
Is your employees’ privacy one of the first casualties in the battle to secure your information systems?

I’m speaking about the trade-off between network security and employee privacy at the International Association of Privacy Professionals (IAPP) European Data Protection Congress in Brussels on the 2nd of December.

In the face of modern cyber-threats, communication monitoring and surveillance are essential for the protection of corporate information. But monitoring technology is often intrusive on the privacy of system users and, ironically, the capabilities of modern cyber-solutions can bring increasing privacy risks for those users. What threats to user privacy are posed by IT monitoring and surveillance tools that allow network communications to be retained for subsequent analysis and replay? What are the legitimate expectations of privacy in the workplace? How can the tensions be reconciled? Here, we will examine the threats that latest-generation monitoring technologies present to the privacy of system users. We will explore the challenges involved in reconciling the need for robust system security with legal obligations to respect the privacy of system users. We will also consider strategies for managing these challenges and the associated legal risks, including privacy impact assessments (PIAs) and security risk assessments.

What you’ll take away:

  • An understanding of the privacy risks posed by latest-generation monitoring technologies.
  • Strategies for minimising privacy risks, including an appreciation of the role of consent in programmes of workplace surveillance both now and under the draft GDPR.

I’m really pleased to be co-presenting with Heledd Lloyd-Jones, a specialist privacy lawyer with Bird & Bird. Heledd sparked my interest in the intersection of privacy and information security seven years ago when I attended her brilliant ISEB Protection training course.

There are lots of other really interesting sessions at the conference. I’m particularly looking forward to “The Ten Million Dollar Question: Managing Privacy Risks in Your Supply Chain” and “Cloud Privacy: How Do International Certification Standards Fit with the Proposed EU Regulation?”

Registration for the conference is open now.

Filing cabinet breaches

I like to analyse the ICO’s undertakings and enforcement notices to see whether there are lessons you can learn from other people’s unfortunate mistakes.

Last year the Orbit housing association moved offices and in the process sold off some of their surplus-to-requirements filing cabinets. The problem was that some 57 files had been left in them. With 42 recovered, that left 15 customers’ files in the wild. The ICO insisted on an undertaking (PDF).

I resisted pointing out the obvious — that this was a bad idea — and reminding people that it is important to involve your DPA or security manager in office moves, and to embed DPA considerations into your business change process.

However, a couple of weeks ago Lancashire County Council left some social work records in an old filing cabinet that was bought by a member of the public. Again the ICO required an undertaking (PDF).

There are a couple of lessons to take from these two incidents.

  1. It is worth reminding everyone in the organisation that the Data Protection Act applies to paper files that contain personal data. Just emphasising this in the next DPA or security training may help someone stop and think.
  2. Make sure that there is a DPA or security check in all of your business change processes.