Thanks to those who sent replies to my question:

"Suppose you are an organisation which is committed to protecting the
personal data you hold, but also recognises the reality that all systems
involving humans are fallible. Therefore you wish to also put in place
appropriate procedures for recovering should personal data be accidentally
disclosed. Are there any guidelines or best practices for such procedures?
I'm not thinking of "engage a PR consultant" here, but how should a
responsible data controller act in these circumstances?"

The replies I've received are below. I'm not sure I'm fully satisfied as a
result: we seem to be relying on "best efforts" at the moment rather than
"best practice". Maybe once we have finished implementing DPA1998 (only
joking!) this will get revisited.

All the best,
Andrew

======
         I think I read somewhere that the data subject about whom the
accidental disclosure was made should be informed.

         I note the Act states that data controllers should put in place
appropriate security measures with regard to "the harm that might result
from unauthorised or unlawful processing or from accidental loss or
destruction and damage of the personal data."

         This suggests that you would know the consequences for the data
subject beforehand and not have to find out after the event!

======
  The big problem with the DPA is that it is administrative law. There are
  two difficulties with this.  First, is the problem of definitions.  It is
  easy to define a theft (either you were caught with the stolen car or you
  were not) but how do you define "fair processing"?  Further, there is no
  complementary case law to guide the practitioner.  Given this situation,
  you can only provide best practice guidance and hope you don't make a
  #@*&^$-up!

  However, lest that sounds too depressing, here are some practical points.

  1. Staff at the front end of services are the first to encounter problems.
  They must be trained in DPA practical applications and be aware that they
  must resolve any user problems immediately.  If they can, they will avoid
  many later issues with the member of the public.  Difficulties really
  occur when problems are missed.  So concentrate on them.

  2. Managers must have a positive attitude to the DPA and to information
  management.  This concept takes the DPA a stage further.  All
  organisations use data (manual and electronic) and its planning,
  organisation, management and disposal are all part of information
  management.  If you manage your information well, you are unlikely to
  encounter DPA problems (and possibly HRA ones as well).

  3. You must have proper guidance in place.  This will be on two levels;
  high level management "directives" endorsed by your CX (or equivalent) and
  low level ones that are written in words of one syllable that provide
  something like a check list of points to remember.  (A public statement to
  your client group might also be an idea but beware of raising
  expectations.)

  4. Guidance is not the same as procedures and you must have these as well.
  There are obvious topics like what to do if you have a subject access
  request but you will need to look at your own operational requirements
  carefully to understand where you might need to provide line-by-line
  procedures.  (Information disposal is one that I'm pursuing here.) Here,
  there will probably be different procedures for different Departments as
  their operational needs may differ.

  Hope that helps.  At the end of the day, that memorable phrase "decent,
  legal, honest and truthful" is worth remembering.  I'm drumming this into
  staff here.  It's not difficult to be "decent, honest & truthful" with the
  public (or whatever is your client group) and if you do so while trying very
  hard with policies and procedures aimed at keeping you within the DPA
  rules, I don't think the Commissioner will be too displeased.  At worst
  you might get a rap over the knuckles if somebody drops the proverbial
  clanger.

======
Not sure if I have read your e-mail correctly.  Are you looking for advice
on disaster prevention and recovery?  Information falling under the 1998
Data Protection Act needs to be protected whatever the format, be it film,
paper, or electronic.  BSI publish a book -

PD00113:199 Records Management - A Guide to Disaster Prevention and
Recovery.  The temperatures and humidity need updating in line with the
UNESCO recommendations but the rest is OK.
--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS

Phone:  01235 822 302    E-mail: [log in to unmask]
Fax:    01235 822 398