** Reply to note from Ian <[log in to unmask]> Tue, 29 Apr 2003 13:29:34 +0100
> I am sure the issue of DP compliance does not rest entirely with suppliers.
> In the example given, I have difficulty in identifying why any library
> management system is directly connected to an organisation's financial
> database whilst allowing access to the client's financial database.
Not attempting to answer the question of whether the librarian should know or not know, it may
be possible that the Library legitimately uses the same financial system for
imposing its fines (late returns, lost books etc.).
The question then becomes how many details of your financial transactions were
disclosed to the librarian and which staff of the library could have access to the
same details, e.g. the number of your credit card as opposed to whether you
paid by cheque or credit card.
> Financial systems do normally have strong security controls, including user
> access; considering that any access wider than necessary for the purpose is
> more likely due to an oversight or other reason. There is an indication of
> a possible database security problem, as much as access control within the
> application.
<snip>
> > Those involved in specifying IT systems need to be clear that the
> > DPA must be complied with. It is not always easy, as data
> > protection officer, to get the level of involvement that one
> > would like at the specification stage - nor to get one's views
> > accepted if they cause complications for the project (in cost
> > and/or time).
> >
> > Too many systems still give too wide an access to too much data
> > simply because there are no practical means provided of limiting
> > that access.
> >
I am tempted to say I agree with John's view above. You will also find that
whilst systems are specified, the suppliers fall over in trying to follow the
complexity of wanting controlled access both horizontally and vertically in a
system. I've seen a few blank faces when the needs are explained.
Regards
Charles
==============================================
Charles Christacopoulos, Management Information Officer,
Planning & Information, University of Dundee, Dundee, DD1 4HN,
Scotland, United Kingdom. Tel: 44(0)1382-344891. Fax: 44(0)1382-201604.
http://www.somis.dundee.ac.uk/
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html