Transcript of DPA seminar presentation

Are you a prisoner of outdated data handling processes?

DATA PROTECTION SEMINAR – THURSDAY 30 JULY 2015

Data Protection: Maximum Security

Shauna Dunlop, NI Group Manager, 30 July 2015

Data Protection Act 1998

Why comply?

Legal requirement

Financial implications

Reputational implications

Data Protection Act 1998

• Principles & Privacy

• Key Definitions

• Principles in Detail

• What the Act says about Security

• Individual Rights

• Latest from Europe

Personal Data

Personal data is not just a person’s name

It is any information that relates to or identifies a person and:

Is held on a computer

Is intended to be held on a computer

Forms part of a ‘relevant filing system’

Forms part of an ‘accessible record’ (information relating to health or education)

Category ‘e’ data (Public Authorities only)

Information Rights Affect Us All

Fair and lawful

Adequate, relevant and not excessive

Accurate and up to date

Kept for no longer than necessary

Individuals' rights

Security

How does it go wrong?

Transfers outside EEA

CAUTION: Prevent a data breach

Privacy and Electronic Communications Regulations

Doing ‘Big Data’ is possible, legal compliance is essential, inspiring public trust and confidence is indispensable

FOI and open data – adding value together

http://greatbritishpublictoiletmap.rca.ac.uk/

Data Protection Regulation

Update from Europe

Key factors

• Plan ahead

• Compliance

• Reputation

Contact us:

ICO 3rd Floor

14 Cromac Place, Belfast BT7 2JB

0303 123 [email protected]

www.ico.org.uk

A ‘Get Out of Jail Card’ - How to Prevent Data Breaches

Clare Bates, 30th July 2015

Introduction

• Imprisoned by bad habits?

• Practical examples

• What went wrong?


• How to set yourself free!

Recent Press Coverage

Human Error

Mistakes can happen:

• Wrong address

• Documents left behind

What moves can you make:

• Culture of awareness - training

• Proper policies

• Recruit the right people

Insider Attack

Reliable employees?

• Client data

• Disgruntled employees

What moves can you make:

• Risk-based approach to levels of security

• Ensure correct physical and technical security

Technology

How do you manage your technology?

• External access to your network

• BYOD

• Encryption

What moves can you make:

• IT and internet use policy

• BYOD policy

Data Retention & Destruction

What is the risk?

• Appropriate storage

• What is the retention period? - no longer than is necessary

• Sensitive personal data on waste ground

What moves can you make:

• Clear guidelines for different data

• Test your policy - audit compliance

Consequences of Breach?

Potential consequences:

• Adverse publicity

• Criminal liability

• Regulatory action

• Missed opportunities and wasted resources

• Protracted litigation

Breach Management

Assemble the breach team and determine -

• The nature and cause of the breach

• The extent of the damage/harm

• How to stop or mitigate the breach

• Any breach of contract/disciplinary issues?

• Audit for improvement

A ‘Get Out of Jail Card’ - How to prevent Data Breaches

Any questions?

[email protected]

Choosing The Right Partner for Data Protection Compliance Services

Alistair Dicken, Corporate Sales Director – PHS Data Solutions

Crumlin Road Gaol, Belfast, Thursday 30th July 2015

The 3 “C”s

1. Credibility

2. Compliance

3. Culture

Credibility

1. Are they a recognised brand? Have you, or someone you know, used them before?

2. Do they service similar size/type customers? References?

3. Are they registered? Companies House, VAT registered, etc.

4. Do they have a physical facility for you to visit?

Credibility

Trade Body Memberships (Examples)

Compliance

Records Management Services

1. ISO/IEC 27001 – Information Security Management. Includes Data, Documents, Messages, Communications, Conversations, Transmissions, Recordings, Drawings, and Photographs

2. ISO 9001 – Quality Management

3. ISO 14001 – Environmental Management

Compliance

Shredding Services

1. BS EN 15713 – Code of Practice for Secure Destruction of Confidential Material: Staff Vetting, Premises Security, Vehicle Security, Handling and Processing; Agreement in Writing, Collection Certificates, Destruction Certificates

2. CPNI Approved Shredding: Government Approval for handling & shredding TOP SECRET Classified documents (higher staff vetting, smaller shred size, etc.)

Culture

1. Strong Customer Service Ethos

2. Scope of Service Provision

3. Health & Safety Focus

4. Staff Vetting, Training & Development

5. Investors in Technology & Innovation

Any Questions?