Email discussion lists for the UK Education and Research communities

DATA-PROTECTION Archives

data-protection@JISCMAIL.AC.UK


Subject: CoP - Security
From: Andrew Charlesworth <[log in to unmask]>
Reply-To: [log in to unmask]
Date: Thu, 1 Jun 2000 17:55:52 +0100


Request for comments

*Key*
<T> = title
<ST> = Subtitle
<R> = Recommendation

  
  <T> Security of data

<ST>Institutional Framework for Data Security

  A data subject may apply to the court for compensation if he/she
has suffered damage (financial loss or physical injury, and possibly
associated distress) because personal data have been lost or
destroyed or disclosed without the authority of the data user, or
access has been obtained to personal data without the authority of
the user. A court dealing with a claim for compensation will need to
consider if the institution has taken all reasonable care to prevent
the particular loss, destruction, disclosure or access.

HE and FE institutions are obliged under the 1998 Act to have in
place an institutional framework designed to ensure the security of
all personal data during the collection to destruction cycle. A key
current international benchmark for Information Security
Management Systems (ISMS) is BS7799. A framework that
meets this standard will provide a high level of compliance with the
1998 Act. Where complete compliance with BS7799 is infeasible
or unreasonable for all, or certain types of, institutional personal
data processing operations, certain minimum standards should still
be met.

Such standards should ensure:

 - a level of security appropriate to the risks represented by the
processing and the nature of the data to be protected.

 - that data security is assured no matter where or by whom data is
stored or processed and throughout the whole procedure, including
the transmission of data.

 - that there are clear lines of responsibility and the controller's
ultimate responsibility for data security is clearly understood.

<R>HE and FE institutions should, as a minimum, ensure that:

 - wherever possible, data are de-personalized, or coded, or
encrypted, with any key being kept securely.

 - Existing and proposed personal data processing operations are
evaluated to ascertain and evaluate all potential risks in order to
determine the cost, effectiveness and practicability of proposed
levels of security.

 - Appropriate levels of security are applied, commensurate with the
anticipated risks, and appropriate to the type of personal data held.

 - Agreed levels of security are applied, monitored and regularly
reported upon as regards their effectiveness

 - All staff are trained to take effective action to protect life, data
and equipment (in that order) in the event of disaster.

 - Competent people are assigned to be responsible for the
accuracy and integrity of personal data held in each part of an
institution’s personal data processing operations.

<ST>Employees and Student Security Training and Management

A primary part of any HE or FE institution’s personal data security
framework will be the effective training and management of its
employees and students in necessary security procedures. A
significant proportion of unauthorised disclosure of, and access to,
personal data occurs because employees and students are
unaware of, or fail to adhere to, existing institutional guidelines.
The potential consequences under the 1998 Act for institutions of
unauthorised disclosure of, and access to, personal data are such
that it is essential to both culture an institutional awareness of data
privacy rules, and to provide a verifiable mechanism for sanctions
for breach of those rules.

<R> HE and FE institutions should ensure that:

 - Employees and students dealing with personal data are aware of
the purposes for which the data has been collected, including the
parties to whom disclosure may legitimately be made, and are
aware that disclosure may not be made to other parties, unless
one of the exemptions in the Act applies.

 - Employees and students dealing with personal data have a
formal point of contact within the institution, such as a Data
Protection Officer, where they can refer requests for disclosure
under one of the exemptions in the Act (e.g. law enforcement)

 - Employees and students dealing with personal data are aware
that their access to personal data is for specified authorised
purposes only. Institutional regulations should provide that access
to personal data by employees and students for unauthorised
purposes (e.g. browsing of personal data) will be a disciplinary
offence

 - Employees and students are aware that casual access to
personal data by unauthorised persons (e.g. members of the
general public having access to personal data via VDU screens or
printouts), by act or omission, should not be permitted.
Institutional regulations should provide that acts or omission that
lead to unauthorised access or disclosure to unauthorised persons
will be a disciplinary offence.

 - Reasonable access control mechanisms, including where
appropriate the use of passwords, encryption, compartmentalised
access and access logs, are used to detect and prevent attempts
to access computer files through terminals or computer networks
without authorisation. Institutional regulations should provide that
failure to adhere to the correct use of applicable access control
mechanisms will be a disciplinary offence.

 - Basic security steps are taken to ensure that building perimeters
and internal sensitive areas are secure, and that the general public,
unescorted visitors, and unauthorized personnel be restricted from
areas where personal data is used.

 - Existing security controls are reviewed for improvement or
modification and that awareness programs, as well as policy and
guidelines be established to protect personal data.

<ST>Vendors, contractors, and suppliers

Vendors, contractors, and suppliers are often required to have
access to areas in which personal data may be stored or
processed. In certain circumstances, it may also be necessary to
allow contractors access to personal data (e.g. computer
engineers) in the course of maintenance or repair work.

<R> HE and FE institutions should ensure that contractors are:

 - Controlled, documented, and required to wear some form of
identification

 - Restricted from unnecessary admittance to areas where personal
data is held or processed

 - Required to sign nondisclosure agreements where access to
personal data is unavoidable
    
<R> HE and FE institutions should ensure that vendors and
suppliers are:

 - Controlled, documented, and required to wear some form of
identification

 - Escorted throughout the general premises by the person they are
visiting

 - Restricted from unnecessary admittance to areas where personal
data is held or processed

<R> Employees and students should be advised to challenge, or
report to security, individuals found in areas where personal data is
held or processed without proper credentials.

<ST> Transfer of personal data

Reasonable precautions must be taken when transferring personal
data in either hardcopy or electronic form. HE and FE institutions
should not assume that documents transferred by electronic
means (e.g. e-mail, WWW, FTP) are secure, and thus information
containing personal data, and in particular sensitive personal data,
should be encrypted before transmission.

<R> HE and FE institutions should ensure that personal data is
transferred under conditions of security commensurate with the
anticipated risks, and appropriate to the type of personal data held

<ST>Employee and student use of personal data on home
computers or at remote sites.

Employees and students should take particular care when laptop
computers or personal machines are used to process institutional
personal data at home or in other locations (e.g. in public places,
or on public transport) outside the institution.

<R> Employees and students should be required to ensure that
when processing institutional personal data at home or in other
locations:

 - they take reasonable precautions to ensure that the data is not
accessed, disclosed or destroyed as a result of act or omission on
their part.

 - they have an up-to-date virus scanning program installed on
laptop computers or personal machines and scan all disks for
viruses prior to loading.

 - they back up system hard drives to avoid loss of data.

 - they report all computer security incidents including virus
infections to the institution

 - when using laptops they:

 -- keep the laptop constantly in view when travelling, especially in
airports;

 -- store the laptop in the boot of a vehicle in which it is left
unattended

 -- do not check the laptop as baggage unless it is placed inside
luggage that has been locked

 -- record the model number and serial number of each hardware
component associated with the laptop and keep this information in
a separate location

 -- notify the institution immediately in the event of loss or theft

<ST>Back-up of personal data

  Loss or destruction of personal data may have severe
consequences for the operations of HE and FE institutions, in
addition to their incurring liability to individuals who have suffered
damage or distress as a result of the loss or destruction of their
personal data. Disaster recovery plans are thus an essential part
of any institutional data protection framework.

<R> HE and FE institutions should ensure that:

 - A workable disaster recovery mechanism is in place for all
personal data processing operations where it would be reasonable,
by virtue of the importance of the personal data, for such a
mechanism to be implemented.

 - There are provisions for frequent back-up or duplicate copies of
all personal data produced in personal data processing operations
at an institution to be made, and securely stored, in a location
wholly separate from that of primary data source (e.g. off-site).

 - There are designated personnel tasked with the responsibility of
ensuring the recovery of personal data, and establishing its
accuracy and integrity, within a reasonable time following any
disaster.

<ST>Migration or upgrade plans

  Changes to an institution’s hardware or software systems may
result in personal data becoming inaccessible or unreadable due to
incompatibility between data formats meaning that the institution
cannot properly ensure the data’s accuracy and integrity.

<R> HE and FE institutions should ensure that:

 - future migration or upgrade plans for institutional systems are
documented to address the potential effect of hardware, software
and operating system upgrades, or obsolescence, on personal
data processing operations.

 - Successful data transfer tests of existing personal data to new
systems or file formats are carried out before those systems go
live, and old systems are discarded

<ST>Disposal of Data

  The proper disposal of personal data should be the final element in
an institutional framework designed to ensure the security of
personal data. The method of disposal should be appropriate to
the sensitivity of the personal data to be destroyed. The minimum
standard for the destruction of paper and microfilm documentation
should be shredding; paper and microfilm documentation
containing sensitive personal data should be horizontally and
vertically shredded or incinerated. The minimum standard for the
destruction of data stored in electronic form should be reformatting
or overwriting, and electronic storage media containing sensitive
personal data should be overwritten to [what] standard or
destroyed.
    
<R> HE and FE institutions should ensure that:
    
 - All paper or microfilm documentation containing personal data is
permanently destroyed by shredding or incinerating, depending on
the sensitivity of the personal data.

 - All computer equipment or media to be sold or scrapped have
had all personal data completely destroyed, by re-formatting,
over-writing, or degaussing.

 - Employees and students are provided with guidance as to the
correct mechanisms for disposal of different types of personal data
and regular audits should be carried out to ensure that this
guidance is adhered to. In particular, employees and students
should be made aware that erasing electronic files does not equate
to destroying them.

<R> Where disposal of equipment or media is contracted to a third
party, HE and FE institutions should ensure that the contract
contains a term requiring the third party to ensure that all personal
data is completely destroyed, and permitting the institution to audit
the third party’s performance of that term at regular intervals



Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387 Fax: 01482 466388
E-mail: [log in to unmask]

