Data Protection Issues Compliance Within Computing Organisations, The Causes, Effects and Consequences.
Project and Professional Studies Unit
1. Introduction to the Data Protection Act 1998
1.1 The Eight Principles of the Data Protection Act
i. Fairly and lawfully processed
ii. Processed for one or more limited lawful purposes
iii. Adequate, relevant and not excessive
iv. Accurate and valid and where necessary kept up to date
v. Personal data processed for any purpose shall not be kept longer than deemed necessary
vi. Processed in accordance with the data subject's rights under this Act
vii. Securely protected by appropriate technical and organisational measures
viii. Personal data will not be transferred to countries without adequate protection
2. Registration for the Data Protection Act
3. Exclusions and Exceptions
4. Typical Example of Active Data Protection Environments: Employer/Employee Relationships
5. Enforcement of Data Protection
6. Implications for System Designers: Protection from Potential Dangers
7. Implications for Customers: The Fear of Online Transactions
8. Summary
APPENDIX
THE PROBLEMS WITH DATA PROTECTION AND NEW TECHNOLOGY
EXAMPLE 1 - Marks & Spencer deny security threat
EXAMPLE 2 - Halifax Net share dealing system breached
EXAMPLE 3 - Egg admits security breach
EXAMPLE 4 - Powergen's lax security condemned
EXAMPLE 5 - Barclays security breach forces online service to close
EXAMPLE 6 - Crackers fell Cabinet Office Web site
Bibliography
1. Introduction to the Data Protection Act 1998
We have probably all heard of it, but just what is 'The Data Protection Act'? It is much maligned, often misquoted and frequently misunderstood. Naturally it is about data, which Webster's Online Dictionary defines as "a collection of facts from which conclusions may be drawn", and so we are looking at the protection of such data and its associated issues.
Data Protection is not merely something with which large companies have to comply: "Data Protection affects a huge range of individuals and organisations, both in the public and private sectors" (Rt. Hon. Jack Straw MP, Home Secretary, British Computer Society Conference 2000).
Our chief concerns are the issues governing computing businesses or organisations that store and retrieve data in any shape or form, and the challenges, threats and implications this poses to the successful deployment of technical resources. Since the Data Protection Act was first introduced in the United Kingdom in 1984, this enforceable piece of legislation has carried severe penalties for those in default of it. The 1984 Act has now been repealed and replaced by the Data Protection Act 1998 (in force from 1 March 2000), which can be viewed online at: http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm.
1.1 The Eight Principles of The Data Protection Act
The 1998 Act requires that eight principles of good practice be adhered to; personal data must therefore be:
i. Fairly and lawfully processed
This principle concerns how data are obtained as much as how they are used. Regard is to be had to the method by which the data are obtained, in particular whether the person from whom they are obtained is deceived or misled as to the purpose for which they are to be processed. Data may then only be used for the purposes for which the organisation is registered.
ii. Processed for one or more limited lawful purposes
The business organisation's registration will contain an outline of the specific purposes for which data will be used. These purposes are usually drafted broadly enough to cover all of its daily activities. Limiting the purposes also prevents the data being used for any other purpose that is incompatible with them.
iii. Adequate, relevant and not excessive
Closely related to Principle 2 above: data hoarding must not take place, particularly through the use of computer systems, and data shall not be used for purposes other than those for which they were intended.
iv. Accurate and valid and where necessary kept up to date
Throughout its life the usefulness of data naturally deteriorates; data are by nature dynamic, and this alone should give them a limited life span. Once their effectiveness has diminished over time they should be amended or removed.
v. Personal data processed for any purpose shall not be kept longer than deemed necessary
Although a relatively sensible Principle, its practicality is difficult to determine and implement: it begs the question of how long is 'necessary'? Should the matter come before the courts, it is generally regarded that normal industry procedures would be taken into account, along with any precedents already set.
vi. Processed in accordance with the data subject's rights under this Act
The belief attached to this key Principle is that the person about whom data are kept shall have access to those data, within a reasonable period of time and for a monetary fee attached to the disclosure request. More will be said of this later in the employment section.
vii. Securely protected by appropriate technical and organisational measures
To defeat unauthorised access to sensitive data, appropriate, suitable and sustainable security measures must be in place at all times. Personal data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage; the unlawful access, theft or amendment of private and personal data must at no time be allowed to compromise the ethics of the business.
viii. Personal data will not be transferred to countries without adequate protection
In particular, countries outside the European Economic Area must provide an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of the data concerned.
"Personal data covers both facts and opinions about the individual. It also covers information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply." http://www.dataprotection.gov.uk/principl.htm
2. Registration For Data Protection Act
The rigidity of the eight Principles leaves us in no doubt that data should be morally correct, ethically gained, legally stored, decent and true to the purpose they were intended to meet. When considering registration it is advisable to contemplate all of the possible uses the business will have for the stored customer data. By and large it is wiser to tick the majority of the check boxes on the application form covering the types of data held and how they will be used, so that all aspects and angles are accounted for in one action and the registration need not be updated later in the operating life of the company. A broad registration does not, however, license the collection of more data than the registered purposes actually require (Principle 3).
It is perhaps wise to let the systems managers and software engineers take part in defining the company data protection policy, which assesses and governs the handling of its basic commodity: data. Methods must be adopted that comply with the Act's Principles regarding the validation of data and the creation of lists and direct-mail databases, while at the same time providing systems robust enough to deny unauthorised access, as discussed later in this document.
3. Exclusions and Exceptions
The Act contains certain clauses and exclusions; for instance, word-processed documents are treated as exempt from the limitations of the Data Protection Act, not being deemed a true form of data processing. The exemptions covered are:
* National Security - as certified by the responsible Minister.
* Crime, taxation, payroll and accounts - exempt to assist in the prevention and detection of crime and the apprehension or prosecution of offenders.
* Health, education, medical and social work - intended to protect patients from misinterpreting their own medical records without professional guidance.
Information and data contained within medical and nursing records are of a highly confidential nature. Staff having access to this material face disciplinary action for breaching the regulations governing confidentiality, and it is also unlawful for these records to be made available to untrained and unsupervised staff.
(Adapted from Community Health Sheffield NHS Trust, Document C8 1/3, October 2000)
* Research, history and statistics - with a view to keeping potentially sensitive material, such as medical research and educational examination pass/fail details, confidential prior to publication.
* Legal disclosures and proceedings - to facilitate disclosures made in pursuit of upholding other laws, including the assessment of any person's suitability for judicial appointment or Queen's Counsel.
* Domestic purposes - covers diverse matters such as an individual's personal bank account details, small clubs or societies, church administrations with their own records and accounts, and trivial items such as personal Christmas card lists: just about any other area not used for business or professional purposes, including 'not for profit' organisations, which are mainly charities.
These exclusions are intended to relieve trivial uses from the need to register under the Act; to keep 'specialised' subsets, which require competent professionals to interpret results for medical patients and the like, under professional control; and to protect sensitive data likely to prejudice the combat effectiveness of the armed forces.
4. Typical Example Of Active Data Protection Environments
Employer/Employee Relationships
In organisations with a number of employees there are individuals about whom data are stored. Past, present and prospective staff all have records detailing their name, unique employee number and other attributes concerning their physical, physiological, mental, economic, cultural or social identity. Generally speaking this information is obtained from the individual worker and processed on the basis of informed consent. Every effort should be made by data controllers to ensure that employee data processed are accurate and valid and are not kept beyond the time needed to satisfy the purpose; once that purpose has been satisfied the data should be securely deleted. Employees have the right to obtain a copy of the data held about them by their employer. There may be a fee of up to ten pounds for this service, and its provision may be delayed by up to 40 days, during which the stored data could be cleaned before presentation.
5. Enforcement Of Data Protection
Data controllers in contravention of the Act are served an 'enforcement notice' by the Commissioner (formerly the Registrar). This requires them to comply with the Principle or Principles in question, and to do either or both of the following: to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose or in a manner so specified. In deciding whether to serve a notice the Commissioner considers whether the contravention has caused or is likely to cause any person damage or distress. The Commissioner sets an agreed period within which the controller must rectify the data, unless the severity of the case warrants an immediate response within a fixed seven-day period. Failure to comply is believed to lead to severe financial penalties through magistrates' court fines (up to £2,000, or greater via the High Court) or even closure of the business through a de-registration notice. Research has revealed records of these events as follows:
Cases tried under the Data Protection Act (source: Bott et al., 1996)
                                    1991/2   1992/3   1993/4
No. of charges under the DPA            27       68       36
  of which for non-registration         26       63       28
  of which acquitted                     0        3        0
At the same time the number of business registrations appears not to be meeting the expected figure. The cost of employing a full-time data protection officer per business is believed to be the reason behind the apathy shown towards this Act. Many also consider it unworkable because of a lack of local government funding, resulting in a catch-me-if-you-can scenario.
6. Implications For System Designers
Protection from potential dangers
The cost of implementing secure methods of protecting data must be taken into account long before the data are actually accumulated. Provisions should be made, and contingency plans laid out, that stipulate how the business will react to threats or to changes in the storage environment. All risks should be analysed before the storage methods go 'live', with every foreseeable scenario played out during the early and incremental testing stages of hardware and software fault-finding. Below, four of the major areas of concern are identified:
1. Maintenance Of Systems
Maintenance is a continuous task for systems engineers and consumes a vast amount of time as more and more functionality is bolted on to existing systems. Data protection can therefore be affected by internal work procedures, and precautions must be taken to avoid any Principle being breached through staff negligence. Three areas of maintenance are highlighted:
* Preventative - changes made before a failure occurs, so that the system keeps working as its environment changes without compromising the integrity of the current data.
* Adaptive - changes to the specification or improvements to the existing system (the latter often termed perfective maintenance), smoothing out the creases to provide a better service.
* Corrective - follows a system failure, when error correction is required; this of course means that the original testing did not reveal all possible faults before going live.
All the parties concerned must agree upon system changes, which are then fully documented at each stage, and the modified structures tested to prove the stability of the alterations. Throughout any maintenance of the system its purpose must not change unless the Data Protection register is modified accordingly.
2. Audit and Control
An acceptable model must be in place for audit controls within the financial sector to prevent a loss of public confidence. This can only occur with active evidence that the data user conforms to the Principles of the Act. Independent audit controls should be able to review the computer system and its environment with the aim of:
* Preventing or detecting unauthorised program alterations
* Confirming that testing and documentation are up to standard
* Verifying, through prevention or detection, that programs execute without errors
* Preventing or detecting unauthorised data amendment
* Ensuring correct documentation is created and kept up to date
Control of and responsibility for the system must not lie with any one person, nor must any one person alone be responsible for its completeness, accuracy and integrity.
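One concrete control behind the first and fourth audit aims above (detecting unauthorised program alteration and unauthorised data amendment) is a cryptographic baseline of the files that make up the system, taken by the audit function and compared against the live system at each review. The following is an added example, not code from the original essay or from any organisation it describes; the directory layout and file contents are constructed for the demonstration.

```python
"""Added example (not part of the original essay): a file-integrity baseline
used as an independent audit control. A manifest of SHA-256 digests is taken
when the system is accepted; a later walk of the same tree is compared
against it to detect altered programs, amended or removed data files, and
unexpected additions. The sample tree below is constructed for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under `root` (relative, '/'-separated) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the accepted baseline and the live tree."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small system, then tamper with it.

    Expected result: bin/payroll modified, backdoor.sh added,
    employees.csv removed.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "payroll"), "w") as fh:
            fh.write("original program\n")
        with open(os.path.join(root, "employees.csv"), "w") as fh:
            fh.write("id,name\n1,A. Smith\n")
        baseline = build_manifest(root)   # taken at system acceptance

        # Simulated unauthorised changes made after the baseline was taken.
        with open(os.path.join(root, "bin", "payroll"), "w") as fh:
            fh.write("patched program\n")         # program altered
        with open(os.path.join(root, "backdoor.sh"), "w") as fh:
            fh.write("echo unexpected\n")         # unexpected file added
        os.remove(os.path.join(root, "employees.csv"))  # data removed

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The control is only as independent as the manifest: it must be stored, and ideally signed, outside the reach of the staff who can change the system, which is the separation of control described in the preceding sentence. A digest mismatch does not say whether a change was authorised; it says a change happened, and the change-control documentation should then account for it.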
3. People and Security
Adequate training must be provided for all staff handling data under the Principles of the Act; negligence in this area may well lead to a breach of the seventh Principle mentioned earlier. Organisations should establish proper policies governing access to data and its supply and distribution within the establishment, and the design of security measures to protect data as the Act requires must be of paramount importance.
4. Physical Security
This covers the environment surrounding the system installation: the location, design and construction of the physical site and its terminals may all have a negative effect on the security of data if this stage is overlooked or corners are cut. Points to take into account include:
* Combustible materials - PVC furniture produces harmful gases when ignited
* Fire suppression - water sprinklers damage equipment; gas systems (carbon dioxide or halon, the latter now being phased out) respond faster
* Electrical cabling - designed to carry a continuous and regulated voltage safely
* Alternative power supplies - an emergency support measure for continuity
* Remote storage of data backups - eliminates dependence on a single system
When these points and more besides have been taken into consideration, a contingency plan needs to be put in place to deal with eventualities outside the boundaries of daily routines. Once planned, it should be given enough importance that mock disasters are scheduled regularly, perhaps annually or more often depending on the individual environment and its stability. This allows the plan to be exercised and assessed for worthiness, with a full review following any change of system configuration to highlight potential errors and incompatibility problems.
7. Implications For Customers
The Fear Of Online Transactions
Perhaps one of the major consequences of data protection security is the perceived mistrust of today's technology by potential customers; as the case examples in the appendix show, online security is being compromised, and not just at small enterprises. Although such incidents are not a regular occurrence, the experience and the negative publicity produce ill feeling amongst the customers affected, which is then brought to the attention of the general public.
"Even with the continuing occurrence of high profile security breaches, many of the security measures available are not being deployed to the extent they should be and little attempt is being made to educate consumers in a common sense way." Ian McKinnon, director of EquifaxSecure.
8. Summary
The Data Protection Act 1998 is widely regarded as a minefield for organisations and businesses. Those who process data in commercial transactions, whether by traditional methods or through the latest forms of electronic commerce, are under daily pressure to perform consistently or face the legislative consequences of the Act. The challenges they face are many and varied; earlier in this paper we looked at the main aspects and their implied consequences:
* The eight Principles to be adhered to.
* Registration by businesses in compliance with the Act.
* How certain keepers of data may be exempt or excluded from the register.
* The governing of personal data held by employers about employees.
* The powers of punishment available under the latest Act, through its enforcement.
* The tasks facing system designers and the areas of maintenance.
* The negative results of a poorly implemented system and its effects upon online customers.
From the initial stages, data storage and manipulation must be given much thought and planning: the type of data registration, the system to be used, the physical environment to be chosen and, perhaps most importantly, the staff. As with any new method, the stages of the system development life cycle have to be followed without deviation, namely requirements, analysis, design, implementation and maintenance. Particular resources must be devoted to reliability, through the testing of expected and unexpected scenarios. System robustness and the integrity of data must be rigorously verified, with each stage delivering documentary evidence. Staff training needs to be addressed to promote competence and compliance. All areas of security and systems monitoring to prevent data violations must be given great importance, coupled with independent audit controls and an incremental, staged delivery of all new system changes and amendments. Emergency contingency procedures need to be in place and fully tested as a working method of support, and daily backup of data to remote secure storage is as important as routine operations. The managers accountable for the protection of company data should share their responsibilities with other managers, so that no one person alone holds sole ownership of business security at any one time.
Many e-commerce experts think that continuing security risks will slow the growth of future transactions. There is a belief that a positive government initiative is required to stem the spate of security breaches and to instil customer confidence through an all-encompassing, acceptable business standard. The country awaits further legislative and technical action on the protection of our data; whilst businesses struggle to comply, rhetoric alone is not enough.
APPENDIX
THE PROBLEMS WITH DATA PROTECTION AND NEW TECHNOLOGY
EXAMPLE 1
Marks & Spencer deny security threat.
UK retail giant Marks & Spencer confirmed on 20 October 2000 that its Web site had experienced a malfunction that left customer information and system passwords exposed. An online customer stumbled across the information after clicking a broken link on the Web site at the weekend. Some security experts, however, disagree with the company's claim that the incident could not lead to a broader security breach. (Adapted from Knight, W. 1)
EXAMPLE 2
Halifax Net share dealing system breached.
The Halifax admitted on 29 November 1999 that a flaw in its online security had allowed a customer to gain unauthorised access to its Internet trading accounts. The bank immediately pulled the plug on its Internet share dealing system, Share Express. A spokeswoman said later, "There are bound to be a few teething troubles with any new system...". The spokeswoman confirmed that the Halifax is doing its utmost to restore the confidence of its customers. (Adapted from Knight, W. 2)
EXAMPLE 3
Egg admits security breach.
UK online bank Egg blamed "human error" on 1 December 1999 for a security breach which allowed a user to access another customer's account: "There was a breach of IT procedure, caused by human error". The Egg spokeswoman also stated that future system updates would be carried out while the site is not live, to protect customers. (Adapted from Wakefield, J.)
EXAMPLE 4
Powergen's lax security condemned
More than 7,000 Powergen customers were advised to cancel their credit cards on 7 July 2000 following one of the biggest online security breaches in the UK so far. The breach revealed the names, addresses and credit card details of customers who had used Powergen's Web site to pay their bills. The Data Protection Registrar is concerned about the situation. "We would expect any data collector to provide adequate security," says compliance manager Lorraine Godkin. "This is a breach of a principle of the Data Protection Act." (Adapted from Knight, W. and Wearden, G.)
EXAMPLE 5
Barclays security breach forces online service to close.
UK bank Barclays was hit by an online security breach on the morning of Monday 31 July 2000, which allowed at least four customers to access the bank details of other Barclays customers. The breach followed the introduction on the Saturday evening of new security infrastructure designed to strengthen the bank's defences, and forced the company to close its online services. According to a Barclays spokeswoman the breach occurred whenever two users attempted to log in at precisely the same moment. Barclays says the glitch did not become apparent during initial testing and was only uncovered when thousands of users tried to use the service simultaneously. (Adapted from Knight, W. 3)
EXAMPLE 6
Crackers fell Cabinet Office Web site.
The Cabinet Office's Web site was brought to its knees on 13 July 2000 as hackers began defacing the site, forcing its hosting company to take it offline. A spokesman admits that, as a prominent government Internet destination, the Cabinet Office Web site is constantly being targeted by computer attackers. "There have been hacking attacks in the past but we've been able to fend them off," he says. "We obviously take security very seriously and it is constantly under review." (Adapted from Knight, W. 4)
Bibliography
Boddy, D. and Buchanan, D.A. (1986). Managing New Technology. Prentice-Hall.
Bott, F., Coleman, A., Eaton, J. and Rowland, D. (1996). Professional Issues In Software Engineering, 2nd Edition. UCL Press.
Bourn, C. and Benyon, J. (1984). Data Protection: Perspectives On Information Privacy. CEU.
British Computer Society Data Protection Committee. http://www.bcs.org.uk/publicat/web/datap/data.htm
Carr, M.J., Konda, S.L., Monarch, I., Ulrich, F.C. and Walker, C.F. (1993). Taxonomy-Based Risk Identification, Technical Report CMU/SEI-93-TR-6. Software Engineering Institute.
Hook, C. (1989). Data Protection Implications For Systems Design. NCC.
Knight, W. (1). M&S Plays Down Security Exposure. http://www.zdnet.co.uk/news/2000/41/ns-18583.html Accessed: 20 October 2000
Knight, W. (2). Halifax Net Share Dealing System Breached. http://www.zdnet.co.uk/news/1999/47/ns-11813.html Accessed: 20 October 2000
Knight, W. (3). Barclays Security Breach Forces Online Service To Close. http://www.zdnet.co.uk/news/2000/30/ns-17002.html Accessed: 22 October 2000
Knight, W. (4). Crackers Fell Cabinet Office Web Site. http://www.zdnet.co.uk/news/2000/27/ns-16599.html Accessed: 22 October 2000
Knight, W. and Wearden, G. Powergen's Lax Security Condemned. http://www.zdnet.co.uk/news/2000/28/ns-16706.html Accessed: 23 October 2000
Kulik and Lazarus Consulting, Inc. http://www.klci.com Accessed: 25 October 2000
Myers, C. (1995). Professional Awareness In Software Engineering, Or Should A Software Engineer Wear A Suit? McGraw-Hill.
Wakefield, J. Egg Admits Security Breach. http://www.zdnet.co.uk/news/1999/47/ns-11862.html Accessed: 23 October 2000
Webster's Online Dictionary. http://work.ucsd.edu:5141/cgi-bin/http_webster?method=exact&isindex=Data&db=* Accessed: 15 October 2000
Wideman, R. (1992). Project and Program Risk Management: A Guide To Managing Project Risks and Opportunities. Project Management Institute.