Data Privacy & Protection
As soon as you handle personal information about individuals, you have a number of legal obligations to protect that information under European data protection law (Directive 95/46/EC and the national laws implementing it, such as the Belgian Privacy Act of 8 December 1992). All public and private organisations are legally obliged to protect any personal information they hold, and may be required to notify the privacy authorities of their processing. Public authorities are also obliged to provide public access to official information. I help organisations understand these obligations and keep them updated as and when the obligations change.
In Belgium, the Belgian Privacy Commission maintains a public register of data controllers. Each register entry includes the name and address of the data controller and details of the types of personal information they process, so individuals can check the register to find out what processing of personal information a particular data controller carries out. Notification is the process by which a data controller's details are added to the register. The Data Protection Act requires every data controller who processes personal information in automated form to notify, unless they are exempt, and failure to notify is a criminal offence. This sounds very serious, and it is, especially when things go wrong in terms of privacy.
One of the main rights which the Data Protection Act gives to individuals is the right of access to their personal information. An individual can send you a subject access request requiring you to tell them what personal information you hold about them and to provide them with a copy of it, and you must reply to such a request unless an exemption applies. In most cases you must respond to a valid subject access request within the statutory deadline, counted from the day you receive it (45 days under the Belgian Privacy Act; the equivalent UK period is 40 calendar days), so record the date of receipt.
In terms of protecting personal data your organisation holds, here are some basic tips:
For computer security:
Install a firewall and anti-virus software on your computers, and keep both up to date.
Make sure that your operating system is set up to receive automatic updates.
Apply the latest patches and security updates promptly; they close known vulnerabilities that attackers actively exploit.
Give each member of staff their own account, only allow them access to the information they need to do their job, and don't let them share passwords.
Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen. This matters most on laptops, phones and removable media, which are the devices most easily lost.
Take regular back-ups of the information on your computer system and keep them in a separate place, so that if you lose your computers you don't lose the information. Test that the back-ups can actually be restored.
Securely remove all personal information before disposing of old computers, by wiping the drive with a secure erase tool or physically destroying it. Simply deleting files or reformatting the disk leaves the data recoverable.
Consider installing an anti-spyware tool. Spyware is the generic name for programs designed to secretly monitor your activity on your computer. It is often bundled with other file and program downloads and installed unwittingly, and its use is frequently malicious: it can capture passwords, banking credentials and credit card details and relay them to fraudsters. Anti-spyware tools monitor for and remove such programs, and are often free to use and update.
For those using emails:
Consider whether the content of the email should be encrypted or password protected. Your IT or security team should be able to assist you with encryption.
When you start to type in the name of the recipient, some email software will suggest similar addresses you have used before. If you have previously emailed several people whose name or address starts the same way, e.g. "Dave", the auto-complete function may bring up several "Daves". Make sure you choose the right address before you click send.
If you want to send an email to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the address it was sent to.
Be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone.
Sending a sensitive email from your own secure server does not protect it once it leaves: it may travel unencrypted between mail servers and will sit in the recipient's mailbox under whatever security they have in place. Check that the recipient's arrangements are secure enough before sending your message, or encrypt the content itself.
For those still using faxes:
Consider whether sending the information by a means other than fax is more appropriate, such as using a courier service or secure email. Make sure you only send the information that is required. For example, if a solicitor asks you to forward a statement, send only the statement specifically asked for, not all statements available on the file.
Make sure you double check the fax number you are using. It is best to dial from a directory of previously verified numbers.
Check that you are sending a fax to a recipient with adequate security measures in place. For example, your fax should not be left uncollected in an open plan office.
If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, they are ready to receive the document, and there is sufficient paper in the machine.
Ring up or email to make sure the whole document has been received safely.
Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents.
For other security:
Shred all your confidential paper waste.
Check the physical security of your premises.
Train your staff:
so they know what is expected of them;
to be wary of people who may try to trick them into giving out personal details;
so that they know they can be prosecuted if they deliberately give out personal details without permission;
to use a strong password: treat seven characters as the absolute minimum and prefer longer passphrases, since length does more for strength than mixing upper and lower case letters, numbers and special keyboard characters such as the asterisk or currency symbols; and never to reuse a work password elsewhere;
not to send offensive emails about other people, their private lives or anything else that could bring your organisation into disrepute;
not to believe emails that appear to come from your bank that ask for your account, credit card details or your password (a bank would never ask for this information in this way);
not to open spam – not even to unsubscribe or ask for no more mailings. Tell them to delete the email and either get spam filters on your computers or use an email provider that offers this service.
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. You will need a strategy for dealing with the breach, including:
- a recovery plan, including damage limitation;
- assessing the risks associated with the breach;
- informing the appropriate people and organisations that the breach has occurred; and
- reviewing your response and updating your information security.
I regularly assist organisations with the following deliverables: a strategy and programme that enables compliance with the relevant European and Belgian legislation, including Safe Harbor agreements, data privacy policies, privacy tool selection and employee awareness programmes.
I provide organisations with practical advice on how to assess their current privacy compliance and how to make practical improvements to comply with the Data Protection Act, by conducting one of the following activities:
Full Audits: these are aimed at organisations who have a basic understanding of complying with the Data Protection Act and have some policies and procedures in place, but would benefit from focused assistance in meeting their obligations. An audit provides an assessment of whether your organisation is following good data protection practice. I believe that audits play a key role in helping organisations understand and meet their data protection obligations. The audit looks at whether you have effective policies and procedures in place and whether you are following them, and includes recommendations on how to improve. You benefit from my data protection knowledge and experience, at no expense to your organisation, and it is an opportunity for your staff to discuss relevant data protection issues with me. An audit can cover all or some of the principles of the Data Protection Act (DPA). Examples of areas which may be covered in an audit include:
- data protection governance, and the structures, policies and procedures to ensure DPA compliance;
- the processes for managing both electronic and manual records containing personal data;
- the processes for responding to any request for personal data, including requests by individuals for copies of their data (subject access requests) as well as those made by third parties, and sharing agreements;
- the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form;
- the provision and monitoring of staff data protection training and the awareness of data protection.
Following agreement of a scope of work, which is formally documented in a letter of engagement, I:
- carry out an off site check of policies and procedures;
- carry out an on site review of the procedures in practice;
- provide a report which outlines good practice and any areas of improvement with practical recommendations to help you to address these where appropriate;
- write a 1-page executive summary; and
- carry out a follow up review approximately six months after the audit.
Following completion of the full audit, I provide a comprehensive practical report along with a 1-page executive summary. The audit report allows you to respond to the observations and suggestions for improvement made. My aim is to complete an audit, from first meeting to issue of the final report, within 30 working days, normally including three days at your organisation.
Advisory audits: these are for small to medium sized organisations who may be struggling to understand what they need to do about data protection and need some basic, practical advice to meet their obligations. The aim of an advisory audit is to give practical advice on how to improve data protection practice. It involves a one day visit and a short follow up report. You benefit from my knowledge and experience to identify what you are doing well and what you need to improve, and receive practical recommendations and suggestions to put things right. The expense to your organisation is limited, and you get a short report at the end which summarises what you should do next. Before the visit you get an information sheet explaining what to expect, and you will need to fill in a questionnaire which will be reviewed with you during the visit. I use the one day visit to understand what policies and procedures you have in place and how they can be improved; the visit is also flexible enough to give your staff an opportunity to ask questions. Within three days of the visit you get a short report which summarises what was seen and discussed and gives you practical advice. There are three main areas that I look at:
- Security of personal data - how you keep electronic and manual personal data secure.
- Records management – how you process records containing personal data including their creation, maintenance, and eventual destruction.
- Requests for personal data – how you handle individuals' requests for copies of their personal data and how you manage routine and one-off disclosures to other organisations.
Self assessments: the self assessment targets small organisations or public authorities within specific sectors to raise data protection awareness. The self assessment programme aims to promote good personal data protection practice within sectors where there are many smaller organisations or public authorities. The completed questionnaire results in a short report indicating areas for improvement and areas of good practice identified. The questions cover a wide range of areas, including:
- What physical security provisions do you have in buildings or parts of buildings where personal data is held?
- Do you provide people with an explanation, in writing, about what you do with their personal information?
- If you maintain a website, are you satisfied that you are not disclosing any information that people would object to?
- Do you have a CCTV system and what do you use it for? Are cameras located so that they do not intrude unnecessarily on privacy?
- Do all staff handling personal information have suitable training?
- What other organisations, including IT providers, process personal data for you?
- Do you know about time limits and fees for subject access requests?