Data Protection Consulting

  • News from Data Protection Consulting
Data Protection Consulting Newsletter
Issue 21, November 28, 2007
Smart data protection solutions for business

At the end of a month when data protection compliance hit the headlines in a big way, we have to ask: could it happen here? Give yourself peace of mind by letting us handle your data protection issues.

In this issue

    • Information security - watching the regulators
    • Jersey and the Faroe Islands approved for international transfers
    • Website accessibility - the Target case in the US
    • The consultation on the CCTV Code of Practice
    • Copyright and legal notice

email: enquiries@dp-smart.co.uk

Why not visit www.anyotherbusiness.net today and join the company secretaries' discussion forum?

Information security - watching the regulators

The issues at HM Revenue and Customs that gave rise to the security breach and loss of personal information in November 2007 were systemic but ultimately avoidable. There are a number of building blocks in any information handling and data protection policy, many of which were not in place, or were being undermined, at HMRC. These are facts that should have been picked up by routine monitoring and, in particular, by audit activity.

The Information Commissioner, Richard Thomas, said in a press release about the HMRC breach in November:

"This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every organisation about the risks of not protecting people's personal information properly."

The basic building blocks of an information handling and data protection policy

Information security is not, and cannot be, the sole responsibility of the IT department. IT security has a part to play, but it is only one of the building blocks.
Responsibility for information security and data protection is a matter for the board of directors and senior executive management of the organisation.

Step one: Senior executives take responsibility for information handling and data protection policy. Communication of the organisation's values and commitment to its stated policies will determine its compliance culture. If the senior management team clearly communicate to staff the issues that they consider important and the policies that they expect everyone to adhere to, they will create a positive compliance culture rather than letting inertia dictate the easiest route.

Step two: Communicate security and data protection policies, and the reasons behind them, clearly to staff. Often the weakest link in an organisation's security is its people. Their behaviour can be controlled and monitored by training, procedures and audit.

Step three: Introduce procedures to cover high-risk areas.

Step four: Train staff about the issues and about the procedures designed to avoid or mitigate risk, and continue to develop a compliant culture.

Step five: Monitor and audit the effectiveness of procedures in practice. Supplement and amend procedures accordingly. Feed the findings back to staff.

Next steps for the regulator

In his annual report in May 2007 the Information Commissioner said (foreword): "Audit is seen as an increasingly important function of ours. In consequence we are not only looking to expand the audit unit and number of audits conducted but also to increase our powers in this area". Also: "During the year we conducted eight data protection audits to assess the processing of personal data". All of those audited at this stage were public authorities, but the new, wider powers being sought will be available for use against businesses.

What audit can do

An audit of the HMRC operation earlier in 2007 would probably have highlighted the following issues:
    • Failure of senior management to "own" the issues of information security and data protection
    • Lack of a compliance culture among staff, due to low morale, frequent management and structural changes, and a focus on minimising external IT costs
    • IT security failings
    • Access to personal data granted too widely
    • No restriction on downloading personal data onto CD or memory stick
    • Failure in procedures or training to restrict access to, and downloading of, personal data
    • Failure in procedures or training about the importance of secure transfer or transmission facilities for personal data.
An audit would certainly have raised awareness of information security and personal data issues among staff. It would have given management the opportunity to remedy the defects in the information security policy. Consequently, the breach might have been avoided.

Next steps for businesses

If conducting an audit was recommended practice before the HMRC security breach, how much more vital is that work after November 2007? The Information Commissioner has clearly indicated that audit is becoming a more mainstream feature of his department's work. That being so, it is better to commence regular audits of information security and data protection policies now than to wait until the regulator comes calling.

Jersey and the Faroe Islands approved for international data transfers

In October 2007 the Article 29 Working Party issued opinions that Jersey and the Faroe Islands offer an adequate level of protection for personal data, opening the way to transfers from within the EU. A Working Party opinion is the first stage of the process: the formal adequacy decision is adopted by the European Commission, and exporters should confirm that the decision is in place before relying on it for transfers.

The Eighth Data Protection Principle prohibits the transfer of personal data to a country or territory outside the EEA unless that country ensures an adequate level of protection (the EEA comprises the EU member states plus Norway, Liechtenstein and Iceland). Transfers to third countries (those outside the EEA) therefore need further action to be taken to legitimise them. The simplest route is where the third country has obtained approval from the EU for its internal data protection framework. To date Argentina, Canada, Guernsey, the Isle of Man and Switzerland have been approved. To this list we can now add Jersey and the Faroe Islands.

Apologies for the error in the newsflash sent out concerning the approval of Jersey: it was approved in October, not November, but the document detailing this was not added to the Europa website until November.

Website accessibility - the Target case in the US

A landmark website accessibility case in the US involving Target.com rumbles along.
For anyone not aware of this case, Target has a website that is not accessible to blind users. In particular, there is no alternative text for images, there are no headings (which screen readers use to navigate) and keyboard navigation does not work: you have to use a mouse, and to use a mouse you need to be able to see. The NFB (National Federation of the Blind) and a blind internet user brought a case against Target. The court has so far ruled that the website is inaccessible to blind users and that a class action may be brought. Target now argues that it has made improvements to the accessibility of its website and has asked the court to declare the continuing case "moot", ie that there is no longer a live dispute for the court to decide. The judge refused to make such a ruling because, she pointed out, although accessibility aspects of the website have been improved there are still problems, and as new pages are added to the website daily the problem persists.

This case could have ramifications for UK based website owners as websites are accessib