
Data Protection and Data Protection Act (DPA) Compliance


An Introduction to Data Protection

Data protection is an issue that affects all organisations. It has never been more important for businesses to protect their critical assets and to ensure that their staff are aware of the role they play in data protection. With the exponential development of technology, incidents of hacking, data breaches and data loss have proliferated. In the UK all organisations must comply with the Data Protection Act, whilst companies in other countries have their own data protection legislation to comply with. Data breaches can prove costly and expose your business to fines, brand damage and loss of business.

This page provides essential information on the importance of data protection and, more importantly, on what you can do to ensure that your data is protected.

Data Breaches: Trends, Costs and Best Practices provides worldwide information and best-practice guidance for staying on the right side of the law.

IT Governance CEO Alan Calder, speaking at the Privacy Laws & Business 23rd Annual International Conference, discusses the relationship between data protection law and information systems.

Free Technical Data Protection Briefing Paper

The use of laptops, USB memory sticks and other portable or removable storage devices has increased substantially in recent years. Whilst these devices improve communication between staff, they are highly susceptible to loss or theft. This technical briefing paper focuses on the best way to protect the content on your laptops and other mobile storage devices.

Implementing and maintaining an ISO 27001-certificated Information Security Management System is the obvious way of complying with DPA, particularly with the 7th principle, which requires organisations to take appropriate technical and organisational steps to secure personal data.

UK Data Protection Act

Is your organisation compliant with the UK DPA? Order and download this DPA Compliance Assessment Tool and find out!

 

Very specific guidance exists for the UK's Data Protection Act ('DPA'). All UK organisations must comply with the DPA and all public sector ones must additionally comply with the FOIA.

 

The Complete DPA Compliance Toolkit is a unique, inexpensive and comprehensive resource for those seeking compliance with the DPA. It provides all the tools and resources you need to become DPA compliant.

 

The Data Protection Act (DPA) 1-Day Course gives a comprehensive, practical and up-to-date overview of DPA compliance requirements.

 

Our DPA Compliance Gap Analysis & Consultancy service is a practical, effective way to identify gaps in your current DPA activity.

 

This website also provides a comprehensive range of books and tools for achieving DPA Compliance.

 

Other books on the UK Data Protection requirements that are worth ordering include:


Emerging data protection and privacy regulation

Around the world, data protection and privacy legislation is increasingly important, increasingly onerous, and a crucial part of overall IT governance. It is in this field, in particular, that new laws emerge on a regular basis. Many of these overlap with, or contradict, existing laws, and for few of them is there any detailed regulatory implementation guidance or meaningful case law. However, BS10012, which specifies a Personal Information Management System (PIMS), may bring some clarity to this area.

 

Key legislation for the United States, Canada, the UK and the EU includes:

  • In the UK: the Data Protection Act, the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures, which combine to make compliance a significant challenge for all organisations.
  • In the US: HIPAA, GLBA, SB 1386, OPPA, the Fair Credit Reporting Act (FCRA) and various State Breach Laws.
  • In Canada: PIPEDA.
  • In the EU: the Data Protection Directive (implemented slightly differently in each of the EU countries) and the EU Safe Harbor regulations, which enable US companies to escape prosecution under EU regulations.

GLBA

The Gramm-Leach-Bliley Act (GLBA), also known as the “Financial Services Reform Act of 1999”, requires US “financial institutions” to establish administrative, technical and physical information safeguards to ensure the confidentiality and integrity of customer records and information. In order to comply with this federal mandate, institutions that are significantly engaged in financial activities are required to identify and assess security risks, plan and implement security solutions to protect sensitive information, and establish measures to monitor and manage security systems. Section 501(b) of GLBA established the required high-level privacy and security requirements with which financial institutions must comply. The Federal Trade Commission (FTC) was authorized to implement it and issued the Final Rule (16 CFR Part 314) in May 2002. With a few exceptions, the effective date for financial institution compliance with the Final Rule was May 23, 2003 (with a two-year grandfathering of service contracts, until May 24, 2004).

In summary, the objectives of GLBA are to:
  • Protect the security and confidentiality of customers’ non-public personal information
  • Institute administrative, technical, and physical safeguards
  • Protect against anticipated threats and hazards to information security
  • Protect against unauthorized access to or use of information
  • Establish a continuous risk-based information security program with:
    • Board oversight
    • Assessment of threats and vulnerabilities
    • Risk management and controls
    • Training and Testing
    • Vendor oversight
    • Monitoring, auditing, adjusting and reporting

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (which took effect in 2003) is a set of federal standards that requires healthcare organisations (Covered Healthcare Providers, Health Plans and Healthcare Clearinghouses) to implement security standards that protect (and keep up to date) patient data and to standardize on electronic data interchange. HIPAA was originally designed to speed the processing of medical claims by implementing certain standards for transmitting medical data. This of course raised information security concerns, so provisions were also made to protect the confidentiality of personal health information while in transit and while being stored.

The ‘Administrative Simplification (AS) Provisions’ set out the specific rules that institutions must implement in order to comply with HIPAA; these include the rules for EDI, for electronic signatures and for privacy standards. While these provisions are technology-independent, any system of information security controls that a healthcare organisation implements will need to be integrated and comprehensive.

 

We also have a selection of the most useful books on HIPAA compliance.

US State Breach Laws

Senate Bill 1386 (SB-1386), also known as the California Information Practice Act, was passed into law in July of 2003. The primary purpose of the bill is to force companies to think more seriously about information security and its impact on the residents of California. The law focuses on companies (primarily in the US but, in reality, throughout the world) and their need to protect the personal information of California residents. SB-1386 requires any ‘state agency or entity’ holding personal data about customers (or employees) living in California, and that suffers a breach of security relating to any database that holds that personal information (unless the data is encrypted), to notify the entire class of customers where the security of even one of them may have been breached, however that breach occurred. The costs of communicating with every Californian on the database, in addition to the negative publicity and reputation damage for the organisation, are significant outcomes of a failure to establish a best-practice information security management system.

 

More than 35 States have now passed security breach laws similar to SB-1386. A full list of the current laws, together with a description of what they cover, is included in Data Breaches: Trends, Costs and Best Practices. Companies that seek to avoid the penalties of compliance failure need to implement a comprehensive information security management system that will protect the confidentiality, integrity and availability of individual data.

International Data Protection Compliance

The most useful book to read about the emerging standard for data protection compliance is Information Security Law: The Emerging Standard for Corporate Compliance.
