I was asked an interesting question a while ago, which I hope this list may
be able to suggest answers to. So far no one else has!
Suppose you are an organisation which is committed to protecting the
personal data you hold, but also recognises the reality that all systems
involving humans are fallible. Therefore you wish to also put in place
appropriate procedures for recovering should personal data be accidentally
disclosed. Are there any guidelines or best practices for such procedures?
I'm not thinking of "engage a PR consultant" here, but how should a
responsible data controller act in these circumstances?
As a computer security person I'm continually reminding people to prepare
for things to go wrong, but so far I've not been able to find out anything
equivalent in the data protection area.
If anyone wishes their response to be private then please mail me direct
and I will summarise to the list.
Cheers,
Andrew
--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302
Fax: 01235 822 398