Quantity of information put at risk? If your paper is 50 lines of 72 characters then a single 1.4MB floppy is about 400 sheets of (single-sided) paper.
The amount of paper represented by the original HMRC loss of 27M records doesn't bear thinking about - possibly why they didn't have a policy on "don't put it in the post" :(
Andrew
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz
> Sent: 16 June 2011 13:19
> To: [log in to unmask]
> Subject: Re: HMRC and personal data
>
> Jane,
> Good question. My first guess is that paper cannot be encrypted but a
> disk can. If you fail to encrypt the disk, even though you know the
> need, then you can be seen not to have taken reasonable steps.
>
> If there was a way to encrypt paper, as paper, then that would need to
> be considered. Ideally, if the information is sensitive personal (as
> opposed to personal information) I would expect a courier service to
> demonstrate the reasonable steps to keep information secure.
>
> So far as I can see, the breaches and the fines have been around
> sensitive personal information rather than just personal information.
>
> Happy to be corrected.
>
> Best,
>
> Lawrence
>
>
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Jane Holden
> Sent: 16 June 2011 13:02
> To: [log in to unmask]
> Subject: Re: [data-protection] HMRC and personal data
>
> This is probably a really stupid question so forgive me but I'm at a
> loss to see what the difference is between sending personal data in
> paper format via post and an unencrypted disc?
>
>
> Jane Holden
> Corporate Services Officer
> Legal Services
> Barrow-in-Furness Borough Council
> Town Hall, Duke Street
> Barrow-in-Furness
> Cumbria LA14 2LD
> Tel: 01229 876452
> Fax: 01229 876515
>
>
>
>
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Bailey, Trish
> Sent: 16 June 2011 12:56
> To: [log in to unmask]
> Subject: Re: [data-protection] HMRC and personal data
>
> Phil
>
> Your obligation is to the organisation you are working for as in the
> "eyes" of the law your org is the Data Controller and responsible for
> the transfer. I would personally (as far as possible) insist on a form
> of encryption for the transfer of data or alternatively (send it via
> Gov Connect - which would not require the encryption of the actual
> information.
>
> I would also be inclined to speak to ICO and explain your situation and
> ask what they can advise. Either way an acceptable method of transfer
> needs to be reached (its not that you are not cooperating but your
> organisation has obligations under DPA as well as everyone else).
>
> I absolutely astonished that HRMC are operating in this manner - it
> would appear lessons have not be learned.
>
> Many thanks
> Trish
> Trish-louise Bailey
> Audit & Assurance (Information Governance)
> (IG covers: Data Protection & Privacy, FOI, Information Security,
> Information Sharing & Confidentiality, Information & Records
> Management, Information Quality & Assurance)
> Telford & Wrekin Council
> Civic Offices
> Coach Central
> Telford
> TF3 4HD
> www.telford.gov.uk
>
> em: [log in to unmask] or [log in to unmask]
> tel: 01952 382537
> mb: 07528 969455
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
> Sent: 15 June 2011 17:24
> To: [log in to unmask]
> Subject: HMRC and personal data
>
> I have been consulted by my payroll team.
>
> I am told that HMRC require us to export P11d information (which from a
> tax perspective is about mileage claims and includes staff personal
> data), and this gets placed on floppy disk (cd's not allowed !) and
> sent "via post" to HMRC. As far as can be discerned there is no
> encryption being used. The HMRC website says that the files must not be
> "compressed" - whatever that means - and why, since there should never
> be any issues with lossless compression or encryption as the "original"
> file can be duplicated.
>
> Has anyone come across this. I am amazed, in view of history, that HMRC
> sanction this. I am still trying to get chapter & verse from HMRC but
> they are rather unresponsive at the moment. I can of course use a
> traceable courier service if it would place us in breach of our tax
> obligations to delay the info. , but even that places me in breach of
> our own policy which is now quite clear : "where possible avoid the use
> of removable media for the storage or transfer of personal data and
> where this is not possible use an appropriate level of encryption ".
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
> list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> -----------------------------------------------------------------------
> ---------------------------------------------
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom
> they are addressed. If you have received this email in error
> please notify the originator of the message.
>
> Any views expressed in this message are those of the individual
> sender, except where the sender specifies and with authority,
> states them to be the views of Telford & Wrekin Council.
>
> The content of this email has been automatically checked in
> conjunction with the relevant policies of Telford & Wrekin Council.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
> list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> Barrow Borough Council - Enhancing the economic and social future
> of the Borough.
>
> Think - UK businesses use 2 million tonnes of paper each year - do
> you really need to print this e-mail?
>
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual to whom it is
> addressed. Any view or opinions presented are solely of the author
> and do not necessarily represent those of Barrow Borough Council.
> If you are not the intended recipient you may not use, disclose,
> distribute, copy, print or rely on this e-mail. If you have received
> this e-mail in error please contact the sender.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
> list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> Help protect our environment by only printing this email if absolutely
> necessary. The information it contains and any files transmitted with
> it are confidential and are only intended for the person or
> organisation to whom it is addressed. It may be unlawful for you to
> use, share or copy the information, if you are not authorised to do so.
> If you receive this email by mistake, please inform the person who sent
> it at the above address and then delete the email from your system.
> Durham County Council takes reasonable precautions to ensure that its
> emails are virus free. However, we do not accept responsibility for any
> losses incurred as a result of viruses we might transmit and recommend
> that you should use your own virus checking procedures.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
> list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|