Tuesday, 14 September 2010

Data security

Today I'm at an IDBG (Institutional Business Development Group) meeting for Public Sector CIOs. It started last night with a presentation on partnerships, and then the first session this morning was from David Smith, the Deputy Information Commissioner.

There have always been losses of data: it used to be personal data discovered in black bin liners on refuse tips, but now the scale has changed with the use of data sticks, laptops, etc. Recent high-profile data breaches have led to a tightening up of data security in the public sector, but there is still a lot that can be done.

The Information Commissioner's Office's powers have increased recently, and it can now take enforcement action and audit government organisations. Under its voluntary breach notification scheme it receives about 30 to 40 notifications a month, with the public sector predominating and the NHS top of the list. This doesn't necessarily mean the public sector suffers more breaches; it may simply be more willing to report under a voluntary system.

Some key points:
  • Theft and loss of portable media is highly significant, but it was interesting to note that the ICO doesn't consider the loss of properly encrypted media a data breach.
  • Retention and lack of weeding of data continues to be a problem; we should minimise the amount of data stored wherever possible, on the grounds that if you don't have it you can't lose it.
  • Many problems arise from a lack of proper risk assessment and a one-size-fits-all approach, with organisations treating all personal data in the same way.
  • The DP Act says appropriate security must be in place, not absolute security, which supports a risk-based approach.
  • All systems/services should use Privacy by Design, i.e. design privacy in from the beginning rather than trying to fit it in afterwards.
  • It's all about building public confidence. Take Google Street View: it turns out that they hardly collected any personal information, but they took a reputation hit because of perceptions.
  • If you have rules that are too strict, people will get round them. For example, some firms banned memory sticks, so users just emailed data to their personal email accounts.
  • As mobility and access to networked information increases, try to avoid anything being downloaded to devices.

After the talk I had an interesting chat with him about the implications of outsourcing things like email, and the simple answer to my question about whether Safe Harbour was adequate for data held outside the EU, in the US, was "yes".


Dave Berry said...

Kim Cameron, on his IdentityBlog, came to a very different conclusion regarding Google Street View. See http://www.identityblog.com/?p=1116 . There is a discrepancy between what Google PR says and what their technical FAQs say - see http://www.identityblog.com/?p=1139 .


Anthony Leonard said...

the simple answer to my question about whether safe harbour was adequate for data held outside the EU was "yes"

Interesting that the Commissioner's Office should take this view. In fact Safe Harbor ostensibly only covers data held within the US, and not anywhere else outside the EU. Also Safe Harbor deals with the eighth principle of the 1998 Data Protection Act, which demands that the data security context is adequate at a country level - or a corporate level in the case of the US. Nevertheless the other seven principles still need to be applied at a service level. Particularly the principle stating that "Personal data shall be obtained only for one or more specified and lawful purposes". If the company's privacy statement for the service gives carte blanche for the company to use personal data to "improve its services" (as Google's does, for example) then it may be compliant with this principle, but affords little data protection to your users.

Chris Sexton said...

Sorry, I should have made it clear that my question did indeed refer to data held in the US, not anywhere in the world. I have edited the blog to make that clear.