Top 10 Tips for Data Protection Compliance
- Slides: 22

Top 10 Tips for Data Protection Compliance
William Malcolm, Senior Associate

Overview
- What I will cover:
  - Ten high-risk areas to address in order to mitigate the risk of enforcement action.
- What I won't cover:
  - What to do when it all goes wrong; this will be covered elsewhere today.
1. Check Your Encryption Programme
- Portable and mobile devices used to store and transmit personal data should be suitably encrypted.
- Where encryption software has not been used to protect the data, the ICO will take enforcement action.
- Recommendation: approved encryption software.
- Encryption standards are always evolving; the ICO recommends the current standard.

In the News
- PRIVACY WATCHDOG TAKES ACTION AFTER THOUSANDS OF HEALTH RECORDS ARE STOLEN: theft of an unencrypted laptop containing sensitive personal information in a retinal screening vehicle.
- BIRMINGHAM SCHOOL TO IMPROVE DATA PROTECTION: theft of an unencrypted laptop containing the personal data of 984 pupils and 186 members of staff, including sensitive personal data.
- ACTION TAKEN AFTER DETAILS OF 110,000 INDIVIDUALS ARE STOLEN: theft of a laptop computer containing the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 individuals and the bank details of around 18,000 individuals.
2. Manage Your Supply Chain
- Review existing high-risk / high-value contracts with suppliers.
- Insist on supplier best practice.
- Project-specific information security plans are becoming more common.
- More internal and external security audits.

The 7th Principle
- "Appropriate technical and organisational measures", judged against:
  - State of technology
  - Cost
  - Nature of the data
  - Harm

3. Put in Place a Breach Management Plan
- Investigate
- Notify regulators?
- Notify customers?
- PR management
- Response plan
4. Check Status of Group Notifications
- Organisations that process personal information must notify the Information Commissioner's Office.
  - A £500 notification fee applies to data controllers with a turnover of over £25.9m and 250 or more members of staff, or a public authority with 250 or more members of staff.
  - All other data controllers must pay £35 per annum unless they are exempt.
- It is a criminal offence to process personal data without having notified the Information Commissioner.
- Fines for failing to notify can be unlimited.

In the News
- RECRUITMENT FIRMS PAY THE PRICE FOR NON-NOTIFICATION: the failure to pay a £35 fee has led two recruitment firms to incur costs and fines of over £2,500 after they were successfully prosecuted by the ICO for offences under the Data Protection Act.
- ACCOUNTANCY FIRM HIT FOR £1,776.40: the prosecution follows the firm's failure to notify as a data controller despite repeated reminders from the ICO of its obligations under the Data Protection Act.
- NEW NOTIFICATION FEES INTRODUCED: from 1 October 2009 a new notification fee of £500 will apply to some large organisations to register as a data controller. The new rate applies to data controllers with a turnover of £25.9 million and 250 or more members of staff.
5. Check Privacy Policy / DP Notices
- Before you collect:
  - Who wants to use the data?
    - Joint ventures
    - Legal/regulatory bodies
    - Other third parties
  - What do they want to use the data for?
    - Providing products/services
    - Employing staff
    - Marketing
    - Fraud prevention
    - Data aggregation and profiling

Fair Processing Notice
- How does the customer provide the data?
- Information must be given at the point of collection:
  - Data protection notice
  - Privacy policy
  - Telephone scripts
  - Application forms
6. Look Critically at Data Sharing Projects
- Analyse the proposal: what are the key issues?
  - Notice to individuals
  - Data quality
  - Governance and control
  - Individual rights
  - Retention
  - Safeguards
- Establish standards and mechanisms to deliver governance for the life of the project.

Use of Protocols
- Check that the protocol covers all the essential areas of concern.
- Carry out a risk assessment / due diligence:
  - Do both parties have powers to share?
  - Have compliance obligations been met?
- Agree specifically those matters which involve compliance with Data Protection obligations and Human Rights Act matters.
- Consider data quality.
- Audit controls.
- New datasets emerging.
- Remember the purpose of the protocol is to provide an effective administrative and governance regime.

- Who benefits most from the data-sharing initiative? The State or the individual whose data are shared?
- Who are the parties involved?
- What do they wish to be able to do with the information?
- How will the system work? (e.g. will the third party want to keep the data? How many people will have access to it?)
- Will there be a new dataset?
- What will the governance arrangements be?
7. Ensure Regular Audit Process
- Regular audit of compliance is key to ensuring compliance with existing privacy laws.
- An audit will:
  - Confirm compliance with the data protection laws and your in-house data protection policies
  - Identify potential gaps and weaknesses in your policies
  - Increase data protection awareness amongst management and staff
  - Provide information for continued review of data protection policies
  - Improve customer satisfaction and confidence
  - Reduce the likelihood of complaints

8. Consider Use of National Standards
- BS 10012:2009 Data Protection: Specification for a personal information management system.
- The objective is to enable organisations to put in place a personal information management system.
- Framework for maintaining and improving compliance.
- Focuses on:
  - organisational culture,
  - audit,
  - continuous improvement

An International Standard?
- The Conference of Privacy and Data Protection Commissioners 2008 mandated the establishment of a working group, composed of data protection authorities, to draft and submit a joint proposal for setting international standards on privacy and personal data protection.
- This proposal is to draw on the principles and rights related to the protection of personal data in the different geographic environments of the world.
- Reference to legal and other texts that have attracted a wide degree of consensus in regional and international forums.
9. Staff Training
- Highlight individual and collective responsibilities.
- Improve overall awareness of Data Protection procedure.
- Induction training and refreshers to cover applicable standards.

What to Cover
- Data Protection Principles
- Who is responsible for DP?
- Relevant rules and policies
- Practical application:
  - What to record
  - How to record
  - Why record
  - How to validate data
  - How to update data

10. Use Privacy Impact Assessments
- Toolkits on the ICO website.
- Need not take long or be complex.
- Mainstream with existing processes.
Any Questions?
Working hard to make it easier
LONDON DUBAI BEIJING SHANGHAI HONG KONG SINGAPORE
OTHER UK LOCATIONS: BIRMINGHAM BRISTOL EDINBURGH GLASGOW LEEDS MANCHESTER
Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) and regulated by the Solicitors Regulation Authority. A list of the members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP's registered office: CityPoint, One Ropemaker Street, London, EC2Y 9AH, United Kingdom. For important regulatory information please visit: www.pinsentmasons.com.
© Pinsent Masons LLP 2008 www.pinsentmasons.com