
Subject: CoP - Security
From: Andrew Charlesworth <[log in to unmask]>
Reply-To: [log in to unmask]
Date: Thu, 1 Jun 2000 17:55:52 +0100
Content-Type: text/plain

Request for comments 

*Key* 
<T> = title 
<ST> = Subtitle 
<R> = Recommendation

<T> Security of data

<ST> Institutional Framework for Data Security

  A data subject may apply to the court for compensation if he/she 
has suffered damage (financial loss or physical injury, and possibly 
associated distress) because personal data have been lost or 
destroyed or disclosed without the authority of the data user, or 
access has been obtained to personal data without the authority of 
the user. A court dealing with a claim for compensation will need to 
consider if the institution has taken all reasonable care to prevent 
the particular loss, destruction, disclosure or access.

HE and FE institutions are obliged under the 1998 Act to have in 
place an institutional framework designed to ensure the security of 
all personal data during the collection to destruction cycle. A key 
current international benchmark for Information Security 
Management Systems (ISMS) is BS7799.  A framework that 
meets this standard will provide a high level of compliance with the 
1998 Act.  Where complete compliance with BS7799 is infeasible 
or unreasonable for all, or certain types of, institutional personal 
data processing operations, certain minimum standards should still 
be met.

Such standards should ensure:

 - a level of security appropriate to the risks represented by the 
processing and the nature of the data to be protected.

 - that data security is assured no matter where or by whom data is 
stored or processed and throughout the whole procedure, including 
the transmission of data.

 - that there are clear lines of responsibility and the controller's 
ultimate responsibility for data security is clearly understood. 

<R> HE and FE institutions should, as a minimum, ensure that:

 - Wherever possible, data are de-personalized, or coded, or 
encrypted, with any key being kept securely. 

 - Existing and proposed personal data processing operations are 
evaluated to ascertain and evaluate all potential risks in order to 
determine the cost, effectiveness and practicability of proposed 
levels of security.

 - Appropriate levels of security are applied, commensurate with the 
anticipated risks, and appropriate to the type of personal data held.

 - Agreed levels of security are applied, monitored and regularly 
reported upon as regards their effectiveness. 

 - All staff are trained to take effective action to protect life, data 
and equipment (in that order) in the event of disaster.

 - Competent people are assigned to be responsible for the 
accuracy and integrity of personal data held in each part of an 
institution’s personal data processing operations.

<ST> Employee and Student Security Training and Management

A primary part of any HE or FE institution’s personal data security 
framework will be the effective training and management of its 
employees and students in necessary security procedures.  A 
significant proportion of unauthorised disclosure of, and access to, 
personal data occurs because employees and students are 
unaware of, or fail to adhere to, existing institutional guidelines.  
The potential consequences under the 1998 Act for institutions of 
unauthorised disclosure of, and access to, personal data are such 
that it is essential both to cultivate an institutional awareness of data 
privacy rules, and to provide a verifiable mechanism for sanctions 
for breach of those rules. 

<R> HE and FE institutions should ensure that:

 - Employees and students dealing with personal data are aware of 
the purposes for which the data has been collected, including the 
parties to whom disclosure may legitimately be made, and are 
aware that disclosure may not be made to other parties, unless 
one of the exemptions in the Act applies.  

 - Employees and students dealing with personal data have a 
formal point of contact within the institution, such as a Data 
Protection Officer, to whom they can refer requests for disclosure 
under one of the exemptions in the Act (e.g. law enforcement).

 - Employees and students dealing with personal data are aware 
that their access to personal data is for specified authorised 
purposes only.  Institutional regulations should provide that access 
to personal data by employees and students for unauthorised 
purposes (e.g. browsing of personal data) will be a disciplinary 
offence.

 - Employees and students are aware that casual access to 
personal data by unauthorised persons (e.g. members of the 
general public having access to personal data via VDU screens or 
printouts), by act or omission, should not be permitted.  
Institutional regulations should provide that acts or omission that 
lead to unauthorised access or disclosure to unauthorised persons 
will be a disciplinary offence.

 - Reasonable access control mechanisms, including where 
appropriate the use of passwords, encryption, compartmentalised 
access and access logs, are used to detect and prevent attempts 
to access computer files through terminals or computer networks 
without authorisation. Institutional regulations should provide that 
failure to adhere to the correct use of applicable access control 
mechanisms will be a disciplinary offence.

 - Basic security steps are taken to ensure that building perimeters 
and internal sensitive areas are secure, and that the general public, 
unescorted visitors, and unauthorized personnel are restricted from 
areas where personal data is used. 

 - Existing security controls are reviewed for improvement or 
modification, and awareness programs, as well as policy and 
guidelines, are established to protect personal data.

<ST>Vendors, contractors, and suppliers

Vendors, contractors, and suppliers are often required to have 
access to areas in which personal data may be stored or 
processed.  In certain circumstances, it may also be necessary to 
allow contractors access to personal data (e.g. computer 
engineers) in the course of maintenance or repair work.

<R> HE and FE institutions should ensure that contractors are:

 - Controlled, documented, and required to wear some form of 
identification 

 - Restricted from unnecessary admittance to areas where personal 
data is held or processed

 - Required to sign nondisclosure agreements where access to 
personal data is unavoidable
    
<R> HE and FE institutions should ensure that vendors and 
suppliers are:

 - Controlled, documented, and required to wear some form of 
identification 

 - Escorted throughout the general premises by the person they are 
visiting 

 - Restricted from unnecessary admittance to areas where personal 
data is held or processed

<R> Employees and students should be advised to challenge, or 
report to security, individuals found in areas where personal data is 
held or processed without proper credentials.

<ST> Transfer of personal data

Reasonable precautions must be taken when transferring personal 
data in either hardcopy or electronic form.  HE and FE institutions 
should not assume that documents transferred by electronic 
means (e.g. e-mail, WWW, FTP) are secure, and thus information 
containing personal data, and in particular sensitive personal data, 
should be encrypted before transmission. 

<R> HE and FE institutions should ensure that personal data is 
transferred under conditions of security commensurate with the 
anticipated risks, and appropriate to the type of personal data held.

<ST> Employee and student use of personal data on home 
computers or at remote sites

Employees and students should take particular care when laptop 
computers or personal machines are used to process institutional 
personal data at home or in other locations (e.g. in public places, 
or on public transport) outside the institution.

<R> Employees and students should be required to ensure that 
when processing institutional personal data at home or in other 
locations:

 - they take reasonable precautions to ensure that the data is not 
accessed, disclosed or destroyed as a result of act or omission on 
their part.

 - they have an up-to-date virus scanning program installed on 
laptop computers or personal machines and scan all disks for 
viruses prior to loading.

 - they back up system hard drives to avoid loss of data.

 - they report all computer security incidents, including virus 
infections, to the institution.

 - when using laptops they:

 -- keep the laptop constantly in view when travelling, especially in 
airports;

 -- store the laptop in the boot of any vehicle in which it is left 
unattended;

 -- do not check the laptop as baggage unless it is placed inside 
luggage that has been locked;

 -- record the model number and serial number of each hardware 
component associated with the laptop and keep this information in 
a separate location;

 -- notify the institution immediately in the event of loss or theft. 

<ST> Back-up of personal data

  Loss or destruction of personal data may have severe 
consequences for the operations of HE and FE institutions, in 
addition to their incurring liability to individuals who have suffered 
damage or distress as a result of the loss or destruction of their 
personal data.  Disaster recovery plans are thus an essential part 
of any institutional data protection framework.

<R> HE and FE institutions should ensure that:

 - A workable disaster recovery mechanism is in place for all 
personal data processing operations where it would be reasonable, 
by virtue of the importance of the personal data, for such a 
mechanism to be implemented. 

 - There are provisions for frequent back-up or duplicate copies of 
all personal data produced in personal data processing operations 
at an institution to be made, and securely stored, in a location 
wholly separate from that of the primary data source (e.g. off-site). 

 - There are designated personnel tasked with the responsibility of 
ensuring the recovery of personal data, and establishing its 
accuracy and integrity, within a reasonable time following any 
disaster.

<ST>Migration or upgrade plans

  Changes to an institution’s hardware or software systems may 
result in personal data becoming inaccessible or unreadable due to 
incompatibility between data formats meaning that the institution 
cannot properly ensure the data’s accuracy and integrity.  

<R> HE and FE institutions should ensure that:

 - Future migration or upgrade plans for institutional systems are 
documented to address the potential effect of hardware, software 
and operating system upgrades, or obsolescence, on personal 
data processing operations.

 - Successful data transfer tests of existing personal data to new 
systems or file formats are carried out before those systems go 
live and before old systems are discarded.

<ST>Disposal of Data

  The proper disposal of personal data should be the final element in 
an institutional framework designed to ensure the security of 
personal data.  The method of disposal should be appropriate to 
the sensitivity of the personal data to be destroyed.  The minimum 
standard for the destruction of paper and microfilm documentation 
should be shredding; paper and microfilm documentation 
containing sensitive personal data should be horizontally and 
vertically shredded or incinerated.  The minimum standard for the 
destruction of data stored in electronic form should be reformatting 
or overwriting, and electronic storage media containing sensitive 
personal data should be overwritten to [what] standard or 
destroyed.  
    
<R> HE and FE institutions should ensure that:
    
 - All paper or microfilm documentation containing personal data is 
permanently destroyed by shredding or incinerating, depending on 
the sensitivity of the personal data.

 - All computer equipment or media to be sold or scrapped have 
had all personal data completely destroyed, by re-formatting, 
overwriting, or degaussing.

 - Employees and students are provided with guidance as to the 
correct mechanisms for disposal of different types of personal data 
and regular audits should be carried out to ensure that this 
guidance is adhered to.  In particular, employees and students 
should be made aware that erasing electronic files does not equate 
to destroying them.

<R> Where disposal of equipment or media is contracted to a third 
party, HE and FE institutions should ensure that the contract 
contains a term requiring the third party to ensure that all personal 
data is completely destroyed, and permitting the institution to audit 
the third party’s performance of that term at regular intervals.



Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387   Fax:   01482 466388
E-mail: [log in to unmask]

