| 2.7 Info.Sec.Man. 09 Data Protection Officer | |
---|
2.7.09 Data Protection Officer: | 1. As Data Protection Officer contracted to protect data for a social care agency, the following measures were taken. The sensitive nature of the personal data involved led to one very important conclusion - under no circumstances could a data breach be allowed to happen. Lots of other data protection measures have been taken, but nothing comes close to the single mission to ensure that a data breach cannot happen. | 2. The owner understands that reputation is everything and if the company suffered any kind of data breach, then the company would no longer command the trust of its customers. Nobody wants to say so, but if private data was leaked because of incompetence, the company is unlikely to survive once customer and supplier trust is lost. | 3. Every company must have a qualified Data Protection Officer in the same way as they must have a qualified accountant. This may be a part-time role so the most skilled and experienced people can be used on a regular basis. |
2. Data Breach: | 1. Personal data cannot be stolen by a criminal who gains access to a data center because all data is encrypted using many different methods. A criminal with a copy of the database would have a string of meaningless numbers that are worthless. Because no personal data can be viewed, no personal data can be stolen from a data center. The theft of a lot of meaningless numbers is not a personal data breach - no personal data is lost because nothing is readable. | 2. Personal data is only stored in encrypted databases in secure data centers - no personal data is stored on any local computer or in any local file. Approved people can access personal data using any kind of desktop, laptop, tablet or smart phone using encrypted communications and without needing to install any software. Facilities are provided to ensure that no personal data needs to be downloaded for any reason - personal data is never put at risk. | 3. Personal data is never communicated by email where it will be copied and read by many agencies in many countries. Personal data copied from emails may be used against a person in 20 or 50 years' time when social cultures are very different. It is totally unacceptable to expose customers' private data to such a threat and long-term risk - private data cannot be deleted once it is copied. While a password can be changed after it is stolen, just try changing your stolen: qualifications, date of birth, place of birth, name of parents, gender, religion, ethnicity, school name, blood group, health, immunisations, travel. | 4. Criminals target people who work from home; a simple burglary can pick up a computer with a mass of data that can be sold. It is unacceptable and totally avoidable to store any private and personal data or emails on a home computer or portable computer. It is unreasonable and not trustworthy to hold private data in emails on a computer that can be stolen - never trust a company that does not care about your personal data. |
3. Business Message Service: | 1. A public email can be compared with a postcard that is only suitable for sending a message such as "wish you were here". A postcard would be considered totally unreasonable for private correspondence between two consenting adults. The private letter in a sealed envelope was designed so the public envelope could direct the message to an address and the private letter inside was only communicated to the named person. | 2. Business Message Services work like a public envelope and private letter. The public envelope is an email that displays a public subject, who it is from and who it is to, but no private personal information. The recipient may: | (1) Ignore and delete the envelope. | (2) Click the "opt-out" and unsubscribe link. | (3) Click the "opt-in" to subscribe and view the private letter contents and secure encrypted web pages. | 3. Agencies around the world know who communicates with whom and when, but personal data can be kept safe and secure. |
4. Legal Obligations: | 1. Email has evolved with the Privacy and Electronic Communications Regulations (PECR) defining that every company must manage emails in a professional way using "subscriptions". A message can only be sent to a person after that person has formally opted in to subscribe to receive such a message and evidence of the subscription exists. In addition, every message must give the recipient the ability to opt-out and unsubscribe from such a message. | 2. The effect is that every company must manage subscription history for each person that they communicate with. A subscription is not needed to send an invoice or similar transaction, but for any message that is optional or discretionary, a subscription is mandated. | 3. A critical factor is to manage subscriptions so people are never sent a message that they have formally opted out of receiving. In the event that a message is sent, a company will be fined by the Information Commissioner's Office and will be obliged to pay compensation to the person involved where subscription evidence cannot be proven. | 4. As Data Protection Officer, measures were taken to replace all ad-hoc emails with the Business Message Service. This had a massive benefit in that private personal data cannot be contained in any email that will be copied by other parties. No personal data is stored in a mobile phone that has emails, so when the phone is lost, personal data is not lost as a reportable data breach. |
5. Office: | 1. Office was retained on one old computer that is not connected to the Internet. Its role is to convert any old XLS or DOC file type from such a dangerous document to a safe HTML web page or CSV data file. It is understood that this old Office computer may be riddled with malware, but because it is not network connected, it cannot communicate with any control center. | 2. A temporary USB drive is used to transfer data to and from the old Office computer. Care is taken to keep the USB drive free of all data except when converting a document. Network drives must not be used under any circumstances - malware travels through network connections at the speed of light. | 3. All installed software has vulnerabilities that need weekly updates and those updates could also have vulnerabilities. The era of downloaded and installed software is over - it is no longer cost effective, it is far too dangerous to be used in a commercial environment, it is not safe. A company that continues to use obsolete software like Office will eventually suffer a data breach - millions of attacks take place every day - it is just a matter of time. | 4. Using installed software is like using a horse and cart after the car was invented. People who do not care about effectiveness, efficiency and productivity may like to continue with their old horse and cart, but they will eventually be wiped out by malware. People who care about productivity and care to do more with less will replace Office with online CRM tools to eliminate risk. |
6. Security: | 1. Personal data must never be put at risk - trust in the company depends on never having a data breach. No personal data must ever be stored in a computer in the office - computers will be lost and stolen. No personal data must ever be included or attached to an email - every email is copied. | 2. To eliminate personal data from computers in the office, Office and similar downloaded software must be eliminated. All downloaded software has vulnerabilities and will have even more security vulnerabilities into the future. All downloaded software needs patching and updating - those updates may include more vulnerabilities. | 3. Never send personal data in an email and never trust a company that sends personal data in an email - every email is copied. Never give your personal data to a company that uses email to communicate that personal data - the company cannot be trusted. Only work with companies that care about personal data privacy - avoid people who demonstrate they do not understand security or privacy. | 4. Do not do business with a person who uses a horse-and-cart in the era of cars - they cannot be trusted to protect your personal data. |
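
The subscription rules in section 4 (an evidenced opt-in before any optional message, an opt-out always honoured, no subscription needed for an invoice or similar transaction) can be enforced as a check run before every send. This is an added example, not part of the original manual; the record fields, function names and sample history are assumptions made for illustration, and treating an opt-in without evidence as blocking is a design choice of the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ConsentEvent:
    person: str     # recipient address
    topic: str      # subscription the event applies to
    action: str     # "opt_in" or "opt_out"
    at: datetime    # when the person acted
    evidence: str   # reference to stored proof of the action; empty if none

def current_consent(history, person, topic):
    """Return the most recent event for this person and topic, or None."""
    events = [e for e in history if e.person == person and e.topic == topic]
    return max(events, key=lambda e: e.at, default=None)

def may_send(history, person, topic, transactional=False):
    """Return (allowed, reason); the reason is kept for the audit trail."""
    if transactional:
        return True, "transactional message: no subscription needed"
    latest = current_consent(history, person, topic)
    if latest is None:
        return False, "no opt-in on record"
    if latest.action == "opt_out":
        return False, f"opted out on {latest.at:%Y-%m-%d}"
    if not latest.evidence:
        return False, "opt-in recorded without evidence"
    return True, f"opt-in evidenced by {latest.evidence}"

def plan_mailing(history, recipients, topic):
    """Split recipients into those to send to and those blocked, with reasons."""
    send, blocked = [], {}
    for person in recipients:
        allowed, reason = may_send(history, person, topic)
        if allowed:
            send.append(person)
        else:
            blocked[person] = reason
    return send, blocked

# Constructed sample history (not real data).
HISTORY = [
    ConsentEvent("a@example.org", "newsletter", "opt_in", datetime(2023, 1, 5), "web-form#1001"),
    ConsentEvent("a@example.org", "newsletter", "opt_out", datetime(2023, 6, 2), "unsubscribe-link#2210"),
    ConsentEvent("b@example.org", "newsletter", "opt_in", datetime(2023, 2, 9), "web-form#1044"),
    ConsentEvent("c@example.org", "newsletter", "opt_in", datetime(2023, 3, 1), ""),
]

if __name__ == "__main__":
    people = ["a@example.org", "b@example.org", "c@example.org", "d@example.org"]
    print(plan_mailing(HISTORY, people, "newsletter"))
```

Keeping the history as append-only events, rather than a single subscribed flag, is what lets the company show when a person opted in and that a later opt-out was honoured.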