
Data Protection

Around the world, data protection and privacy legislation is an increasingly important, and increasingly onerous, part of overall IT Governance. It is in this field, in particular, that new laws emerge on a regular basis. Many of these overlap with, or contradict, existing laws, and for few of them is there any detailed regulatory implementation guidance or meaningful case law. However, BS10012, which specifies a Personal Information Management System (or PIMS), may bring some clarity to this area.


Data Breaches: Trends, Costs and Best Practices provides completely up-to-date worldwide information and best-practice guidance for staying on the right side of the law.


Key legislation for the United States, Canada, the UK and the EU includes:

  • In the UK: the Data Protection Act, the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures, which combine to make compliance a significant challenge for all organizations;
  • In the US: HIPAA, GLBA, SB 1386, OPPA, the Fair Credit Reporting Act (FCRA) and various State Breach Laws;
  • In Canada: PIPEDA;
  • In the EU: the Data Protection Directive (implemented slightly differently in each of the EU countries) and the EU Safe Harbor regulations, which enable US companies to escape prosecution under EU regulations.

UK Data Protection Act

Is your organisation compliant with the UK DPA? Order and download this DPA Compliance Assessment Tool and find out!

Very specific guidance exists for the UK's Data Protection Act ('DPA'). All UK organizations must comply with the DPA and all public sector ones with the FOIA.

The DPA Compliance Toolkit is a unique and comprehensive resource for those seeking compliance with the DPA.

This website also provides a comprehensive range of books and tools for achieving DPA Compliance.

Other books on the UK Data Protection requirements that are worth ordering include:

GLBA

The Gramm-Leach-Bliley Act (GLBA), also known as the “Financial Services Reform Act of 1999”, requires US “financial institutions” to establish administrative, technical and physical information safeguards to ensure the confidentiality and integrity of customer records and information. In order to comply with this federal mandate, institutions that are significantly engaged in financial activities are required to identify and assess security risks, plan and implement security solutions to protect sensitive information, and establish measures to monitor and manage security systems. Section 501(b) of GLBA established the high-level privacy and security requirements with which financial institutions must comply. The Federal Trade Commission (FTC) was authorized to implement it and issued its Final Rule (16 CFR Part 314) in May 2002. With a few exceptions, the effective date for financial institution compliance with the Final Rule was May 23, 2003 (with a two-year grandfathering of service contracts, until May 24, 2004).

In summary, the objectives of GLBA are to:
  • Protect the security and confidentiality of customers’ non-public personal information
  • Institute administrative, technical, and physical safeguards
  • Protect against anticipated threats and hazards to information security
  • Protect against unauthorized access to or use of information
  • Establish a continuous risk-based information security program with:
    • Board oversight
    • Assessment of threats and vulnerabilities
    • Risk management and controls
    • Training and Testing
    • Vendor oversight
    • Monitoring, auditing, adjusting and reporting

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (which took effect in 2003) is a set of federal standards that requires healthcare organizations (Covered Healthcare Providers, Health Plans and Healthcare Clearinghouses) to implement security standards that protect (and keep up to date) patient data and to standardize on electronic data interchange. HIPAA was originally designed to speed the processing of medical claims by implementing certain standards for transmitting medical data. This of course raised information security concerns, so provisions were also made to protect the confidentiality of personal health information both in transit and in storage.

The ‘Administrative Simplification (AS) Provisions’ set out the specific rules that institutions must implement in order to comply with HIPAA; these include the rules for EDI, for electronic signatures and for privacy standards. While these provisions are technology-independent, any system of information security controls that a healthcare organization implements will need to be integrated and comprehensive.

We also have a selection of the most useful books on HIPAA compliance.

US State Breach Laws

Senate Bill 1386 (SB-1386), also known as the California Information Practice Act, was passed into law in July 2003. The primary purpose of the bill is to force companies to think more seriously about information security and its impact on the residents of California. The law focuses on companies, primarily in the US but in reality throughout the world, and their need to protect the personal information of California residents. SB-1386 requires any ‘state agency or entity’ holding personal data about customers (or employees) living in California, and that suffers a breach of security relating to any database holding that personal information (unless the data is encrypted), to notify the entire class of customers where the security of even one of them may have been breached, however that breach occurred. The costs of communicating with every Californian on the database, in addition to the negative publicity and reputation damage for the organization, are significant consequences of a failure to establish a best-practice information security management system.


More than 35 States have now passed security breach laws similar to SB-1386. A full list of the current laws, together with a description of what they cover, is included in Data Breaches: Trends, Costs and Best Practices. Companies that seek to avoid the penalties of compliance failure need to implement a comprehensive information security management system that will protect the confidentiality, integrity and availability of individual data.

Data Protection and ISO 27001

Implementing and maintaining an ISO 27001-certificated Information Security Management System is the obvious way of complying with DPA, particularly with the 7th principle, which requires organizations to take appropriate technical and organizational steps to secure personal data. It is also increasingly seen as the legal standard for information security management in the US.

International Data Protection Compliance

For international organizations faced with multiple compliance responsibilities, overlapping regulation and possibly unknown legal requirements, the obvious compliance starting point is the Unified Compliance Framework.

© 2003 - IT Governance Ltd. | eCommerce by Xanthos