Workshop: Data protection in the digital office
ICO Foundation SME Workshop
Technology
Overview
- Aims and objectives
- Scenario-based
- Risks in the digital office
- Cloud computing
- Mobile devices
- Office relocation
- Discuss 3 proposals
- Questions?
Aims and Objectives
- An understanding of the risks and opportunities that various work practices pose to data protection
- Not all about data security
- Help you to identify problem areas
- Introduce new ways of working
- Analyse existing practices
Scenario: My Small Business
- 7 employees
- Networked Windows XP machines
- Rely heavily on paper
- 3 employees working from central office
- 4 employees working from remote locations (home and remote offices)
- Use fax and postal services to transport paper between locations
What are the risks?
- Network security: Windows XP; Wi-Fi; firewall; anti-virus; back-ups, disaster recovery; theft; access control; end-of-life, remote access; passwords; public internet usage
- Paper: easy to lose or misplace; secure storage; lost in the post; disposal/shredding
- Fax: mis-directed faxes; fax queue; misplaced paper
- Remote locations: secure storage
Things need to change
- Rising costs: smaller head office; fewer admin staff; reduced postal budget
- Storage: move paper archive offsite
- Working with others: there is an increasing opportunity to work with other organisations
- Subject access: currently very time consuming to locate personal data
Available tools
- We know what we want to achieve
- What tools, systems or technologies are available to achieve this?
Review the proposals
- 3 proposals have been prepared for discussion
- In groups, consider the pros and cons of each scenario
- How might you improve it?
- How might you ensure that appropriate security measures are in place?
- Consider some of the ways that the data processing may be incompatible with the DPA (consider all 8 principles)
- Pretend you are an employee. How might you cause a deliberate or accidental personal data breach?
- Pretend you are an attacker. How might you find or take advantage of potential vulnerabilities?
Proposal 1: Little change from the existing work practices
- Purchase new laptops for office workers
- Dispose of XP laptops and gift 500 to remote employees to purchase their own devices to use
- Use an online file sharing portal (e.g. Dropbox, Box, Egress) to transfer data between office and remote locations
- Move paper files to archive storage
Proposal 2: Private cloud
- Purchase of new laptops (by the organisation) for both office and remote workers
- Internal network upgraded with a new infrastructure installed by an external IT services organisation
- Remote access to employees
- Employees can access email via a webmail interface from a range of different devices, including personal devices
- Historic paper files to be catalogued and moved to an offsite secure storage facility. Those older than 7 years will be disposed of.
Proposal 3: Public cloud
- Move all data to an online office productivity suite (e.g. Google Apps, Office 365)
- Register all employees with an account
- Zero local storage: all data in the cloud
- Dispose of existing IT equipment, only basic network connectivity to remain
- Data sharing by email attachment or email a URL to the data stored in the cloud
- Scan and add all archive documents to the cloud
- Dispose of remaining paper archives
Discuss in groups
What did you find?
Is there a better scenario?
ICO guidance
- A look at ICO guidance available to help you: Cloud; BYOD / Mobile; IT Security
- Learning from others' mistakes: Enforcement action
Cloud guidance
- Published 27 September 2012
- Guidance for data controllers
- Outlines a number of key risks
BYOD guidance
- Published 7 March 2013
- Guidance for data controllers
- Outlines a number of key risks
IT security
- Physical security
- Access controls
- Employee awareness and training
- Secure data on the move
- Keep systems up-to-date
- Have plans for if the worst happens
Learning from ICO casework
- Published 12 May 2014
- Review 8 common IT security failings
- Practical recommendations
Other guidance
Audit reports
Enforcement
Keep in touch
- Subscribe to our e-newsletter at www.ico.org.uk or find us on /iconews @iconews