ICO SME data protection workshop 25 September, NEC
- Arline Warner
Transcription
1 ICO SME data protection workshop 25 September, NEC Information security & working with government Amanda Hillman Data Sharing & Data Protection Manager Claire Francis Supply Chain Information Assurance Team
2 Part 1: Intro - why we care about the DPA. About us: Alan Harriman, Data Sharing & Data Protection Policy Team; Claire Francis, Supply Chain Information Assurance Team.
3 Part 1: Intro - why we care about the DPA. About the Department for Work and Pensions: DWP is very big, and does a lot of different things; each year we: All of which generates an awful lot of personal data. DWP is data controller for one of the largest sets of citizen data in Europe.
4 Part 1: Intro - why we care about the DPA. DWP and contracted services: One of the things we do a lot of is contracting, which is why we are here: Drive across government to increase opportunities for SMEs in delivering services; We are a big data controller, it really is important to us to do data protection well; If you have a good understanding of DPA issues, it makes it easier for us to deal with you, and vice versa.
5 Part 1: Intro - why we care about the DPA. DWP and contracting: DWP has a diverse supply base; With large numbers of suppliers to deal with; Various types of contracts; We rely on suppliers to protect the millions of DWP data assets out there. Therefore DWP must build requirements into contracts, in order to avoid the following:
6 Part 1: Intro - why we care about the DPA. Risk impact - data loss is a headline favourite: DATA CONTROLLERSHIP can be shared, but for our data DWP would usually be the target of the headline.
7 Part 1: Intro - why we care about the DPA. What are we trying to protect and why? Any premises, systems, information or data which is owned, occupied, used by or in the possession of the Authority. The public are entitled to expect that Government will protect their privacy and use and handle information professionally. Departments are best placed to understand their information and to protect it, but need to do so within a context of clear minimum standards ensuring protection of personal information. SPF - MANDATORY REQUIREMENT 2: Departments must ensure that their Agencies and main delivery partners are compliant with this framework, and must consider the extent to which those providing other goods and/or services to them, or carrying out functions on their behalf, are required to comply.
8 Part 2: Why you should care about the DPA. In the good old days, life was simple: We outsourced simple departmental activities; Personal data processed only as the contract specified; DWP was the data controller, contractors were data processors; DPA compliance = do what the contract says; Liability was also simple - if it went wrong, it was our fault as the data controller.
9 Part 2: Why you should care about the DPA. In the good old days, life was simple: DWP: We specified the purpose and manner of processing, and pays for it. Data flow. Contractor: Provider does what the contract requires. Simple liability.
10 Part 2: Why you should care about the DPA. In these exciting and innovative times: Complex funding models, payment by results; Common or shared goals, and purposes; Services used by multiple departments (and data controllers) using the same contract; Mix of off the peg and bespoke services; Data being processed for multiple/overlapping purposes.
11 Part 2: Why you should care about the DPA. So exciting we need two slides: Management through third parties; Delivery by organisations (third sector etc) that exist to do this kind of thing anyway; Devolution; Lots of joint controllership going on.
12 Part 2: Why you should care about the DPA. What exciting and innovative looks like: EU, DWP, Other central govt, Local govt, Non-govt; Funding, Defines purpose, Requires data, Manage contract, Uses service, Uses partner orgs; Liability?????
13 Part 2: Why you should care about the DPA. Compliance and liability: DPA compliance with our contractors used to mean trying to make sure contracts were being followed to the letter. Now it's more about building a relationship, making sure that all parties are doing the right thing, have the necessary capability. Liability used to be pretty straightforward - if we were paying for service, most likely it's our problem if it goes wrong. In more complex services, it will depend what goes wrong, who dropped the ball, how things came to be done that way.
14 Part 2: Why you should care about the DPA. DWP accountabilities: DWP's maturity in Data Protection and information assurance is tested and measured against the Government's Information Assurance Maturity Model. DWP manages internal through year reporting to ensure that evidence of activities with and by supplier organisations is real and present. Subject areas include: Leadership and Governance; Training, Education and Awareness; Information Risk Management; Through-life Measures; Compliance.
15 Part 3: Practical advice. Liability and the basics: DWP is a large organisation and data controller for a huge amount of personal data, which enables/requires us to have a lot of DPA resources in place. If you're working with DWP, even in a simple controller/processor relationship, we'll expect you to know what you're doing and have the basics in place. Staff training, key roles, plans for dealing with DPA problems, being clear about how you handle personal data. There are plenty of resources to help you do this: Our provider guidance, ICO website, BIS, ask that nice Mr Google.
16 Part 3: Practical advice. DWP Contracting provisions: Data Handling terms and conditions; Specific security schedule; Requirement for a supplier security plan. Bearing in mind: Risk and Proportionality; Value of contract not an indicator.
17 Part 3: Practical advice. Why robustness within contracts matters: Supplier responsibility to protect data we are entrusting to them. Cannot ensure protection without our suppliers. Suppliers are our Data processors (most of the time)/sometimes joint data controllers. The questions and requirements within contracts are important; however, we do aim for proportionality. Sometimes the level of data and volumes do not allow for this.
18 Part 3: Practical advice. Key requirements - supplier security measures: Appropriate technical and organisational measures to keep data safe in accordance with the principles of the Data Protection Act. Need to understand suppliers around the following, for example: Personnel Security - staff vetting, access control, training, awareness, organisational culture and incident management; Premises and Physical Environment Security - building security, perimeter, access controls, secure areas; Communications Management and Security - use of office systems, encryption, retention, storage, archiving and destruction, monitoring, business continuity; Portable Media Security - encryption, policies, guidance on usage, asset management; IT system Security - IT architecture, backup, hardware, anti-virus measures, patching, audit and testing.
19 Part 3: Practical advice. Security policies vs technical security measures: If your security relies on your employees getting things right 100% of the time, how much confidence can you (and we) have in that? Does your security response plan look like this? In general, if there's a technical fix, use it - or expect to be asked why you didn't in the event that someone makes a mistake. Examples: USB devices, links and URLs, laptop encryption.
20 Part 3: Practical advice. Security incidents - if things go wrong: Tell us (if it's us you're working for). Tell us soon, as soon as practicality permits and before you start telling other people. But don't let that stop you putting it right, or stopping it happening (eg fixing the website, replacing the window etc). Why? So we can agree handling, what needs doing about the incident, who needs to be told, agree press lines if necessary, stop us falling out unnecessarily. And we might actually be able to help, it's in our interest to if we can!
21 Part 3: Practical advice. Security incidents - how to avoid things going wrong: There's a lot of focus and attention on cyber, BIS have already talked about that sexy cyber stuff. But actually most of what gives people headaches is around good old-fashioned mistakes; putting the wrong address on an envelope or the electronic equivalent, losing laptops. Think about how much of your security is based on telling your staff to do/not do things? Breaking news: People don't always do what they're told; People sometimes make mistakes.
22 Part 3: Practical advice. How to stay out of the headlines: Standards and requirements fully understood and adhered to. Practise robust security measures and plans. DWP has assurance of that. As new threats emerge - suppliers maintain appropriate countermeasures to protect assets. Talk to the Department if you have any uncertainty. Lost DWP data? Act without delay - contact DWP first. We have a relationship with, and will contact, the ICO.
23 Part 3: Practical advice. Security standards and guidance: Government security standards can be pretty demanding. Don't expect it to be easy. We have to require the same kind of standards of you that we would apply ourselves if you are handling our customers' info. But this does offer you some benefits as well, both in protecting your business itself, and being in a better position to handle other government contracts once you have the knowledge and capability.
24 Part 3: Practical advice. Security standards and guidance: Most of our provider guidance and info from previous contract tenders is on the internet - that makes it pretty clear what kind of things we expect and require by way of security. The bidding process gives plenty of opportunities to ask questions, use it if you want clarification on something. Much of this isn't new, solutions are already out there; unless you are working in defence the kind of measures needed are just good industry practice.
25 Part 4: Closing thoughts. DPA snagging list - things that can be complicated: The cloud & offshoring non-ea hosted; Cross-government services and contracts; Lack of clarity about who is doing what for whom; Use of consent, confusion with fair processing.
26 Part 4: Closing thoughts. Useful links: Cabinet Office Supplier Assurance Framework Good Practice Guide (ile/255915/supplier_assurance_framework_good_practice_guide.pdf); DWP internet pages on Data Protection: Contains Data protection and information security; DWP Security Policy for Contractors; Data security training and awareness slide pack for DWP suppliers and their employees delivering DWP contracts.
27 Part 4: Closing thoughts. Cabinet Office; CESG; Data Protection Act. DWP Supply Chain Information Assurance Team: Commercial Directorate team set up to assist DWP in meeting the requirements of the Govt Data Handling Review; Has specific policy and coordinating responsibilities to guide and develop DWP Information Assurance activities with regard to ALL of DWP's commercial Supply Chain; To work across and within DWP commercial work streams aiming to meet requirements of the Cabinet Office Security Policy Framework and the Information Assurance Maturity Model.
28 Part 4: Closing thoughts. Communications and other considerations: Internet; Supplier Assurance Framework; Workshops and awareness sessions with staff and suppliers; Supplier visits.
29 Part 4: Closing thoughts. How we can help: Good context and understanding of DWP commercial business as well as security requirements. Can link to relevant DWP experts and stakeholders. Run guidance pages, advice and aide-memoires, training packages. Often contacted by other departments for support. Proportionality a key facet.
30 Part 4: Closing thoughts. Key points: Look at our provider guidance - don't just read the DPA section; Look at the ICO's guidance, and their enforcement news; Look at Privacy Impact Assessment info on the internet, that gives a pretty good idea of the kind of questions/issues we will focus on; Most DPA issues aren't rocket science, they are what most people would expect as good practice anyway; If it feels wrong, it probably is wrong - ask if you have problems!
31 Part 4: Closing thoughts. Er, that's it: Thanks for your time! Questions?
32 Keep in touch Subscribe to our e-newsletter at or find us on
More informationStakeholder workshop Central government. Thursday 26 March 2015
Stakeholder workshop Central government Thursday 26 March 2015 Welcome Sue Markey Government and Society Team Strategic Liaison Introductions This afternoon s programme 13.30 14.20 Data Protection and
More informationData-Centric Security. New imperatives for a new age of data
Data-Centric Security New imperatives for a new age of data Out-maneuvered, outnumbered, outgunned Things are not going well. The phones have gotten smarter, the data s gotten bigger, and your teams and
More informationNew EU Data Protection legislation comes into force today. What does this mean for your business?
24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )
More informationInformation Security Policy
Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationDataguard Advantage. cyber liability. Company information. Company name(s) Postal address. Postcode. Website address
cyber liability Dataguard Advantage APPLICATION Form Company information Company name(s) Postal address Website address Date established Date of financial year end Postcode No. of employees Currency of
More informationInformation audits in a perimeter-less world
Information audits in a perimeter-less world Jayesh Kamat Practice Head Risk Advisory services Seclore Partner The Business Challenge Information Value Some day, on the corporate balance sheet, there will
More informationNavigating the Privacy Law Landscape - US and Europe
21 January, 2015 Navigating the Privacy Law Landscape - US and Europe Roberta Anderson, Partner, K&L Gates, Pittsburgh Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin Etienne Drouard,
More informationLauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.
Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release
More informationData Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance
Data Protection HEADLINE PART Developments: 1 Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance Sub-headline Arial 18pt dark gray Optional Name Arial 13pt italic white Venue
More informationWe then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.
Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationCloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL
Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)
More informationBusiness Opportunity Enablement through Information Security Compliance
Level 3, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 Business Opportunity Enablement through Information Security Compliance Page No.1 Business Opportunity Enablement
More informationHow-To Guide: Cyber Security. Content Provided by
How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses
More informationWorking Practices for Protecting Electronic Information
Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that
More informationMANAGING CYBERSECURITY INVESTIGATIONS
MANAGING CYBERSECURITY INVESTIGATIONS Tara Swaminatha, Of Counsel, Washington, DC Sam Millar, Partner, London May 12, 2016 If you cannot hear us speaking, please make sure you have called into the teleconference
More informationCPM. Application Form INSURANCE FOR CYBER, PRIVACY & MEDIA RISKS
CPM INSURANCE FOR CYBER, PRIVACY & MEDIA RISKS Application Form This is an application for a cyber, privacy and media liability package policy aimed at a wide range of companies and professionals. CPM
More informationInformation Management Handbook for Schools. Information Management Handbook for Schools London Borough of Barnet
Information Management Handbook for Schools London Borough of Barnet Document Name Document Description Information Management Handbook for Schools This document is intended for use by Barnet Borough Schools.
More informationInformation and Data Security
Information and Data Security Guidance for Knowsley Schools Version 4.0 Version Control Record: Revision Date Author Summary of Changes V1.0 19 th November 2008 L Hornsby V2.0 18 February 2010. Maria Bannister
More informationData Protection Policy
1. Introduction 1.1 The College needs to keep certain information about its employees, students and other stakeholders, for example to allow it to monitor performance, achievements and health and safety.
More information