CERTIFICATE IN DATA PROTECTION: DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall, 9 February 2015


Slide 2: DATA SECURITY
- Legal requirements
- Sector specific issues
- International transfers
- Data security breaches
- The future of data security

Slide 3: LEGAL REQUIREMENTS: APPROPRIATE technical and organisational measures
- To protect against unauthorised access, alteration, disclosure or destruction of personal data
- DP Acts, s. 2(1)(d); E-Privacy Regulations 2011, Regulation 4
- Personal Data: data relating to a living individual who can be identified from the data, or from the data plus other information that the data controller has

Slide 4: LEGAL REQUIREMENTS: WHAT IS COVERED?
- Loss or theft of data or equipment
- People gaining inappropriate access
- Deliberate/targeted attack on systems
- Malicious acts (hacking, viruses, deception)
- Equipment failure
- Human error
- Act of God (fire or flood)

Slide 5: LEGAL REQUIREMENTS: APPROPRIATE?
- No definition in the DP Acts or the E-Privacy Regulations
- Take into account the state of technical development and cost
- Appropriate to:
  - the risk presented
  - the nature of the data to be protected
  - the harm that might result
- ADOPT A RISK BASED APPROACH TO ASSESSMENT OF SECURITY NEEDS

Slide 6: LEGAL REQUIREMENTS: ASSESSING THE LEVEL OF SECURITY REQUIRED
- Carry out a risk assessment, examining:
  - the nature and extent of the organisation's premises and computer systems
  - the number of staff
  - the extent of staff access to personal data
  - whether personal data is held by data processors on behalf of the organisation

Slide 7: LEGAL REQUIREMENTS: ASSESSING THE LEVEL OF SECURITY REQUIRED
- Design and organise security to fit the type of personal data held and the harm that may result from a breach
- Ensure:
  - correct physical and technical security
  - supported by data security policies and procedures
  - well trained staff are in place
- Be able to respond to any data security breach swiftly and effectively

Slide 8: LEGAL REQUIREMENTS: DATA PROCESSORS
- Data Processor: a person or entity who carries out processing of personal data on behalf of an organisation
- Responsibility for data security remains with the organisation itself (the Data Controller)
- The Data Processor must be able to provide sufficient guarantees in relation to the security of processing
- Written Contract:
  - data security obligations complied with
  - only act on the instructions of the data controller
  - Right of Audit: check whether appropriate data security measures are in place and that data is processed in accordance with instructions only

Slide 9: LEGAL REQUIREMENTS: DATA PROCESSORS
- Data Processor: a person or entity who carries out processing of personal data on behalf of an organisation
- Cloud Processing: particular risks involved
  - Less control over processing of data
  - Data can be analysed by anyone: the person who uploaded the data, the service provider keeping it there, external access???
  - Data can be hosted anywhere: the location of the service provider may be different from the server where the data is stored
    - Sufficient protection?
    - International Transfers? Model Clauses/International Agreement

Slide 10: INTERNATIONAL TRANSFERS/SAFE HARBOUR
- Schrems v Data Protection Commissioner
- Wanted to block Facebook transfers of data to the US

Slide 11: DATA SECURITY BREACHES: DATA BREACH RESPONSE PLAN
- Security Breach Team
- Investigate the facts:
  - nature and cause of the breach
  - extent of damage/harm caused or potentially caused by the breach
- Stop or mitigate the breach
- Consider who needs to be notified:
  - Data Protection Commissioner:
    - Legal Requirement where the organisation is an electronic communications provider (E-Privacy Regulations)
    - Regulatory Requirement unless individuals informed / < 100 affected / non-sensitive data (DPC Guidance)
  - Affected Individuals
  - Third parties (e.g. Irish Banking Federation where financial data is involved)

Slide 12: DATA SECURITY BREACHES: Data Breach Notifications (2013)

Category                          Number
Theft of IT Equipment                 23
Website Security                      53
Mailing Breaches (Postal)            920
Mailing Breaches (Electronic)        151
Security                              86
Other                                274
TOTAL                               1507

Non-Breach Notifications              70

Slide 13: FUTURE OF DATA SECURITY: EUROPEAN LEGISLATION: DRAFT DATA PROTECTION REGULATION
- Proposed change to make notification to the National Data Protection Authority mandatory in all cases

Slide 14: Philip Lee Solicitors, 7/8 Wilton Terrace, Dublin 2