Site guide

My attempt at simplifying the Data Protection Act.

My blog updates

  • Filing cabinet breaches
    Feb 1, 2010
    I like to analyse the ICO's undertakings and enforcement notices to see whether there are lessons you can learn from other people's unfortunate mistakes. ...
  • Data Sharing and the Blue Badge Parking Scheme
    Jan 13, 2010
    Back in 2008 the government announced that they were going to reform some of the ways the disabled parking / blue-badge scheme worked to reduce the amount of fraudulent use. ...
  • The future of privacy talk at ORG
    Dec 6, 2009
    Bruce Schneier spoke on the subject of The Future of Privacy at the Open Rights Group on Friday. ...
  • Abuse of radio buttons and check boxes
    Dec 5, 2009
    I’m particularly sensitive to interface design and I saw a real horror this week. ...
  • Understanding the Verity Trustees breach
    Nov 30, 2009
    It feels like the ICO has a target of publicising one major breach a week.  This week was the turn of Verity Trustees Limited, the trustee organisation behind The Pensions Trust. ...

Help with data protection and information security

Taking proper care of the personal data your organisation collects, uses and stores is really important.

It’s best to do this by taking an integrated approach that looks at how you manage personal data from both a privacy / data protection perspective and an information security perspective.

Looking at data protection and information security in isolation from each other leaves big gaps for people’s data to fall through, and also for regulators to investigate.

This is my simple five-phase approach to looking after people’s data.

  1. Document how data enters, moves through and leaves your organisation. You need to know what data you have, what you do with it, where it is and where it can go.
  2. Make sure that each time you use personal data you comply with the eight principles of the Data Protection Act.
  3. Understand the impact that a loss of confidentiality, availability or integrity of the data would have on your organisation and on the people whose data you hold.
  4. Work out the likelihood that those losses will occur and put appropriate measures in place to prevent them happening.
  5. Keep doing this well. Information security and good personal data protection are an ongoing and evolving process, not a one-off goal to be achieved.

I’m John Elliott and I help organisations to look after personal data and manage their information security. In some cases I guide an organisation through all five phases, in others I just help in one particular area. I’m building this web site to share information and some of my materials. Like security though, the web site is an ongoing process and consulting activities mean that I don’t update the site as frequently as I’d like to.

I hope you find the materials here useful, and please forgive any that are obviously on their way, but not completed. If you have comments or questions then I’d love to hear from you.

Don’t ignore warning signs

I’m often called in just after “something bad” has happened.

Organisations don’t pay enough attention to the early warning signs that there’s something wrong with their security. It could be a small thing, like a missing USB drive, or your data turning up in places you didn’t expect. It could be a recent trend in system unavailability or systems having ‘wrong data’.

These are warnings: there’s no data-smoke without information fire.

It’s better to find out where the smoke is coming from, before the information fire engulfs you. It is always much cheaper to fix security problems when you first see these warning signs than it is to deal with an urgent breach remediation programme.

Get ready for changes in data protection

From April 2010 the Information Commissioner (who is responsible for policing the Data Protection Act) will have the power to fine organisations that breach the Act. The Ministry of Justice is currently consulting on the proposed maximum penalty of £500,000, and the Information Commissioner has published his draft guidance describing when he would levy a penalty.

Making sure your information is secure and you comply with the Data Protection Act can seem daunting, but once you strip it down to the bare essentials it is really easy to understand.

Whenever you get, use or share people’s data, you need to make sure you follow these simple principles:

  1. Be fair when you get, use and share data
  2. Tell people what you will do with their data – do nothing more
  3. Only get and use data you need
  4. Ensure you hold accurate data
  5. Delete data you no longer need
  6. Respect people’s rights over personal data
  7. Make sure you don’t lose data
  8. Be careful if you send data to other countries