Request for comments
*Key*
<T> = title
<ST> = Subtitle
<R> = Recommendation
<T> Security of data
<ST> Institutional Framework for Data Security
A data subject may apply to the court for compensation if he/she
has suffered damage (financial loss or physical injury, and possibly
associated distress) because personal data have been lost or
destroyed or disclosed without the authority of the data user, or
access has been obtained to personal data without the authority of
the data user. A court dealing with a claim for compensation will
need to consider whether the institution has taken all reasonable
care to prevent the particular loss, destruction, disclosure or access.
HE and FE institutions are obliged under the 1998 Act to have in
place an institutional framework designed to ensure the security of
all personal data during the collection to destruction cycle. A key
current international benchmark for Information Security
Management Systems (ISMS) is BS7799. A framework that
meets this standard will provide a high level of compliance with the
1998 Act. Where complete compliance with BS7799 is infeasible
or unreasonable for all, or certain types of, institutional personal
data processing operations, certain minimum standards should still
be met.
Such standards should ensure:
- a level of security appropriate to the risks represented by the
processing and the nature of the data to be protected.
- that data security is assured no matter where or by whom data is
stored or processed and throughout the whole procedure, including
the transmission of data.
- that there are clear lines of responsibility and the controller's
ultimate responsibility for data security is clearly understood.
<R> HE and FE institutions should, as a minimum, ensure that:
- Wherever possible, data are de-personalised, or coded, or
encrypted, with any key being kept securely.
- Existing and proposed personal data processing operations are
evaluated to identify and assess all potential risks, in order to
determine the cost, effectiveness and practicability of proposed
levels of security.
- Appropriate levels of security are applied, commensurate with the
anticipated risks, and appropriate to the type of personal data held.
- Agreed levels of security are applied, monitored and regularly
reported upon as regards their effectiveness.
- All staff are trained to take effective action to protect life, data
and equipment (in that order) in the event of disaster.
- Competent people are assigned to be responsible for the
accuracy and integrity of personal data held in each part of an
institution's personal data processing operations.
<ST> Employee and Student Security Training and Management
A primary part of any HE or FE institution’s personal data security
framework will be the effective training and management of its
employees and students in necessary security procedures. A
significant proportion of unauthorised disclosure of, and access to,
personal data occurs because employees and students are
unaware of, or fail to adhere to, existing institutional guidelines.
The potential consequences under the 1998 Act for institutions of
unauthorised disclosure of, and access to, personal data are such
that it is essential both to cultivate an institutional awareness of
data privacy rules, and to provide a verifiable mechanism for
sanctions for breach of those rules.
<R> HE and FE institutions should ensure that:
- Employees and students dealing with personal data are aware of
the purposes for which the data has been collected, including the
parties to whom disclosure may legitimately be made, and are
aware that disclosure may not be made to other parties, unless
one of the exemptions in the Act applies.
- Employees and students dealing with personal data have a
formal point of contact within the institution, such as a Data
Protection Officer, to whom they can refer requests for disclosure
under one of the exemptions in the Act (e.g. law enforcement).
- Employees and students dealing with personal data are aware
that their access to personal data is for specified authorised
purposes only. Institutional regulations should provide that access
to personal data by employees and students for unauthorised
purposes (e.g. browsing of personal data) will be a disciplinary
offence.
- Employees and students are aware that casual access to
personal data by unauthorised persons (e.g. members of the
general public having access to personal data via VDU screens or
printouts), by act or omission, should not be permitted.
Institutional regulations should provide that acts or omission that
lead to unauthorised access or disclosure to unauthorised persons
will be a disciplinary offence.
- Reasonable access control mechanisms, including where
appropriate the use of passwords, encryption, compartmentalised
access and access logs, are used to detect and prevent attempts
to access computer files through terminals or computer networks
without authorisation. Institutional regulations should provide that
failure to adhere to the correct use of applicable access control
mechanisms will be a disciplinary offence.
- Basic security steps are taken to ensure that building perimeters
and internal sensitive areas are secure, and that the general public,
unescorted visitors, and unauthorised personnel are restricted from
areas where personal data is used.
- Existing security controls are reviewed for improvement or
modification, and awareness programmes, as well as policy and
guidelines, are established to protect personal data.
<ST>Vendors, contractors, and suppliers
Vendors, contractors, and suppliers are often required to have
access to areas in which personal data may be stored or
processed. In certain circumstances, it may also be necessary to
allow contractors access to personal data (e.g. computer
engineers) in the course of maintenance or repair work.
<R> HE and FE institutions should ensure that contractors are:
- Controlled, documented, and required to wear some form of
identification
- Restricted from unnecessary admittance to areas where personal
data is held or processed
- Required to sign nondisclosure agreements where access to
personal data is unavoidable
<R> HE and FE institutions should ensure that vendors and
suppliers are:
- Controlled, documented, and required to wear some form of
identification
- Escorted throughout the general premises by the person they are
visiting
- Restricted from unnecessary admittance to areas where personal
data is held or processed
<R> Employees and students should be advised to challenge, or
report to security, individuals found in areas where personal data is
held or processed without proper credentials.
<ST> Transfer of personal data
Reasonable precautions must be taken when transferring personal
data in either hardcopy or electronic form. HE and FE institutions
should not assume that documents transferred by electronic
means (e.g. e-mail, WWW, FTP) are secure, and thus information
containing personal data, and in particular sensitive personal data,
should be encrypted before transmission.
<R> HE and FE institutions should ensure that personal data is
transferred under conditions of security commensurate with the
anticipated risks, and appropriate to the type of personal data held.
<ST> Employee and student use of personal data on home computers or at remote sites
Employees and students should take particular care when laptop
computers or personal machines are used to process institutional
personal data at home or in other locations (e.g. in public places,
or on public transport) outside the institution.
<R> Employees and students should be required to ensure that
when processing institutional personal data at home or in other
locations:
- they take reasonable precautions to ensure that the data is not
accessed, disclosed or destroyed as a result of act or omission on
their part.
- they have an up-to-date virus scanning program installed on
laptop computers or personal machines and scan all disks for
viruses prior to loading.
- they back up system hard drives to avoid loss of data.
- they report all computer security incidents, including virus
infections, to the institution.
- when using laptops they:
-- keep the laptop constantly in view when travelling, especially in
airports;
-- store the laptop in the boot of any vehicle in which it is left
unattended;
-- do not check the laptop as baggage unless it is placed inside
luggage that has been locked;
-- record the model number and serial number of each hardware
component associated with the laptop and keep this information in
a separate location;
-- notify the institution immediately in the event of loss or theft.
<ST> Back-up of personal data
Loss or destruction of personal data may have severe
consequences for the operations of HE and FE institutions, in
addition to their incurring liability to individuals who have suffered
damage or distress as a result of the loss or destruction of their
personal data. Disaster recovery plans are thus an essential part
of any institutional data protection framework.
<R> HE and FE institutions should ensure that:
- A workable disaster recovery mechanism is in place for all
personal data processing operations where it would be reasonable,
by virtue of the importance of the personal data, for such a
mechanism to be implemented.
- There are provisions for frequent back-up or duplicate copies of
all personal data produced in personal data processing operations
at an institution to be made, and securely stored, in a location
wholly separate from that of the primary data source (e.g. off-site).
- There are designated personnel tasked with the responsibility of
ensuring the recovery of personal data, and establishing its
accuracy and integrity, within a reasonable time following any
disaster.
<ST>Migration or upgrade plans
Changes to an institution’s hardware or software systems may
result in personal data becoming inaccessible or unreadable due to
incompatibility between data formats meaning that the institution
cannot properly ensure the data’s accuracy and integrity.
<R> HE and FE institutions should ensure that:
- future migration or upgrade plans for institutional systems are
documented to address the potential effect of hardware, software
and operating system upgrades, or obsolescence, on personal
data processing operations.
- Successful data transfer tests of existing personal data to new
systems or file formats are carried out before those systems go
live and before old systems are discarded.
<ST>Disposal of Data
The proper disposal of personal data should be the final element in
an institutional framework designed to ensure the security of
personal data. The method of disposal should be appropriate to
the sensitivity of the personal data to be destroyed. The minimum
standard for the destruction of paper and microfilm documentation
should be shredding; paper and microfilm documentation
containing sensitive personal data should be horizontally and
vertically shredded or incinerated. The minimum standard for the
destruction of data stored in electronic form should be reformatting
or overwriting, and electronic storage media containing sensitive
personal data should be overwritten to [what] standard or
destroyed.
<R> HE and FE institutions should ensure that:
- All paper or microfilm documentation containing personal data is
permanently destroyed by shredding or incinerating, depending on
the sensitivity of the personal data.
- All computer equipment or media to be sold or scrapped have
had all personal data completely destroyed, by re-formatting,
overwriting, or degaussing.
- Employees and students are provided with guidance as to the
correct mechanisms for disposal of different types of personal data
and regular audits should be carried out to ensure that this
guidance is adhered to. In particular, employees and students
should be made aware that erasing electronic files does not equate
to destroying them.
<R> Where disposal of equipment or media is contracted to a third
party, HE and FE institutions should ensure that the contract
contains a term requiring the third party to ensure that all personal
data is completely destroyed, and permitting the institution to audit
the third party's performance of that term at regular intervals.
Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387 Fax: 01482 466388
E-mail: [log in to unmask]