine auditing of DP arrangements would have flagged up serious issues. Know your data: PCI DSS data is valuable and subject to criminal activity. Buy-in expertise: Third party specialist firms would have identified areas of concern and ensured that Lush avoided or at least mitigated the effects of a security incident. The PCI DSS standard sets out acceptable procedures. Case Study 4 – Worcestershire and North Somerset Councils Which data protection principles have been compromised? Principle 7: Lack of encryption measures and staff training in the communication of sensitive personal data meant that the councils were left open to (a) breach(es). Principle 1: As a result of the lack of training / technical measures, the data was not fairly nor lawfully processed, leading to a compromise of this principle. Principle 6: Because both of the above principles were compromised, it meant that principle 6 was also compromised – the data subjects’ rights were not considered. Case Study 4 – Worcestershire and North Somerset Councils Avoidance Measures Training: Train and undertake regular awareness raising with staff of the key issues within your business and their job scope. DP Procedures: Document the way to undertake certain tasks. Don’t leave it to chance or “common sense”. Know your data: Sensitive data needs special measures. Buy-in expertise: Third party specialist firms would have identified repeated procedural failures and heightened risk. Case Study 5 – Newcastle Youth Offending Team Which data protection principles have been compromised? Principle 7: Lack of encryption measures and staff training in the communication of sensitive personal data meant that the Youth Offending Team were left open to (a) breach(es). Principle 1: As a result of the lack of training / technical measures, the data was not fairly nor lawfully processed, leading to a compromise of this principle. Case Study 5 – Newcastle Youth Offending Team Avoidance Measures DP Agreements: Ensure third parties are subject to data processor or data sharing agreements. Due Diligence: Ensure that third parties also have sufficient measures in place to protect data YOU are responsible for – and audit them or have them audited by a specialist. Awareness : Ensure that all staff are aware of the risks and your procedures. Buy-in expertise: Third party specialist firms would have identified areas of concern and/or undertaken a sub contractor inspection.