Dear Dorin and Graham, It is interesting to read the discussion in the UK where you have a 1998 law, while we in Israel have started in 1981 and implemented 1986 secondary legislation (regulations in our legal terms, enacted by the Minister in Charge of the Law implementation - Justice Min. in Israel). In 1996 we already amended the law for direct mailing, Service Bureaus (3rd party processing data from various Data Controllers), definition of responsibilities and recently we deal with Transborder Data Flow, the Supervisory unit of the Data Protection Officer and Credit Profiling Service regulation. The 1986 regulation already nominated the General Manager (Chief Operating Officer) as the person responsible for the data bases. In addition we have required by law to appoint a Data Protection Officer for the organizations or Data Processing Centers who give services to the public in general (commercial and governmental). The GM usually delegates (by his right in law) the responsibility for individual "departmental" data bases to the head figures - which is the closest to be responsible for the CONTENT, not the operation of the computing facility (IT CIO). The permission for access must be granted by the Data Controller, as he is the one aware of the contents, sensitivity and "needs to know" of the personnel, customers etc. This applies to University, Hospital etc. Electoral Rolls, Social Security, NHS clinics and the likes. These "Data Controller" are non technical persons - also, naturally busy buddies. So the Data Protection Officer comes into the picture. He IS an IT person, who understands the system, the main applications and is skilled enough to manage the security tools in the computing base (e.g., NT, Oracle RDBMS, UNIX OS). His main task is to actually do the following: 1. Install or supervise installation of the computing base security tools e.g., Openview network management and monitor, NT solution from HP Virtual Vault and ancillary tools, or the similar HP-UX tools (advanced). Similar tools allow the management for Novel networks, SOLARIS-SUN, Unisys NT and UNIX. If you have a mainframe of IBM, it is another "opera" and VERY expensive. 2. These tools enable the Data Security Officer (DSO) to allocate various profiles of usage to certain persons in accordance with the security policy established (in writing) by the Data Controller. This includes temp or permanent detachment of people away from duty (again notice from Data Controller). This is multi-level security ISO 15408 and BS (I forgot the no.). This is a new task removed from the application programmers once and for all. They are the greatest vulnerability of any system. 3. The other duty is to observe the behavior of users "on-line" and their activities to detect (with the tools) discrepancies, deviations from habits of use (hours, breaks, reported absent and still "on-line" locally, attempts to deviate from permitted usage). Also investigation of heavy output or input from workstation or cyberspace, which has no reasonable explanation. Slowdown of operations, search of junk and offensive data "hosted" illegitimately (by students or hackers) in the system. 4. Investigation of alerts and detected discrepancies and preparation o report to Data Controller, Head of Security and collection of computer residing evidence for the Police or other authority, with due diligence for Privacy and Security of the data bases. 5. During this year, I have run lecture series in the College of Management in Tel-Aviv for 3 classes of 40 students of the Data Protection syllabus. It seems that even highly skilled Systems Administrators and DBA s are not conversant with the tools they have or may obtain for security, nor of the obligations and liabilities of their management and the Data Controllers. 6. If you have a group interested, I do not mind visiting UK for a week and provide you with the course or a seminar on "train the trainers" basis for DPO s. In this opportunity there should be time allowed for UK officers of the leading firms e.g., Microsoft, Novel, Oracle, HP, Compaq, Unisys etc. to let people get acquainted as users with the potential tools. 7. As a member of the Council for Protection of Privacy, as of 1986 (when established), I have escorted the implementation of the law in Israel, since. Being also a Law Graduate, I have dealt with most legal aspects and comparative Privacy and Computer Crimes Law in Israel. I have also instructed in 1988, the first Israeli DSO s who practiced as Inspectors for our DP Registrar, under my tutorial guidance. So it seems to me I can share with UK DSO s whatever we gained in Israel in the practice of Data Protection - legal and administrative aspects. I fell no need to "brag" about the "Start-up" leaders in IT Security leaders like Checkpoint (Firewall), BRM and Eliashim (Virus), Algorithms Research (encryption) etc. I am not promoting them jointly or individually commercially, only relying on their research and the IT practices in Israel. 8. I hope this is helpful...and shall be glad to answer your questions directly too. Best regards Yosi Margalit LL.B., CISA 19 Vitkin street Tel-Aviv 63474 Tel:03-5464642, Mobile:058-804368 FAX: 03-5463152 -----Original Message----- From: [log in to unmask] [mailto:[log in to unmask]]On Behalf Of Broom, Doreen Sent: Monday, July 03, 2000 11:54 AM To: [log in to unmask] Cc: [log in to unmask] Subject: RE: Who is your Data Protection Officer? 1. At my Council I am the Data Admiistrator (my main duties are ensuring that Scottish Borders Council complies fully with the Data Protection Act. This entails notifying the Commissioner for any new systems etc. as well as dealing with any data protection issues which may arise, developing codes of practice etc. Ultimately though a Senior Officer holds overall responsibility. Previously it was our Director of Central Services (who as you state was Head of Legal Services) and IT. At the moment as we presently have no Director of Central Services the responsibility is now with our Head of IT. 2. My Council at present has 2 notifications - one for ERO and one for the rest of the Council which includes all other Departments. Hope this helps. Doreen > -----Original Message----- > From: [log in to unmask] [SMTP:[log in to unmask]] > Sent: 02 July 2000 09:21 > To: [log in to unmask] > Cc: [log in to unmask] > Subject: Who is your Data Protection Officer? > > > As some of you may know I allowed myself to get talked into standing > for the local Council last year. What is even worse is that I ended up > being elected to both the Town and District Councils ;-) > > I would therefore be grateful for any comments on the following: > > 1. Who should be the Council's Data Protection Officer? > The District Council is proposing to allocate responsibility as Data > Protection Officer to the Head of Legal and Member Services (i.e. the > District Solicitor). > > My own view is that there should be a direct line of control between > the senior officer allocated responsibility for Data Protection and the > people actually dealing with data management (who work in the IT Dept). > Do others agree? What does your Council do? > > 2. Should there be a single registration? > There are currently 15 entries (grouped under headings like Housing > Management, Collection of Rates, Personnel/Employee Adminstration). It > is being proposed that the Council needs to be registered as a whole. > > My own view is that registration should be by type of contact (so you'd > probably end up with five separate registrations dealing with Electoral > Registration, Taxpayers, Employees, Suppliers and Services provided). > What do other Councils do? > > Cheers > Graham Smith ________________________________________________________________ This e-mail is privileged, confidential and subject to copyright. Any unauthorised use or disclosure of its contents is prohibited. The views expressed in this communication may not necessarily be the views held by the Scottish Borders Council. _________________________________________________________________ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%