The British Computer Society has created a Personal Data Guardianship Code to help businesses and individuals deal responsibly and safely with private information. The guidelines follow two years' work during which there have been a series of major losses by government departments, private firms and even secret agents. Most of …
Where have you been living?!
"The code includes reminders that people or organisations holding data *should* be accountable..."
We all know they SHOULD be accountable! What we really need is them to be criminally LIABLE for data loss.
Submit this to the ICO to bring to the attention of the people in charge of the European Data Protection Directive, get it put into legislation, and we might be a little better off all round.
1) Didn't the two data protection acts lay out the rights and responsibilities of the data processors and data subjects quite plainly?
I seem to recall receiving, and reading, quite a lot of bumph about what we had to do, the data we were allowed to collect and how we could, and couldn't, process this data. All quite plain really.
2) Does the BCS still exist? The only BCS members that I have ever known were out of touch with current (even back then) technology, and reality for most of the time.
we know it's wrong, but we still do it.
the same principle applies to data protection. No matter how many self-appointed or government-appointed bodies, or legally enforceable rules, codes or "best practices" are laid down by anyone who thinks their opinions matter - we'll still continue to break them.
The reasons are many-fold, from the "It'll never happen to me", through "well I only did it once" to the old favourite "but it was an emergency" and finally "Really, officer ..... did I?"
So far as protecting data goes, it's just too inconvenient. All those security procedures take time and effort to comply with. Whether it means signing something out, encrypting data before travelling, not using paper copies, validating users before allowing access or banning thumb-drives and other removable storage, all of these require people to take the longer route - rather than the simple, straightforward plain copy of sensitive information. Given that people are frequently under pressure to deliver (or simply too damn lazy) it's little wonder that they take short cuts.
As it is, the only way data can be truly secured is either to prevent anyone, anywhere from accessing it (which gives rise to an existential debate: if no-one can access the data, does it really exist?) or to make the necessary security measures both the default and invisible to the users. Maybe that means keeping everything encrypted, everywhere, all the time, or making biometric access ubiquitous, I don't know. All I can say is that if organisations rely on rules or procedures or safeguards, they must expect them to be broken and ignored.
My personal favourite security method would be the IT equivalent of invisible ink: data that fades away gradually over time. Should save a fortune on backups, too.
need more case law
The Nationwide was fined nearly a million a couple of years ago for losing a database containing members' addresses under the DPA. This fine should have come from staff bonuses rather than from members, given that the members own the society. But the principle of organisations being fined for breaches needs to be upheld - if there were more prosecutions and especially if the fines ended up costing those directly responsible, those looking after personal data would be more careful.
"The code also explains the rights of individuals in respect to their data - what you have the right to see, to correct and how you can opt-out of some databases."
An individual should have the right to see EVERYTHING, that's ALL data regarding themselves which may be stored on ANY database regardless of who owns that database. Not only that, but the cost of providing the individual concerned with that data should be borne by the database holder.
If the database holder "loses" any data regardless of whom it concerns, an individual should have the right to be removed from that database and any other databases held by that party for the holder has shown themselves unfit for the handling of that data.
With the exception of some official government databases an individual should also have the right to have his/her data removed from any and every database they so desire. Even if the data holder has proved themselves competent in the handling of such data. Yes I am aware it would be impractical to have user data removed from some commercial databases such as banks.
Yes the BCS still exists and its national membership has grown to around 68,000. Can't speak for the rest of the country but round here (Merseyside) we've had recent talks from FAST, the ICO, and on topics like ID Theft, Computer Forensics and updates to PRINCE 2.
Check out your local branch. You don't always have to be a member to attend events.
Mmmm, but who's responsible? The admin clerk who took a short cut because he/she was under ridiculous pressure? The managers who created the pressure trying to make cuts in expenditure? The owners/shareholders who wanted the cuts made? The government who were responsible for the financial crisis leading to the cuts?
It's like penalty clauses in contracts: in my experience they are wonderful things for escalating a drama into a crisis, because as soon as the trouble is on the horizon the contractor moves all effort into evading the penalty clause rather than fixing the problem...
Re Anon & the BCS
The BCS has a wide remit and while I agree that some BCS members have been comic I don't think we can criticise them too much for this effort. This is the sort of activity the BCS is set up to do and if it has any effect on this issue then it will have been worthwhile. They won't be able to control the law so it's a realistic goal to create a best practice badge. Hopefully pie-eyed CIOs will be falling over themselves to add the badge to their pride and improve things from the current state of frontier Frank Spencerism.
3 simple rules
For protecting your data
1. Remove the CD/DVD burners from every unsecured PC.
2. Remove the USB/SD card/flash stick ports on the same.
3. Sack any employee using an unencrypted USB drive to move data around
There... now where's my £10 000 computer security consultancy fee?
the people in charge
are the problem, they don't know or care about the data protection act until it directly affects them.
an example from my experience: on a bit of software a new field was added to collect data for a specific purpose. 3 years later, that purpose was discontinued and when I raised that we also needed to stop collecting this field I was met with blank looks. When I cited the DPA, collecting info that we're not using in any way and don't need, I was told it wasn't important and just to leave it. (removing the field would have added a couple of weeks onto the project).
until they actually get hammered for it, the people who actually can change this don't care, try getting approval to lock down the USB ports when the managing director wants to use the USB stick he got for Christmas.
...advice from the same organisation that has a pro-Microsoft agenda, refuses professional, working scientists CSci because they're not qualified enough - but awards both CEng and CSci to its own staff, insists on using cheques because internally they can't handle electronic payments...
Money grabbing bunch of *********** just stating, once again, the obvious...
Reading the advice...
"There should be an audit trail within the organisation showing who has actually accessed personal data. "
Who currently does this? It would result in a lot of data being generated, is this something that is regarded as good practice for all organisations or just those working with particularly sensitive data e.g. medical, financial?
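As an added illustration of what such an audit trail looks like in practice (example code written for this page, not the BCS code's or any commenter's own), the following Python sketch wraps a record store so that every read of a person's record produces one log line naming the actor, a keyed pseudonym of the data subject, the stated purpose and the outcome. The store contents, the actor names and the log key are constructed for the demo; the key would come from a secrets store in a real deployment.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key for pseudonymising subject identifiers in the log.
# Assumption: a real deployment loads this from a secrets store, not source code.
LOG_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise(subject_id: str) -> str:
    """Keyed hash of the subject id, so the audit log does not become
    a second, unprotected copy of who is in the database."""
    return hmac.new(LOG_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


class AuditedStore:
    """Record store whose every read appends exactly one JSON line to the log."""

    def __init__(self, records: dict):
        self._records = dict(records)
        self.log: list[str] = []

    def read(self, actor: str, subject_id: str, purpose: str):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "subject": pseudonymise(subject_id),
            "purpose": purpose,
            "outcome": "ok" if subject_id in self._records else "missing",
        }
        # Log before returning, so a failed lookup is still recorded.
        self.log.append(json.dumps(entry, sort_keys=True))
        return self._records.get(subject_id)


def accesses_by_actor(log: list[str], actor: str) -> list[dict]:
    """All access events attributed to one member of staff."""
    return [e for e in map(json.loads, log) if e["actor"] == actor]


def accesses_to_subject(log: list[str], subject_id: str) -> list[dict]:
    """All access events touching one data subject (for a subject access request)."""
    token = pseudonymise(subject_id)
    return [e for e in map(json.loads, log) if e["subject"] == token]


def demo() -> AuditedStore:
    """Constructed scenario: two clerks, three lookups, one of them for a
    record that does not exist. Returns the store so the log can be inspected."""
    store = AuditedStore({
        "S-001": {"name": "A. Example", "postcode": "L1 0AA"},   # constructed
        "S-002": {"name": "B. Example", "postcode": "L2 0BB"},   # constructed
    })
    store.read("clerk.a", "S-001", "address change")
    store.read("clerk.a", "S-002", "billing query")
    store.read("clerk.b", "S-999", "lookup")  # no such subject; still logged
    return store


if __name__ == "__main__":
    s = demo()
    for line in s.log:
        print(line)
```

On the volume question raised above: the trail grows by one short line per access, not per field, and because the subject identifier is replaced by a keyed hash the log itself does not multiply copies of the personal data it is meant to protect. Reviewing the log for one person's subject access request, or for one clerk's activity, is a filter over those lines.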
By far the most OSes installed in business are by MS, can you now clarify why an industry body shouldn't have a pro-MS stand, or would you like them to be anti the company that supplies most of their members' work?
Having said that, without exception all of the people that I know who are in the BCS in one way or another are FOSSers/UNIXers/Mainframers who happen to use MS software as well. You almost certainly wouldn't get very far in BCS if you maintain an anti-anything stance, let alone anti-MS, because it would show how out of touch you are with business needs.
Also why should a working scientist automatically get anything from BCS? The only thing you can automatically get is membership, anything else you have to prove that you are worthy of.
And, their web site does take electronic payments from the usual suspects.
I'm living in Merseyside at the moment and I can tell you that, working as a web designer/developer (albeit freelance) and knowing several other developers, designers, coders, IT experts etc, etc, the BCS is still out of date and what's worse very few people in Merseyside actually recognise them. Add that to the fact that Merseyside is not exactly cutting edge and all you have is a moot point. Sorry.
Having done some consultancy work a while back, I drafted up a document that was just 5 pages of text. Most of that was bullet points and short paragraphs in plain English. Put simply I told them to read the document or, in lieu of that, 'Don't be Stupid'. The fact is that a USB thumb disk/drive is easy to lose; add to that there is often a misconception that just because you can use Microsoft Office you are computer literate, which means that often those who are meant to implement security plans don't know how to. Hell, even the ECDL doesn't go into preventative/security measures and that's a mandatory requirement for many Gov depts.
The simplest thing is that there needs to be greater levels of education and CPD that instructs both business owners and employees in the basics. Virus scans, password protection of removable media, correct deletion procedures... you know, the simple, yet oft-overlooked things!
IT because at one point it stood for INFORMATION TECHNOLOGY, now it's IDIOTIC TRIUMPHS