----- Original Message -----
From: Yosi Margalit <[log in to unmask]>
To: <[log in to unmask]>
Cc: <[log in to unmask]>
Sent: Friday, November 26, 1999 6:03 PM
Subject: Re: Transfer of Personal Data to the Republic of Ireland \
Suggesting that each of our suppliers must be DPA registered
> The following response is based on my legislative experience and
> consequential enforcement practice in Israel of the DPA parallel Act (1981,
> 1986, 1988) and regulations adopted in 1986 and considered currently.
>
> ----- Original Message -----
> From: <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Friday, November 26, 1999 3:45 PM
> Subject: RE: Transfer of Personal Data to the Republic of Ireland
>
>
> > ** Reply to note from ANNE LINCOLN <[log in to unmask]> Fri, 26 Nov 1999 09:50:37 -0000
> >
> >
> > > Are you suggesting that each of our suppliers must be DPA registered for our
> > > data? More and more systems seem to be supported by remote access
> > > (dial-up or otherwise) so this is a
> > > very important issue. On the face of it, it seems most unlikely that they
> > > would all be so registered and the implications alarm me somewhat.
>
> The manufacturers' diagnostic and support tools date back to the early
> 1980's at least in the case of PDP 11/70 followed by VAX - VMS systems of
> Digital. So nothing is new under the DPA sun... It was also available to some
> of Data General's minis and to HP legacy systems (??)
>
> Nonetheless it is a normal practice of defence and sensitive data processing
> organizations to bar or filter the access to "live systems" i.e., Databases
> the contents of which are sensitive enough to mandate restricted access,
> accidental disclosure etc. We lose some and win some. In accordance with
> the Israeli DPA the majority of Personal Data is "sensitive" i.e., requires
> reasonable measures of protection defined in the Regulations to the DPA
> (similar to the recent ISO 15408 Standard at C2 level (like NT4 certified in
> UK)). One can find UNIX systems which are designed to be Trusted Computing
> Base and certified as such to the level of C2, seldom to B1. In such TCBs it
> is possible to lock out the Engineers (internal or contracted) from the
> contents.
>
> Unfortunately this is hardly applicable to legacy Mainframes e.g., IBM and
> compatible MVS based systems, used by the IT centers of the Academic world,
> also not for Unisys (Univac Burroughs) and Control Data.
>
> The worst case is the need for Data Base administration and recovery (in
> case of crash), as well as the need to reconstruct a malfunction in order to
> analyse / detect the reason for discrepancies in the records. This is almost
> impossible with "Test Data" and must make access to contents available to
> the DBA and the remote support center experts, e.g. ORACLE DB2.
>
> The Israeli IT community has adopted several types of security management
> software from IBM and from local sources in the IBM MF environments -
> nothing is perfect but is reasonably manageable - yet costly!!! (Purchase
> and current use!!)
>
>
>
> >> Is the responsibility to ensure that they are registered ours or theirs (or both)?
> The responsibility of the vendor of support services is for confidentiality
> and does not require his registration, as a supplier of Professional
> Services, he is not the Data Controller, nor is he Data Processor (like a
> service bureau). The service agreement must contain a confidentiality
> statement as well as a compensatory clause in case a data subject claims in
> Tort for damages due to disclosure of confidential data as provided by the
> Israeli DPA.
>
> > > Or have I got hold of the wrong end of the stick?
> Unfortunately the point is overlooked - The EU directive as well as the
> recent UK DPA impose strict limitation on export of data (See Articles 25,
> 26 of the Directive).
> A committee of the Israeli Privacy Protection Council (Advisory to the Min.
> of Justice) has worked out a draft in this respect. This concerns exporting
> data to non-EU countries and to countries where there is no DPA at all or,
> like in the USA a partial "inadequate" Data Protection legal system, which
> does not implement the principles of the EU directive.
>
> >
>
> >
> > On all our internal registration forms, box (D206 B.Disclosure) is ticked
> > by default. Box 206 corresponds to "Individuals or Organisations directly
> > associated with
> > the Data User" and it stands for "suppliers, providers of goods and
> > services", ie. we state we will disclose data to them.
> You do not disclose actively - but data may be accessed by them in the
> course of performance of services - they are under obligation of
> confidentiality - non disclosure, just like any paralegal and advocate,
> paramedics and doctors etc. The Data Controller must warn them and assure
> they sign a proper declaration. That's all.
>
> This refers only to persons employed in the service of the Data Controller
> (employees, contact personnel) but not to Data Processors. Only Data
> Processors have to register with the Israeli Registrar, in order to enable
> cross control both on the Controller (Owner of data) and his "independent"
> Processor and prevent exposures of "derelict databases" "abandoned" by
> defunct or negligent Controller.
> >
> > Effectively, it means that everything we store on a computer we may disclose
> > to a provider of services/goods relating to the operation of the computer.
> Totally Wrong !! - You have to take reasonable measures to prevent
> disclosure to such people, or limit the "damage" caused by such exposure.
> Administrative procedures exist to be studied and followed, even in certain
> Academic Data Centers.
>
> > Whether the engineer connects via a modem to a main-frame or mini system or
> > whether we send a computer away to be repaired (I have done with brand name
> > PCs), and worse, imagine if we send it away to be repaired by this infamous
> > chain of stores, we will automatically disclose the contents of the PC.
>
> This practice should be avoided. In certain cases you have to Format the
> disk or erase its sensitive contents properly (by over writing) before you
> return the system for repair (usually replacement). You should contract
> carefully in certain cases: This may mean absorb the cost of a returnable
> disc (30-40 UK Pounds at the "Brands") and destroy the plates. You may
> replace the hard disc for repairs if the problem is not associated with it.
> Ask for "on-site" repairs and supervise replacement. "Headache" - Yes! But
> this is the cost of Privacy, that our society elected to impose on us.
> >
> > I would LIKE the provider of goods/services (if an EU company) to be
> > registered and comply with data protection regulations. If we allow access
> > to sensitive data which are subsequently abused by a provider, in my view, we
> > do not have much ground to defend ourselves. We can counter sue the provider
> > but what good will it do?
>
> Registration is not the "cure". Contracting correctly is the way to hold the
> services personnel responsible for misconducts and their company for damages
> awarded by court to a data subject in case of unlawful disclosure.
>
> You have to log diligently the movement of your equipment in and out of
> site, to MARK CLEARLY the disk and the external case of the Work Station
> which contains protected data.
> >
> >snip><<<<<<<<<
>
> > The cache of a browser or data have nothing to do with the Operating System. <snip>
> The problem "minefield" resides in Database maintenance or malfunctions -
> not the OS - A DBA has access to the content - since he has to review an
> intermittent phenomenon and analyse it - it may concern a "deviation" in
> contents in certain record or group of records.
>
>
> > If I send my PC for repair, which because of the nature of my work has a lot
> > of data which can be interesting to marketeers, can I trust the provider not
> > to abuse my data.
> Not unless you warn him, make him contract properly, sign non-disclosure
> statement etc. You have to MARK CLEARLY that the PC system contains
> "Confidential DATA" on your service purchase order and on the PC Box.
>
> > By sending it to a "bad" provider am I taking enough
> > care to safeguard the data? (PC is broken, so I can no longer encrypt
> > them, protect them or remove them. And many of these options are not
> > possible for a machine that is used as a server).
> >
> > Does the repairer have to be DP registered? Unless it is a corner shop,
> > I would say Yes.
> See above a repairer - does not HAVE to get access to data and is not
> Processor or Controller thereof.
>
> > Should we make sure they are registered? Put it as part of the contract next
> > time you negotiate one, either DP registration or some kind of non-disclosure
> > clause so you can sue them.
>
> Indeed so - this is the only way to have a defence in case a criminal
> charge is made - "reasonable measures to protect data have been taken"!
> And recover the damages awarded against you from the repairer (if he is a
> "shop around the corner" he may go bankrupt (Then you are in trouble !!!))
>
> > Can I do it for our institution. NO. I am already going backwards hitting
> > constantly 12 and 14 hours shifts.
> If your principals became aware of their obligation under the Law and their
> Personal Responsibilities and liabilities to the data subjects - (as it is
> done in Israel) by Legal Consultant and by the Users Group and IT
> manager - you may get a budget and hire some people to work for you or
> "outsource" the heads not the services only - bring them in, give them a
> table to work on ... yes it is not the routine -
>
> > -----------
> > Finally, is it not the case that we can disclose data to EU companies etc.
> > because they "have to" obey DP Legislation (ok. we must be registered for
> > the disclosure etc)?
> The transfer of data to other parties is permitted only for the specific
> objectives the data was collected for. You may not disseminate it to EU or
> even other UK companies - unless you have specific consent of the data
> subjects or for reason of public safety, health and some other government
> activities... Having a "good reason" to share data, even for the benefit of
> a data subject is not sufficient - unless you have consent or have
> permission to it because by law you should do it (e.g., Interpol). There
> are special regulations in respect of research data and ID of subjects too.
>
>
> > I cannot remember off the top of my head who does not
> > have to be DP registered (some small outfits, some small charitable
> > organisations/association with staff/membership less than x, things which
> > effectively came down to the level of the local village association).
> >
> You better learn this and where it is applicable to systems you are
> responsible for ...
> > Regards
> > Charles
> >
> >
> >
> > ==============================================
> > Charles Christacopoulos, Secretary's Office, University of Dundee,
> > Dundee DD1 4HN, (Scotland) United Kingdom.
> > Tel: +44+(0)1382-344891. Fax: +44+(0)1382-201604.
> > WebDad of http://somis.ais.dundee.ac.uk/
> > Home of the Scottish Search Maestro http://somis2.ais.dundee.ac.uk/
> > Happily using OS2 Warp.
> > ==============================================
>
>
> Hope this will supply some overview and further directions for study. The
> questions raised only demonstrate the state of affairs and how right was the
> legislator in imposing the controls and forcing IT to make some order in
> their house and clean the porches too...
>
> yours
>
> Yosi Margalit LL.B. ISAA
> Senior IT Consultant
> NY Margalit Consulting and Planning Ltd.
> 19, Vitkin St. Tel-Aviv 63474 Israel
> 972-3-5464642 FAX: 972-3-5463152
>
>
>
>