Thanks to those who sent replies to my question:
"Suppose you are an organisation which is committed to protecting the
personal data you hold, but also recognises the reality that all systems
involving humans are fallible. Therefore you wish to also put in place
appropriate procedures for recovering should personal data be accidentally
disclosed. Are there any guidelines or best practices for such procedures?
I'm not thinking of "engage a PR consultant" here, but how should a
responsible data controller act in these circumstances?"
The replies I've received are below. I'm not sure I'm fully satisfied as a
result: we seem to be relying on "best efforts" at the moment rather than
"best practice". Maybe once we have finished implementing the DPA 1998 (only
joking!) this will get revisited.
All the best,
Andrew
======
I think I read somewhere that the data subject about whom the
accidental disclosure was made should be informed.
I note the Act states that data controllers should put in place
appropriate security measures with regard to "the harm that might result
from unauthorised or unlawful processing or from accidental loss or
destruction and damage of the personal data."
This suggests that you would know the consequences for the data
subject beforehand and not have to find out after the event!
======
The big problem with the DPA is that it is administrative law. There are
two difficulties with this. First, is the problem of definitions. It is
easy to define a theft (either you were caught with the stolen car or you
were not) but how do you define "fair processing"? Further, there is no
complementary case law to guide the practitioner. Given this situation,
you can only provide best practice guidance and hope you don't make a
#@*&^$-up!
However, lest that sounds too depressing, here are some practical points.
1. Staff at the front end of services are the first to encounter problems.
They must be trained in DPA practical applications and be aware that they
must resolve any user problems immediately. If they can, they will avoid
many later issues with the member of the public. Difficulties really
occur when problems are missed. So concentrate on them.
2. Managers must have a positive attitude to the DPA and to information
management. This concept takes the DPA a stage further. All
organisations use data (manual and electronic) and its planning,
organisation, management and disposal are all part of information
management. If you manage your information well, you are unlikely to
encounter DPA problems (and possibly HRA ones as well).
3. You must have proper guidance in place. This will be on two levels;
high level management "directives" endorsed by your CX (or equivalent) and
low level ones that are written in words of one syllable that provide
something like a check list of points to remember. (A public statement to
your client group might also be an idea but beware of raising
expectations.)
4. Guidance is not the same as procedures and you must have these as well.
There are obvious topics like what to do if you have a subject access
request but you will need to look at your own operational requirements
carefully to understand where you might need to provide line-by-line
procedures. (Information disposal is one that I'm pursuing here.) Here,
there will probably be different procedures for different Departments as
their operational needs may differ.
Hope that helps. At the end of the day, that memorable phrase "decent,
legal, honest and truthful" is worth remembering. I'm drumming this in to
staff here. It's not difficult to be "decent, honest & truthful" with the
public (or whatever is your client group) and if you do so while trying very
hard with policies and procedures aimed at keeping you within the DPA
rules, I don't think the Commissioner will be too displeased. At worst
you might get a rap over the knuckles if somebody drops the proverbial
clanger.
======
Not sure if I have read your e-mail correctly. Are you looking for advice
on disaster prevention and recovery? Information falling under the 1998
Data Protection Act needs to be protected whatever the format be it film,
paper, or electronic. BSI publish a book -
PD00113:199 Records Management - A Guide to Disaster Prevention and
Recovery. The temperatures and humidity need updating in line with the
UNESCO recommendations but the rest is OK.
--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302 E-mail: [log in to unmask]
Fax: 01235 822 398