On May 31 this year, the first-ever standard for the management of personal information was published by the British Standards Institution (BSI).
The standard, BS 10012:2009 - Data Protection: Specification for a Personal Information Management System, provides a framework for establishing best practice and improving compliance with the Data Protection Act 1998 (DPA).
The main objective of the standard is to enable organisations to put a personal information management system (PIMS) in place: a management framework of policies, roles and procedures for handling the personal information they process. The vendor-neutral BSI data protection standard was developed by a panel of experts including representatives from industry, government, academia and consumer groups. The three-month public comment period attracted a large number of responses, including one from the highly respected OWASP Industry Committee.
Given all the government's recent reports and various laws on data handling, do we need yet another standard?
Well, the success of any technology-based service depends on people feeling confident that their personal data is going to be used appropriately and kept safe and secure. Recent security breaches in both the private and public sector mean that more still needs to be done to increase the public's trust and confidence in systems and services which handle personal data. Showing that you are following best practice by meeting a recognised standard is one way to do that.
Without an industry-accepted standard, every organisation has to create and set its own privacy compliance and data management guidelines, which may or may not be any good. Having a standard against which to work means that you know right from the start what you need to achieve.
Given that the Data Protection Act applies to organisations of all shapes, sectors and sizes, the standard avoids prescribing exactly how operations should be run. Instead it provides a framework to create a management system adapted to the specific needs of a business. It provides a lot of useful guidance, presented in the management system style of "Plan-Do-Check-Act," covering procedures in areas such as training and awareness, risk assessment, data sharing, data retention, disposal of data and disclosure to third parties.
It is encouraging that the standard makes responsibility a top priority. Not only does it require that "a senior management team is tasked with issuing and maintaining a policy which sets a clear framework and demonstrates support for, and commitment to, managing compliance," but one or more people also have to be designated responsible for compliance with the policy on a day-to-day basis.
Their duties include maintaining an inventory of all the different types of personal information the organisation processes as well as re-evaluating the PIMS if data requirements or handling processes change. The organisation also needs to be able to demonstrate its competence in understanding data protection legislation and good practice.
Knowledge of the personal information management system and its purpose is a thread that runs throughout the standard. According to the framework, organisations need to "raise, enhance and maintain awareness of the PIMS through an ongoing education and awareness programme for all workers."
The awareness training is backed up with a "process for evaluating its effectiveness." Such a self-evaluation should lead to each member of staff knowing what his or her role is when it comes to keeping data secure.
Some of the requirements may look like standard practice. For example, it is necessary that "any privacy notice or online privacy statement required to be given to the individual is provided or made available to the individual prior to any personal information being collected." But how many organisations have "procedures for maintaining records of privacy notices and online privacy statements"? The standard also calls for a complaints procedure and an appeals process, which I know from personal experience is certainly not a given.
Many organisations start off following proper security guidelines, but over time, changes in staff and processes can mean intentions don't always match actual practice. This problem is tackled in the standard with an audit programme that monitors and reviews the organisation's data handling. It even encourages larger organisations and those processing high-risk personal information to consider audits by third parties.
It's far too early to know whether the BSI data protection standard will gain the kind of global acceptance that ISO 27001 enjoys, with organisations anywhere able to adopt and certify against it. That may not be realistic, as there are so many different data protection laws around the world, many of which are still evolving. Even within the U.K., other legislation interacts with it: the Freedom of Information Act 2000, for example, can have an impact on how personal information is handled and stored.
This is one reason, I'm sure, why the BSI has gone for a set of processes that provide a framework for personal data governance, rather than trying to address too many different objectives and all the requirements of the law.
I can imagine that there will need to be a few revisions before there's a chance of widespread acceptance. Some industry experts, for example, would certainly like to see some form of privacy impact assessment, a process which aims to anticipate the likely privacy effects of new initiatives to ensure data protection compliance.
That would help ensure controls are in proportion to an organisation's real needs. Although the standard avoids a one-size-fits-all approach, it is still a bit rigid and prescriptive. It gives any organisation that adopts it the challenge of implementing the framework in a way that delivers effective day-to-day compliance within its environment and particular business.
It will no doubt keep government departments and agencies busy as they are still very occupied in meeting requirements raised in the government's Data Handling Review, an examination of the government's security practices following a series of government data breaches.
Nevertheless, BS 10012:2009 can still help an organisation demonstrate DPA compliance, which is not a bad thing given that the Information Commissioner's Office has been granted new powers to carry out spot checks and to fine offenders. The full standard costs £100.00 (£50.00 for BSI members) to download and a summary is available on the BSI website.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.