I am sure the issue of DP compliance does not rest entirely with suppliers.
In the example given, I have difficulty in identifying why any library
management system is directly connected to an organisation's financial
database whilst allowing access to the client's financial database.
Financial systems do normally have strong security controls, including user
access; considering that any access wider than necessary for the purpose is
more likely due to an oversight or other reason. There is an indication of
a possible database security problem, as much as access control within the
application.
Whilst recognising that the financial sector have specific difficulties in
recognising DP compliance themselves, unless, the same as many, their own
vested interests are concerned, it does seem unnecessary for that type of
sector-wide access to client financial data to be spread into other
sectors.
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of J F Hitches
> Sent: Tuesday, April 29, 2003 11:56 AM
> To: [log in to unmask]
> Subject: A higher education finance query
>
>
> The whole question of access to financial, and other information,
> on IT systems highlights the widespread difficulty that still
> exists in getting systems suppliers to recognise that they need
> to take the DPA into account in developing systems.
>
> I am seeing greater recognition of the need for DPA functionality
> in order to meet Subject Access Requests but ask about DPA
> compliancy in other aspects and blank looks still come to the
> fore!
>
> Those involved in specifying IT systems need to be clear that the
> DPA must be complied with. It is not always easy, as data
> protection officer, to get the level of involvement that one
> would like at the specification stage - nor to get one's views
> accepted if they cause complications for the project (in cost
> and/or time).
>
> Too many systems still give too wide an access to too much data
> simply because there are no practical means provided of limiting
> that access.
>
> John Hitches
> General Administrative Manager
> Kingston University
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^