The Scottish Government Draft Consultation Paper on Identity Management and Privacy Issues
Scottish Government Draft Consultation Paper on Identity Management and Privacy

dns ref: SCX028
date: 23 November 2009
version: 1.0
classification: unclassified
dns contact: Mike Wawro, dns ltd, 83 Princes Street, Edinburgh, EH2 2ER; 16 St Martin's le Grand, London, EC1A 4EN
t: +44(0)
f: +44(0)
e: info@dns.co.uk
w:
registered in Scotland No
1 distribution and revision

1.1 document revision history

name | revision date | version | description
Stewart McIntyre | 19 November | | initial draft
Mike Wawro | 23 November | | review
Don Smith | 23 November | | review and release

1.2 distribution list

name | company | contact info
Natasja Bolton | dns |
Graeme Cox | dns |
Gordon Lang | dns |
Richard Lewis | dns |
Stewart McIntyre | dns |
Don Smith | dns |
Mike Wawro | dns |
Caroline Irving | Scottish Government |
2 table of contents

1 distribution and revision
  1.1 document revision history
  1.2 distribution list
2 table of contents
3 executive summary
4 introduction
5 proving identity and entitlement
  5.1 identify only once
    risk appropriate login
    single sign-on
    prevent data mining
  5.2 avoid discrimination
    maintain non-IT access to services
    consider users' IT platforms
  offer choice
    provide a reasonable choice of authentication methods
6 governance and accountability
  6.1 appointment of a privacy officer
    frequency of privacy officer reports
  6.2 audit
    incident management system
7 data and data sharing
  7.1 controlling access
    role based access control
    access authorised by users
  7.2 linking information between systems
    add examples of link situations
    links must be reliable and accurate
    clarification on persistent identifiers
8 education and engagement
  8.1 educate people about identity management and privacy issues
    introduction of a breach disclosure principle
9 conclusions
3 executive summary

As a leading provider of identity management and information security consultancy services to the Scottish public sector, dns is well placed to respond to the Scottish Government draft consultation paper on identity management and privacy principles. dns provides these types of services to (among others) the Scottish Government, NHS Scotland, the General Register Office of Scotland, the Scottish Courts Service, the Crown Office and Procurator Fiscal Service, the Scottish Police Services Authority and many Scottish local authorities.

We believe that the draft consultation paper provides an excellent start for refining the principles which seek to balance privacy needs with the undoubted benefits that well designed identity management systems can bring. We share the view that organisations should avoid creating large centralised databases of people's personal information, with the exception of a single staff database per organisation.

We have reviewed the paper and recorded our comments in this document. We understand that this is a principles paper and should not address issues associated specifically with implementation methods. However, where relevant, we have made comments that reference identity management methods based on our experience.

In summary:

We advocate variable authentication methods that match the risk associated with the transaction(s) involved. Where possible, a variety of authentication methods should be offered.

Regarding governance and accountability, we believe that there should be a compliance process that involves annual sign-off by the identity store owner of a statement that summarises any security incidents related to the identity store and provides an assurance of the security and integrity of the identity store.

The audit principle should be supported by an active security incident management system capable of immediately managing an alert caused by an actual, or suspected, breach of the identity store.
The principle of least privilege should be used for controlling access to personal data. Where choice is available, users should be able to choose which services are able to access their personal information.

The recommendation against sharing identifiers prevents increased damage from the breach of connected repositories. However, our experience suggests that the preference for avoiding identifiers may not be practical because of the errors inherent in a rules-based matching system. The use of common identifiers is likely to be proposed as a link solution because of its ease of implementation and because it satisfies the accuracy and reliability criteria.

Finally, we are in favour of adding a breach disclosure principle that requires public service data controllers to inform service users if there has been, or is likely to have been, a breach of their identity credentials. The communication to users should inform them of any actions they should take to minimise the consequences.

We recognise the need for a concise definition of identity management and privacy principles. However, as always, the proof is in the quality of the design, implementation and operational management. Identity and privacy are complex subjects and we therefore recommend the creation of a guidance document, complementary to the principles, that provides greater context to aid interpretation, discusses identity management methods and explains choices for system designers. dns would welcome the opportunity to participate in the creation of such a document.
4 introduction

Focusing exclusively on information security, dns offers a complete set of both professional services and managed security services to a wide range of customers. Based in Edinburgh and London, dns serves an international customer base. Due to its commitment to customer satisfaction and its information security expertise, dns is the fastest growing information security services company in Europe. dns has been involved in several public sector projects, including the Scottish Schools Digital Network, NHS Scotland and Scottish Enterprise. The dns vision is to be the leading niche provider of quality information security solutions and services.

dns is well placed to respond to the Scottish Government draft consultation paper on identity management and privacy principles. dns provides these types of services to (among others) the Scottish Government, NHS Scotland, the General Register Office of Scotland, the Scottish Courts Service, the Crown Office and Procurator Fiscal Service, the Scottish Police Services Authority and many Scottish local authorities.

In a broad sense, the principles in this document can be compared to principles from successful public service identity schemes in other countries, including New Zealand's igovt service, which provides user registration and authentication for government services, and Norway's eNorway initiative, which provides a portal to 30 government services. Notably, both New Zealand and Norway are comparable to Scotland in terms of population size.

In the following sections 5 to 8 we provide our comments on the draft consultation paper. Each section corresponds to a section of the consultation paper. For ease of reference, we have restated each principle before our comments on it.
5 proving identity and entitlement

5.1 identify only once

Principle 1.1. For services which are used frequently and for which identification is needed, public service organisations should give people a simple way to register once. Thereafter, unless there is a statutory requirement to prove identity, in many cases a person should be able to access the service using a token, such as a bus pass or library card, that proves their entitlement without revealing unnecessary personal information. In other circumstances, a user name and a password or elements of a password may be required.

risk appropriate login

Authentication is the process of verifying that someone is who they claim to be. Authentication should be appropriate to the level of risk associated with the intended transaction. The registration and authentication methods an organisation requires for access to a service should be appropriate to the impact of the misappropriation of a user identity in that service [1]. As well as risk differences between organisations, a single organisation may offer several services with various levels of risk. For example, the impact of identity misappropriation is greater for a council's tax payment service than for its library service. If an authentication method is used by several services it must meet the requirements of the service with the greatest risk, or support some form of tiered authentication.

single sign-on

Single sign-on allows users to access their services through a single login event. Single sign-on increases user convenience, increases the consistency of the user experience, fosters ownership of a public service identity, avoids re-inventing authentication solutions for each service provider and avoids separate authentication infrastructure in each organisation. The purpose of a single sign-on service is user authentication. The information collected for a single sign-on service should be sufficient to verify that a user is who they claim to be.
Service specific personal information should still be stored by the service provider organisation, avoiding general purpose centralised databases (principle 4.2).

prevent data mining

Services must not leak personal information to unauthorised parties. An example of personal information leakage is a Norwegian government pension scheme website that returned a name and address when presented with a social security number, allowing an adversary to build a list of information useful for identity theft [2]. This type of unauthorised bulk data collection is known as data harvesting or data mining. Anonymous users whose identity has not been verified must not have access to personal information. Authenticated users typically have authority to access only their own personal information and should not have access to another user's information. Authentication systems should avoid leaking user names by informing users only whether the login was successful, and not confirming whether or not the user name exists.

[1] Registration and Authentication Framework, UK e-government Strategy
[2] Risks in Networked Computer Systems, Andre N. Klingsheim
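The two controls above (a login response that never confirms whether a user name exists, and authenticated users reading only their own record) as an added Python example; this is not code from the response or from dns. User names, passwords and records are constructed, and the dummy credential for unknown users is a timing hardening step that goes beyond the page's wording.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed password store: username -> (salt, PBKDF2 hash). PBKDF2 from the
# standard library keeps the example offline; a deployed service would use a
# dedicated password hashing library.
ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_credential(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": _make_credential("correct horse battery staple"),
    "bob": _make_credential("a-different-long-passphrase"),
}

# Constructed service-specific personal records, held by the service provider
# rather than in a general-purpose central database (principle 4.2).
RECORDS: Dict[str, Dict[str, str]] = {
    "alice": {"name": "Alice Example", "postcode": "EH2 2ER"},
    "bob": {"name": "Bob Example", "postcode": "EC1A 4EN"},
}

# Throwaway credential used when the user name is unknown, so the server does
# the same hashing work either way (assumption: timing hardening beyond the
# page's wording, which only concerns the response text).
_DUMMY_CREDENTIAL = _make_credential(secrets.token_hex(16))

GENERIC_FAILURE = "Login failed. Check your user name and password."


def login(username: str, password: str) -> Tuple[bool, str]:
    """Return (success, message). The message is identical for an unknown user
    name and for a wrong password, so it cannot be used to confirm which user
    names exist."""
    salt, stored = USERS.get(username, _DUMMY_CREDENTIAL)
    candidate = _hash_password(password, salt)
    # compare_digest always runs; the membership test is only a second guard.
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in USERS:
        return True, "Login successful."
    return False, GENERIC_FAILURE


def read_record(session_user: Optional[str], requested_user: str) -> Optional[Dict[str, str]]:
    """Anonymous callers get nothing; authenticated callers see only their own record."""
    if session_user is None or session_user != requested_user:
        return None
    return RECORDS.get(requested_user)


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
    print(login("nobody", "wrong"))
    print(read_record("alice", "alice"), read_record(None, "alice"), read_record("bob", "alice"))
```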
5.2 avoid discrimination

Principle 1.6. Organisations must take steps to ensure that people are not discriminated against unfairly (for example, on grounds of disability, age or ethnicity) or socially excluded as a result of the approach to identification or authentication.

maintain non-IT access to services

Though possibly self-evident, we think it is worth explicitly stating that service users who do not have access to information technology systems should be able to continue to access services by alternative methods (including in person, by telephone and by mail correspondence).

consider users' IT platforms

Services provided by IT systems should be available to as high a proportion of users as is reasonably possible. For services presented via the Internet, compatibility with a reasonable proportion of web browsers is a key issue. For example, although Microsoft Internet Explorer 6 has been superseded by newer versions, and may in some instances be harder to create web based services for, it still accounts for approximately 16% of web traffic in the UK [3].

offer choice

Principle 1.7. As far as possible, people should be offered alternative ways to prove identity and/or entitlement.

provide a reasonable choice of authentication methods

The alternative methods used to prove identity and entitlement should avoid burdening users with a confusing array of choices. Collecting additional information to support additional authentication methods (or to increase confidence about user identity before granting additional authentication methods) must be balanced against the principles of single registration and avoidance of excessive data. If an authentication method is used by several services it must meet the requirements of the service with the greatest risk.

[3] Survey Unveils a Softer Start for Internet Explorer 8 ( _en.htm )
6 governance and accountability

6.1 appointment of a privacy officer

Principle 2.3. Responsibility and accountability for privacy should be assigned to a named senior management officer who reports to the Board or equivalent.

frequency of privacy officer reports

The duties of a privacy accountability officer should include regular reviews of privacy issues in an organisation. Regular internal reviews of privacy as a normal business activity help organisations maintain a state of readiness for the audits and ICO inspections specified in principle 2.7. There should be a process whereby the officer endorses compliance to the Senior Information Risk Owner at least annually. The compliance report should summarise any security incidents related to the identity store and provide an assurance of the security and integrity of the identity store.

6.2 audit

Principle 2.4. Public service organisations must be able to demonstrate that personal information can only be accessed by staff who need access to it. Organisations must ensure that they keep records of access to personal information, that there are alerts which prevent or identify inappropriate access and that access logs and alerts are reviewed regularly by line managers.

incident management system

The alerts only have value if they feed into a live incident management system. The key point is that it must be pro-active and trigger action. The wording in paragraph 2.4 suggesting regular review could be interpreted to mean that a weekly (for example) frequency of review is sufficient. If an identity store is compromised then this must be detected immediately and remedial action initiated. The public should expect nothing less.
7 data and data sharing

7.1 controlling access

Principle 4.4. Public service organisations should ensure that personal data is held securely (see 2.1c above), that their employees only have access to the minimum personal information they need and that audit records exist of all accesses to, changes to and uses of that data.

role based access control

The principle of controlling access to information should consider the purpose of the access rather than the employee carrying out that purpose. This allows access rights to be defined around business purposes rather than around individual employees. An employee's access rights therefore consist of the set of rights for the business purposes they perform. This is often described as role-based access control. Each of an organisation's services (or purposes) may require only a subset of the information held by the organisation. Only the information required by a service should be provided to that service. Alternatively, using a claims based model, services can validate claims without requiring access to raw identity data, for example validating whether or not someone is over 18 (a binary response) rather than disclosing their date of birth.

access authorised by users

Allowing users to manage how services access their personal information provides an opportunity to justify the need for the personal information and to explain how the information will be used, increasing user involvement and trust in the system. User authorisation of access to their personal information is only necessary when the user's personal information changes or the service changes, rather than per access event. User authorised access allows users to control the personal information, or persona, that they present to a service, rather than having their service identity specified solely by the request from the service provider organisation.
User authorisation of access can be finer than grant or deny decisions, and a deny decision does not necessarily prevent access to a service. For example, a service may have a requirement that the user provides contact information, but each individual contact method is optional.

7.2 linking information between systems

Principle 4.6. Public service organisations should not share personal information unless it is strictly necessary. If a public service organisation needs to link personal information from different systems and databases, it should avoid sharing persistent identifiers; other mechanisms, such as matching, should be considered. If a public service organisation believes that persistent identifiers should be shared, it must publicly explain why.

add examples of link situations

Further qualifying the types of situation where linking data is necessary would be beneficial. These may include situations where the use is a purpose the data was collected for, the use is necessary to uphold the law, or the use lessens an imminent threat to public safety [5].

links must be reliable and accurate

The method used to connect a user's records across several systems must produce accurate and reliable links. An accurate link connects all of a single user's records, without records from any other user. A reliable linking method consistently produces the same links from the same sets of personal information on multiple occasions.

clarification on persistent identifiers

Identifiers can be specific to a combination of person and system, rather than just a person, preventing direct matches between different systems' identity repositories. Links are therefore established through a central link mechanism which groups these identifiers by user with a minimal amount of personal information. Access to the link mechanism is only granted in circumstances where linking systems is necessary, and only for the systems involved in the particular link.

[4] Many of these models are discussed in the recommended document Identity Governance Framework, Oracle White Paper, November, Phillip Hunt and Prateek Mishra
[5] Examples from New Zealand Privacy Act, Principle 10: Limits on use of personal information
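The purpose-based access rights and the over-18 claim described under 7.1 (role based access control), as an added Python example; this is not code from the response or from dns. The identity records, purposes and staff roles are constructed; `today` is taken as an ISO date string purely so results are reproducible.

```python
from datetime import date
from typing import Dict, Optional, Set

# Constructed identity store: the organisation's master record per person.
IDENTITY_STORE: Dict[str, Dict[str, str]] = {
    "user-1": {"name": "Alice Example", "date_of_birth": "1990-05-04", "address": "83 Princes Street"},
    "user-2": {"name": "Bob Example", "date_of_birth": "2010-01-20", "address": "16 St Martin's le Grand"},
}

# Role-based access control: each business purpose is entitled to a subset of
# attributes. No purpose is entitled to date_of_birth, so that value can only
# ever be consulted through a claim, never read out.
PURPOSE_ATTRIBUTES: Dict[str, Set[str]] = {
    "library": {"name"},
    "council-tax": {"name", "address"},
}

# A staff member's rights are the union of the purposes they perform.
STAFF_PURPOSES: Dict[str, Set[str]] = {
    "librarian": {"library"},
    "revenue-officer": {"council-tax", "library"},
}


def attributes_for(staff_member: str) -> Set[str]:
    """Attributes a staff member may read, derived from their purposes."""
    allowed: Set[str] = set()
    for purpose in STAFF_PURPOSES.get(staff_member, set()):
        allowed |= PURPOSE_ATTRIBUTES.get(purpose, set())
    return allowed


def read_attributes(staff_member: str, user_id: str) -> Dict[str, str]:
    """Release only the attributes the caller's purposes require."""
    record = IDENTITY_STORE.get(user_id, {})
    allowed = attributes_for(staff_member)
    return {key: value for key, value in record.items() if key in allowed}


def _age_on(born: date, today: date) -> int:
    years = today.year - born.year
    if (today.month, today.day) < (born.month, born.day):
        years -= 1
    return years


def verify_claim(user_id: str, claim: str, today: Optional[str] = None) -> Optional[bool]:
    """Claims-based check: answer a yes/no question from the raw data without
    releasing it. Returns None for an unknown user or an unsupported claim."""
    record = IDENTITY_STORE.get(user_id)
    if record is None:
        return None
    reference = date.fromisoformat(today) if today else date.today()
    if claim == "over_18":
        return _age_on(date.fromisoformat(record["date_of_birth"]), reference) >= 18
    return None


if __name__ == "__main__":
    print(read_attributes("librarian", "user-1"))
    print(read_attributes("revenue-officer", "user-1"))
    print(verify_claim("user-2", "over_18", today="2024-01-01"))
```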
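The central link mechanism described under 7.2 (clarification on persistent identifiers), as an added Python example rather than code from the response or from dns: identifiers are derived per person and per system with an HMAC, so repositories cannot be joined directly, and translation between systems is only answered for an authorised pair. The master key, system names and people are constructed.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, Optional, Set


class LinkMechanism:
    """Central link mechanism. It knows a person only by an opaque link key and
    the per-system identifiers derived from it, and holds no other personal
    information. Identifiers are system-specific, so two systems cannot be
    joined directly on a shared persistent identifier."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        # link_key -> {system name: identifier used by that system}
        self._groups: Dict[str, Dict[str, str]] = {}
        # Pairs of systems for which linking has been authorised.
        self._authorised: Set[FrozenSet[str]] = set()

    def identifier_for(self, link_key: str, system: str) -> str:
        """Derive the identifier a system uses for a person. Deterministic
        (reliable) and keyed by system name, so unrelated across systems."""
        message = system.encode("utf-8") + b"\x00" + link_key.encode("utf-8")
        digest = hmac.new(self._master_key, message, hashlib.sha256).hexdigest()
        return digest[:32]

    def register(self, link_key: str, system: str) -> str:
        """Record (and return) the identifier for a person within one system."""
        ident = self.identifier_for(link_key, system)
        self._groups.setdefault(link_key, {})[system] = ident
        return ident

    def authorise_link(self, system_a: str, system_b: str) -> None:
        """Approve linking between exactly these two systems."""
        self._authorised.add(frozenset({system_a, system_b}))

    def link(self, requesting_system: str, identifier: str, target_system: str) -> Optional[str]:
        """Translate a person's identifier in the requesting system into the
        target system's identifier, only for an authorised pair of systems."""
        if frozenset({requesting_system, target_system}) not in self._authorised:
            return None
        for ids in self._groups.values():
            if ids.get(requesting_system) == identifier:
                return ids.get(target_system)
        return None


def demo() -> Dict[str, object]:
    """Worked run with a constructed master key and two constructed people."""
    lm = LinkMechanism(b"constructed-demo-master-key")
    lib_a = lm.register("person-A", "library")
    tax_a = lm.register("person-A", "council-tax")
    lm.register("person-B", "library")
    lm.register("person-B", "council-tax")
    before = lm.link("library", lib_a, "council-tax")   # None: pair not yet authorised
    lm.authorise_link("library", "council-tax")
    after = lm.link("library", lib_a, "council-tax")    # person-A's council-tax identifier
    other = lm.link("library", lib_a, "housing")        # None: housing is not in the link
    return {"ids_differ": lib_a != tax_a, "before": before, "after": after == tax_a, "other": other}


if __name__ == "__main__":
    print(demo())
```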
8 education and engagement

8.1 educate people about identity management and privacy issues

Principle 5.2. Public service organisations must ensure that staff or contractors who handle personal data on their behalf have and maintain a good working knowledge and understanding of identity management and privacy.

Principle 5.3. Public service organisations must take steps to ensure that their customers have enough information to make informed decisions about identity management and privacy.

introduction of a breach disclosure principle

In order to foster transparency with the public, we strongly advocate the addition of breach disclosure to the education and engagement principles, as recently legislated by the majority of states in the USA. Privacy breaches include the theft, loss or inadvertent disclosure of identity information. Disclosure of a breach could require either reference to the ICO for guidance or the notification of affected service users. Breach disclosure makes public service data controllers accountable to users and provides an official mechanism for responding to press coverage. As part of the organisation's responsibilities under 5.8 (duty to repair or redress), it may be required to inform the user of any actions they should take in the event of a breach, in addition to the actions required of the organisation. Disclosure laws are not a magic bullet solution to the problem of identity theft. A study on the impact of USA data breach laws found that breach laws have had a minimal effect in reducing identity theft but can contribute to improved data handling practice and user education [6].

[6] Do Data Breach Disclosure Laws Reduce Identity Theft?, Carnegie Mellon University
9 conclusions

The current Proving Identity and Entitlement principles implicitly include risk appropriate login. Adding a principle of risk appropriate login clarifies that the authentication methods used must be sufficient for the circumstances (1.3, 1.5) and that the user's services may influence the choice of authentication methods available to them (1.7). The e-government Strategy paper Registration and Authentication Framework recognises four authentication levels, ordered by the severity of the consequences of a misappropriation of a user's identity. New Zealand's igovt authentication service uses a user name and password for most services and adds a one-time password, generated from a device or sent to the user's mobile phone, as a second factor for services that require extra security.

A single sign-on access management system provides benefits in two areas: user experience, increasing convenience and consistency, and a common access management infrastructure for service providers, avoiding re-inventing login for each organisation. Access management systems accelerate the development of service provider systems by providing packaged authentication, authorisation and audit integration points. Although single sign-on is a central system, it has the distinct business purpose of authenticating users to services and should share only the information necessary to achieve this purpose with service provider systems.

The proposed principles describe a user centric identity system, which provides users with visibility of and control over their relationships with government organisations' systems, including how these systems collect and use their personal information. Extending the access control principle (4.4) to include user authorisation of access to personal information extends the commitment to the Education and Engagement principles.
Involving the user in the authorisation of access to their personal information provides an opportunity to inform users which information is required or optional for a service and how the information will be used, and gives users control.

We recognise the need for a concise definition of identity management and privacy principles. However, as always, the proof is in the quality of the design, implementation and operational management. Identity and privacy are complex subjects and we therefore recommend the creation of a guidance document, complementary to the principles, that provides greater context to aid interpretation, discusses identity management methods and explains choices for system designers. dns would welcome the opportunity to participate in the creation of such a document.
More informationMandatory data breach notification in the ehealth record system
Mandatory data breach notification in the ehealth record system Draft September 2012 A guide to mandatory data breach notification under the personally controlled electronic health record system Contents
More informationDo you have a private life at your workplace?
Do you have a private life at your workplace? Privacy in the workplace in EC institutions and bodies Giovanni Buttarelli In the course of his supervisory activities, the EDPS has published positions on
More informationPersonally Controlled Electronic Health Record System: Legislation Issues Paper
Personally Controlled Electronic Health Record System: Legislation Issues Paper Introduction The AMA has reviewed the Personally Controlled Electronic Health Record System: Legislation Issues Paper. The
More informationData Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
More informationInformatics Policy. Information Governance. Network Account and Password Management Policy
Informatics Policy Information Governance Policy Ref: 3589 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationCOUNCIL OF THE EUROPEAN UNION. Brussels, 7 October 2003 (OR. en) 12858/03 RECH 152 OC 589
COUNCIL OF THE EUROPEAN UNION Brussels, 7 October 2003 (OR. en) 12858/03 RECH 152 OC 589 LEGISLATIVE ACTS AND OTHER INSTRUMENTS Subject : Council Decision on the signing of the Framework Agreement between
More informationFrequently Asked Questions on new guidance for email in NHSScotland
May 2012 Approved Frequently Asked Questions on new guidance for email in NHSScotland 1) Why the need for new guidance? There is confusion as to what can be sent between NHSScotland boards, to business
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationCredit Reporting Privacy Rules
Credit Reporting Privacy Code 2004 Incorporating: Amendment No. 3 and Commentary Privacy Commissioner Te Mana Matapono Matatapu NEW ZEALAND CREDIT REPORTING PRIVACY CODE 2004 PART 1: PRELIMINARY 1. Title
More informationInformation Commissioner s Office. ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974
Information Commissioner s Office ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974 14 November 2013 1 Contents Introduction Response Further issues About the ICO The ICO
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationSelling Telematics Motor Insurance Policies. A Good Practice Guide
Selling Telematics Motor Insurance Policies A Good Practice Guide April 2013 1 INTRODUCTION 1.1 The purpose of the guidance This guidance sets out high-level actions that insurers should seek to achieve
More informationPREPLY PRIVACY POLICY
PREPLY PRIVACY POLICY Effective Date: November 21, 2012. Welcome to Preply! This Privacy Policy discloses FindGuru, Inc. s ( Preply, we, us or our ) privacy practices and procedures in connection with
More informationPractice Note. 10 (Revised) October 2010 AUDIT OF FINANCIAL STATEMENTS OF PUBLIC SECTOR BODIES IN THE UNITED KINGDOM
October 2010 Practice Note 10 (Revised) AUDIT OF FINANCIAL STATEMENTS OF PUBLIC SECTOR BODIES IN THE UNITED KINGDOM The Auditing Practices Board (APB) is one of the operating bodies of the Financial Reporting
More informationBHF Southern African Conference
BHF Southern African Conference Navigating the complexities of the new legislative framework Peter Hill, Director: IT Governance Network TOPICS TO BE COVERED The practical implementation of the PPI Act
More informationINTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL
INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM AUTHOR DISTRIBUTION David Beaton Director of Finance and Corporate Resources Internal Audit
More informationSubmission. Ministry of Economic Development. Draft Insolvency Law Reform Bill Discussion Document. to the. on the
Submission by to the Ministry of Economic Development on the Draft Insolvency Law Reform Bill Discussion Document 11 June 2004 PO Box 1925 Wellington Ph: 04 496 6555 Fax: 04 496 6550 1. INTRODUCTION 1.1.
More informationInformation security management guidelines
Information security management guidelines Agency cyber security responsibilities when transacting online with the public Version 2.1 Approved July 2014 Amended April 2015 Commonwealth of Australia 2013
More informationCONSUMER INSURANCE LAW: PRE-CONTRACT DISCLOSURE AND MISREPRESENTATION
THE LAW COMMISSION AND THE SCOTTISH LAW COMMISSION CONSUMER INSURANCE LAW: PRE-CONTRACT DISCLOSURE AND MISREPRESENTATION Joint Report SUMMARY 1.1 The English and Scottish Law Commissions recommend new
More informationCorporate Policy and Strategy Committee
Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset
More informationUnited Kingdom. London W1J 6QE. FCA Register No: 446677 HA6 1NW. United Kingdom
Privacy Policy For the purposes of trading CFDs and Spread Betting, 3D Markets Ltd has introduced you to 3D Market Trading, which is a trading name of Spread Co Limited ('Spread Co'), registered office
More informationElectronic business conditions of use
Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms
More informationAccess Control Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationService Level Agreement for the Introduction of Permanent and/or Fixed Term Contract Staff
Service Level Agreement for the Introduction of Permanent and/or Fixed Term Contract Staff TABLE OF CONTENTS: 1. INTRODUCTION... 2 2. DEFINITIONS... 2 3. EXPECTED SERVICES AND RESPONSIBILITIES... 3 4.
More informationEducation and Training Committee, 10 March 2011. Professional indemnity insurance. Executive summary and recommendations.
Education and Training Committee, 10 March 2011 Professional indemnity insurance Executive summary and recommendations Introduction This paper appeared as a paper to note at the Council meeting on 10 February
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September
More informationSCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES
SCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES 1 1 Definitions In these conditions:- We means Scotland s Commissioner for Children and Young People,
More informationTELEFÓNICA UK LTD. Introduction to Security Policy
TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15
More informationYour Agency Just Had a Privacy Breach Now What?
1 Your Agency Just Had a Privacy Breach Now What? Kathleen Claffie U.S. Customs and Border Protection What is a Breach The loss of control, compromise, unauthorized disclosure, unauthorized acquisition,
More informationElectronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012
Electronic Messaging Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst Retention
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationAudit and Performance Committee Report
Audit and Performance Committee Report Date: 3 February 2016 Classification: Title: Wards Affected: Financial Summary: Report of: Author: General Release Maintaining High Ethical Standards at the City
More informationMIS Privacy Statement. Our Privacy Commitments
MIS Privacy Statement Our Privacy Commitments MIS Training Institute Holdings, Inc. (together "we") respect the privacy of every person who visits or registers with our websites ("you"), and are committed
More informationLancashire County Council Information Governance Framework
Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice
More informationVodafone New Zealand Microsoft Privacy Statement Dated: August 2013
Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013 This Microsoft privacy statement sets out how your personal information is used by Vodafone in connection with the provision of the Microsoft
More informationData Protection Breach Management Policy
Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/
More informationBy email to: CompanyFilingReqts@bis.gsi.gov.uk. 22 November 2013
By email to: CompanyFilingReqts@bis.gsi.gov.uk 22 November 2013 To: Company Law Simplifications Team The Department for Business, Innovation and Skills Spur 2, Level 3 1, Victoria Street London SW1H 0ET
More informationDATA PROTECTION LAWS OF THE WORLD. India
DATA PROTECTION LAWS OF THE WORLD India Date of Download: 6 February 2016 INDIA Last modified 27 January 2016 LAW IN INDIA There is no specific legislation on privacy and data protection in India. However,
More informationMENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose
MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY Index: Introduction Information is a Corporate Resource Personal Responsibility Information Accessibility Keeping Records of what we do Ensuring
More informationCouncil Policy. Records & Information Management
Council Policy Records & Information Management COUNCIL POLICY RECORDS AND INFORMATION MANAGEMENT Policy Number: GOV-13 Responsible Department(s): Information Systems Relevant Delegations: None Other Relevant
More informationCloud Software Services for Schools
Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationINFORMATION GOVERNANCE POLICY: NETWORK SECURITY
INFORMATION GOVERNANCE POLICY: NETWORK SECURITY Original Approved by: Policy and Procedure Ratification Sub-group on 23 October 2007 Version 1.2 Approved by: Information Governance Group Approval Date:
More informationData Protection Act 1998. Bring your own device (BYOD)
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
More informationINFORMATION SECURITY MANAGEMENT POLICY
INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June
More informationMEMBI PRIVACY POLICY
MEMBI 1 PURPOSE OF OUR POLICY 1.1 Membi Limited (Company Number 09775238) of 396a Kingston Road, Kingston Road, London SW20 8LL, United Kingdom (Membi, we, us or our) provides the services offered on the
More informationInformation Governance Policy
Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise
More informationFederal Trade Commission Privacy Impact Assessment
Federal Trade Commission Privacy Impact Assessment for the: W120023 ONLINE FAX SERVICE December 2012 1 System Overview The Federal Trade Commission (FTC, Commission or the agency) is an independent federal
More informationStandard conditions of electricity supply licence
Gas and Electricity Markets Authority ELECTRICITY ACT 1989 Standard conditions of electricity supply licence SECTION A: STANDARD CONDITIONS FOR ALL SUPPLIERS Standard conditions 1 to 6: General arrangements
More informationSUBMISSION FROM GREENBELT GROUP LIMITED
SUBMISSION FROM GREENBELT GROUP LIMITED 1. Greenbelt Group Limited, (No.SC192378) of Abbotsford House, Abbotsford Place, Glasgow G5 9SS, (GGL) invites the Committee to have regard to the following submissions
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationOnline Banking Terms and Conditions and Privacy Policy
Online Banking Terms and Conditions and Privacy Policy These terms and conditions are our agreement with you for Online Banking and our Mobile Banking App they tell you how our Online Banking and our Mobile
More informationThe newly adopted Luxembourg Law on electronic archiving. Luxembourg has taken a crucial step towards a paperless office.
The newly adopted Luxembourg Law on electronic archiving Luxembourg has taken a crucial step towards a paperless office. In July 2015, after two years of discussions, the Law relating to electronic archiving
More information