Dear Dorin and Graham,
It is interesting to read the discussion in the UK where you have a 1998
law, while we in Israel have started in 1981 and implemented 1986 secondary
legislation (regulations in our legal terms, enacted by the Minister in
Charge of the Law implementation - Justice Min. in Israel). In 1996 we
already amended the law for direct mailing, Service Bureaus (3rd party
processing data from various Data Controllers), definition of
responsibilities and recently we deal with Transborder Data Flow, the
Supervisory unit of the Data Protection Officer and Credit Profiling Service
regulation.
The 1986 regulation already nominated the General Manager (Chief Operating
Officer) as the person responsible for the data bases. In addition we have
required by law to appoint a Data Protection Officer for the organizations
or Data Processing Centers who give services to the public in general
(commercial and governmental).
The GM usually delegates (by his right in law) the responsibility for
individual "departmental" data bases to the head figures - which is the
closest to be responsible for the CONTENT, not the operation of the
computing facility (IT CIO). The permission for access must be granted by
the Data Controller, as he is the one aware of the contents, sensitivity and
"needs to know" of the personnel, customers etc. This applies to University,
Hospital etc. Electoral Rolls, Social Security, NHS clinics and the likes.
These "Data Controller" are non technical persons - also, naturally busy
buddies. So the Data Protection Officer comes into the picture. He IS an IT
person, who understands the system, the main applications and is skilled
enough to manage the security tools in the computing base (e.g., NT, Oracle
RDBMS, UNIX OS). His main task is to actually do the following:
1. Install or supervise installation of the computing base security tools
e.g., Openview network management and monitor, NT solution from HP Virtual
Vault and ancillary tools, or the similar HP-UX tools (advanced). Similar
tools allow the management for Novel networks, SOLARIS-SUN, Unisys NT and
UNIX. If you have a mainframe of IBM, it is another "opera" and VERY
expensive.
2. These tools enable the Data Security Officer (DSO) to allocate various
profiles of usage to certain persons in accordance with the security policy
established (in writing) by the Data Controller. This includes temp or
permanent detachment of people away from duty (again notice from Data
Controller). This is multi-level security ISO 15408 and BS (I forgot the
no.). This is a new task removed from the application programmers once and
for all. They are the greatest vulnerability of any system.
3. The other duty is to observe the behavior of users "on-line" and their
activities to detect (with the tools) discrepancies, deviations from habits
of use (hours, breaks, reported absent and still "on-line" locally, attempts
to deviate from permitted usage). Also investigation of heavy output or
input from workstation or cyberspace, which has no reasonable explanation.
Slowdown of operations, search of junk and offensive data "hosted"
illegitimately (by students or hackers) in the system.
4. Investigation of alerts and detected discrepancies and preparation o
report to Data Controller, Head of Security and collection of computer
residing evidence for the Police or other authority, with due diligence for
Privacy and Security of the data bases.
5. During this year, I have run lecture series in the College of Management
in Tel-Aviv for 3 classes of 40 students of the Data Protection syllabus. It
seems that even highly skilled Systems Administrators and DBA s are not
conversant with the tools they have or may obtain for security, nor of the
obligations and liabilities of their management and the Data Controllers.
6. If you have a group interested, I do not mind visiting UK for a week and
provide you with the course or a seminar on "train the trainers" basis for
DPO s. In this opportunity there should be time allowed for UK officers of
the leading firms e.g., Microsoft, Novel, Oracle, HP, Compaq, Unisys etc. to
let people get acquainted as users with the potential tools.
7. As a member of the Council for Protection of Privacy, as of 1986 (when
established), I have escorted the implementation of the law in Israel,
since. Being also a Law Graduate, I have dealt with most legal aspects and
comparative Privacy and Computer Crimes Law in Israel. I have also
instructed in 1988, the first Israeli DSO s who practiced as Inspectors for
our DP Registrar, under my tutorial guidance. So it seems to me I can share
with UK DSO s whatever we gained in Israel in the practice of Data
Protection - legal and administrative aspects. I fell no need to "brag"
about the "Start-up" leaders in IT Security leaders like Checkpoint
(Firewall), BRM and Eliashim (Virus), Algorithms Research (encryption) etc.
I am not promoting them jointly or individually commercially, only relying
on their research and the IT practices in Israel.
8. I hope this is helpful...and shall be glad to answer your questions
directly too.
Best regards
Yosi Margalit LL.B., CISA
19 Vitkin street
Tel-Aviv 63474
Tel:03-5464642, Mobile:058-804368
FAX: 03-5463152
-----Original Message-----
From: [log in to unmask]
[mailto:[log in to unmask]]On Behalf Of Broom, Doreen
Sent: Monday, July 03, 2000 11:54 AM
To: [log in to unmask]
Cc: [log in to unmask]
Subject: RE: Who is your Data Protection Officer?
1. At my Council I am the Data Admiistrator (my main duties are ensuring
that Scottish Borders Council complies fully with the Data Protection Act.
This entails notifying the Commissioner for any new systems etc. as well as
dealing with any data protection issues which may arise, developing codes of
practice etc. Ultimately though a Senior Officer holds overall
responsibility. Previously it was our Director of Central Services (who as
you state was Head of Legal Services) and IT. At the moment as we presently
have no Director of Central Services the responsibility is now with our Head
of IT.
2. My Council at present has 2 notifications - one for ERO and one for the
rest of the Council which includes all other Departments.
Hope this helps.
Doreen
> -----Original Message-----
> From: [log in to unmask] [SMTP:[log in to unmask]]
> Sent: 02 July 2000 09:21
> To: [log in to unmask]
> Cc: [log in to unmask]
> Subject: Who is your Data Protection Officer?
>
>
> As some of you may know I allowed myself to get talked into standing
> for the local Council last year. What is even worse is that I ended up
> being elected to both the Town and District Councils ;-)
>
> I would therefore be grateful for any comments on the following:
>
> 1. Who should be the Council's Data Protection Officer?
> The District Council is proposing to allocate responsibility as Data
> Protection Officer to the Head of Legal and Member Services (i.e. the
> District Solicitor).
>
> My own view is that there should be a direct line of control between
> the senior officer allocated responsibility for Data Protection and the
> people actually dealing with data management (who work in the IT Dept).
> Do others agree? What does your Council do?
>
> 2. Should there be a single registration?
> There are currently 15 entries (grouped under headings like Housing
> Management, Collection of Rates, Personnel/Employee Adminstration). It
> is being proposed that the Council needs to be registered as a whole.
>
> My own view is that registration should be by type of contact (so you'd
> probably end up with five separate registrations dealing with Electoral
> Registration, Taxpayers, Employees, Suppliers and Services provided).
> What do other Councils do?
>
> Cheers
> Graham Smith
________________________________________________________________
This e-mail is privileged, confidential and subject to copyright.
Any unauthorised use or disclosure of its contents is prohibited.
The views expressed in this communication may not necessarily
be the views held by the Scottish Borders Council.
_________________________________________________________________
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
