On Thu, 19 Nov 2009, Bradshaw, Phillip wrote:
> Jethro said :
>
> "I'm surprised at your policies only being 2 pages long..."
Just to be clear, I didn't say that, Doreen did :) I approve of short
policies.
> I agree. Having gone through a review this year our DP policy statement
> is now under 2 pages. With a bit of context setting and stuff about
> implementation the whole document is less than 4 pages.
>
> I took some persuading to expand it from my first draft which was simply
> "Cardiff Council will comply with the 8 Principles of Data Protection as
> set out in the Data Protection Act 1998 and will at all times comply
> with its duties under that Act. The Council will at all times in
> handling personal data comply with the rights of privacy and respect for
> personal and family life set out in Article 8 of the Human Rights Act
> 1998."
I think this nicely illustrates that there is a balance to be drawn ...
there's a short Policy, then there's a _short_ Policy!
Jethro.
>
> From a practical perspective there is a very good practical reason to
> keep it short. All the rest - guidance, rules, best practice, I can
> change today in the light of experience and lessons learned - and on my
> own authority. To change a policy needs Executive approval which can
> take several months.
>
>
> Phillip Bradshaw
>
> Information Manager
> Clerk to the Council
>
> Room CY4A, County Hall
>
> EMail: [log in to unmask]
>
> Phone: 029 2087 3346
> Mobile : 07890 265987
>
> Fax: 029 2087 3349
>
> Mae Cyhoeddi Cynnar yn Codi Canfod Cadarnhaol
> Proactive Publishing Promotes Positive Perceptions
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Jethro R Binks
> Sent: 18 November 2009 20:12
> To: [log in to unmask]
> Subject: Re: [data-protection] Data Protection and Information Security
> Policies
>
> On Wed, 18 Nov 2009, Broom, Doreen wrote:
>
> > I'm surprised at your policies only being 2 pages long. Our Data
> > Protection Policy which has gone through the Plain English Campaign is
> > 25 pages long, I also have a Procedure document which is about the same
> > length. Staff guidance documents are usually only 2/3 pages long and
> > they are very basic. When dealing with sensitive personal data, data
> > sharing, proposed fines/imprisonment for data leaks etc. and all the
> > other areas in the Council we could not take that chance. There is a
> > separate Security Policy which does link with the DP Code of Practice
> > and vice-versa.
>
> Generally, on policies:
>
> In my experience, what you describe is probably the wrong way around.
> Most parent policies should, as previously commented, be clear, easy to
> read, and not terribly specific at anything. They should provide very
> general points, and not prescribe particular procedures, tools,
> technologies, and whatnot. Policies are usually to be approved at a
> senior management level, and as such should not change frequently: too
> much detail means too much likelihood to change, and that can be a
> drawn-out procedure. The role of senior management is to approve
> general principles of policy, not to get bogged down in operational and
> procedural detail and practice.
>
> Policies should devolve responsibility for creating and approving
> related procedures, guidance, best practice and other more detailed
> documentation to other bodies or committees. These documents are still
> controlled, but are more dynamic, and can be easily modified to suit
> circumstances but without the time-consuming senior management approval
> route. They are the ones that are usually referenced day-to-day by end
> users, but breach of them is considered breach of the parent policy to
> which all staff agree to abide.
>
> I don't know your policy of course, but it sounds like there should be
> more of the detail moved to the staff guidance document, and less in the
> actual policy itself. If the Policy describes specific ways of working
> or procedures, it probably should be rewritten to move that detail to
> other documents. Documents bearing titles such as "XYZ Policy" are
> often mixtures of policy and procedures or guidance/best practice rather
> than actual "statements of policy".
>
> Jethro.
>
>
> >
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues
> > [mailto:[log in to unmask]] On Behalf Of Tony Brookes
> > Sent: 18 November 2009 17:25
> > To: [log in to unmask]
> > Subject: Re: Data Protection and Information Security Policies
> >
> > Having just gone/going through in another University, I hope this will
> > help. We have suggested an information security policy as the "top"
> > information policy backed up by our version of the PIP. I'd then
> > expect a load of other policies to support them both (e.g. records
> > management, technical policies etc etc). Note - we've come to the
> > conclusion that no policy should be more than two pages long, but the
> > associated guidance may well be much longer than that. It is a similar
> > approach to that used in H & S.
> > Mind you, I'm well aware that what works or is being tried in one
> > University might not suit another. Tony
> > ________________________________
> >
> > From: This list is for those interested in Data Protection issues
> > [[log in to unmask]] On Behalf Of Tim Trent
> > [[log in to unmask]]
> > Sent: 18 November 2009 16:10
> > To: [log in to unmask]
> > Subject: Re: [data-protection] Data Protection and Information
> > Security Policies
> >
> >
> > I would say that neither of these policies is what I would term a
> > "master policy"
> >
> > Data Protection has many of the facets of Information Security
> > embedded within it. Examples are a Data Destruction Policy - very
> > much required - and the additional security that must surround sensitive
> > data. Yet InfoSec is not a subset of Data Protection, nor is Data
> > Protection, because of the privacy element, a subset of InfoSec.
> >
> > Instead these are two parallel and often intersecting areas where each
> > policy and set of sub-policies must relate to the other stream, and
> > where some policies - Data Destruction - need only exist in one or the
> > other, but be referred to as part of each.
> >
> > Your mileage may vary, of course, but my belief is that the overall
> > policy is the Human Resources Policy that covers disciplinary action
> > against workers who break either (any) of the other policies
> >
> > On 18 Nov 2009, at 15:42, Barlow, Jackie wrote:
> >
> >
> > Dear colleagues,
> >
> >      I am fairly new to the role of Records Manager here at Anglia Ruskin and I
> >      have recently revised our Data Protection Policy. Our Information Security
> >      Policy is also currently being revised and I am unsure which of these
> >      policies should be the overarching one.
> >
> >      I would be grateful for your opinions on this and any information on your
> >      current practices.
> >
> > Kind regards
> > Jackie
> >
> >
> >
> > Jacqueline Barlow ACIB MBA
> > University Records Manager
> >
> > Anglia Ruskin University
> > Office of the Secretary and Clerk
> > 3rd Floor
> > Tindal Building
> > Chelmsford
> > CM1 1SQ
> >
> > Direct dial 0845 196 4215
> >
> >
> >
> >      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >      All archives of messages are stored permanently and are
> >      available to the world wide web community at large at
> >      http://www.jiscmail.ac.uk/lists/data-protection.html
> >      If you wish to leave this list please send the command
> >      leave data-protection to [log in to unmask]
> >      All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> >      Any queries about sending or receiving messages please send to the list owner
> >      [log in to unmask]
> >      Full help Desk - please email [log in to unmask] describing your needs
> >      To receive these emails in HTML format send the command:
> >      SET data-protection HTML to [log in to unmask]
> >      (all commands go to [log in to unmask] not the list please)
> >      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >
> >
> > ________________________________
> >
> > Tim Trent - Consultant
> > Tel: +44 (0)7710 126618
> > web: ComplianceAndPrivacy.com - where busy executives go to find the
> > news first personal blog: timtrent.blogspot.com/
> > <http://timtrent.blogspot.com/> - news, views, and opinions personal
> > website: Tim's Personal Website <http://www.trent.karoo.net> - more
> > than anyone needs to know
> >
> >
> > Marketing by Permission
> > <http://feeds.feedburner.com/~r/MarketingByPermission/~6/1>
> >
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
>
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK