The management of personal data has become a key concern for most organisations over the last couple of years. High-profile incidents such as the HM Revenue and Customs data breach and large data loss fines for household names including Nationwide Building Society and Marks and Spencer plc, combined with the increased public anxiety over the risks of identity theft, have led to increased regulatory action by both the Information Commissioner's Office (ICO) and the Financial Services Authority (FSA). What does this mean for your organisation?
HM Government has put an incredible amount of effort into putting its own house in order over the past two years. Having addressed the internal management of privacy issues, the public sector is now concentrating on its suppliers, and demanding that similar measures are put in place to manage personal information.
The ICO and the FSA have both become more active in pursuing organisations that have breached the privacy of personal information. Suppliers to the public sector are under increasing pressure both to manage personal information correctly, and to demonstrate that they are doing so. There are also increasing privacy compliance standards in the commercial sector, as exemplified by the Payment Card Industry Data Security Standards (PCI DSS) requirements.
It is against this background that the British Standards Institute (BSI) has issued British Standard BS 10012:2009 Data Protection -- Specification for a personal information management system (BS 10012). In the same way that ISO 27001 is now routinely specified as a security requirement in contracts, I expect BS 10012 to be specified where client personal information is handled -- particularly for those providing services to the public sector.
BS 10012 states that its objective is to "enable organisations to put in place, as part of an overall information governance infrastructure, a personal information management system (PIMS) which provides a framework for maintaining and improving compliance with data protection legislation and good practice." As such, the standard specifies a management system which organisations can adopt to meet the requirements of The Data Protection Act (DPA) and European Directive 95/46/EC.
The structure of the PIMS will be familiar to anyone who has implemented other management standards such as ISO 27001 (Information Security), ISO 9001 (Quality), ISO 14001 (Environmental Management) or ISO 20000 (IT Service Management). It is structured in the same manner as the other standards and is based around the widely adopted "Plan-Do-Check-Act" model. However, the standard differs from the others in that it is not a generic management process -- it is specific to the requirements of the DPA and the implementation of the eight data protection principles defined in the act, which require that personal information is:
- 1st principle - fairly and lawfully processed;
- 2nd principle - obtained only for specified purposes and not further processed in a manner incompatible with those purposes;
- 3rd principle - adequate, relevant and not excessive;
- 4th principle - accurate and up to date;
- 5th principle - not kept for longer than is necessary;
- 6th principle - processed in line with the rights afforded to individuals under the legislation, including the right of subject access;
- 7th principle - kept secure;
8th principle - not transferred to countries outside the European Economic Area without adequate protection.
The BSI standard is structured into four main areas:
- Planning for a PIMS.
- Implementing and operating the PIMS.
- Monitoring and reviewing the PIMS.
- Improving the PIMS.
A privacy impact assessment template
Like ISO 27001, the selection of appropriate controls is based on a risk assessment of "the level of risk to individuals associated with the processing of their personal information." While the standard is not prescriptive as to the risk assessment method to be used, it does point to the guidance issued by the ICO. The ICO has issued the Privacy Impact Assessment Handbook (PIAH) on its website. The privacy impact assessment template is a comprehensive guide not only to privacy impact assessments (PIA), but also to privacy law compliance checks (PLCC), DPA compliance checks (DPACC) and privacy and electronic communications compliance checks.
The ICO recommends that the PIA is preceded by a screening phase to determine if a full-scale, small-scale or even no PIA is needed. The assessment calls for 11 screening questions to determine if a full-scale PIA is required, followed by 15 further questions to determine if a small-scale PIA is necessary. The four-step PIA screening process is also used to determine if a PLCC and/or a DPACC are required.
Note that the ICO recommends that a PIA is appropriate at the inception of a project. Checking privacy law and DPA compliance once a project is operating is better achieved using a PLCC or DPACC.
- Preliminary Phase: This is the initial planning of the PIA to develop a project brief and a project plan.
- Preparation Phase: This provides the detailed preparation for Phase 3, producing a stakeholder analysis, a consultation plan for the discussions with stakeholders and the formation of a PIA consultative group (PCG) of representatives from the stakeholder groups.
- Consultation and Analysis Phase: During this phase, discussions are held with the stakeholders to identify the privacy issues with the proposed project, and the design solutions to address those issues. These are documented in an issues register, and the developed solution is documented in a privacy design.
- Documentation Phase: The end of the PIA process results in a PIA report, containing:
- A description of the project;
- An analysis of the privacy issues arising from it;
- The business case justifying the use of personal information and its implications;
- Discussion of alternatives considered and the rationale for the selected solution;
- A description of the privacy design features adopted to reduce and avoid privacy intrusion and the implications of these design features;
- An analysis of the public acceptability of the scheme and its applications.
- Review and Audit Phase: This phase is undertaken at an appropriate point in the implementation of the project to ensure the agreed privacy measures are carried forward into implementation.
The PIA is a wider assessment than that which would be performed as part of an ISO 27001 risk analysis. The PIA looks at the types of personal information being processed, whether the processing of that information is allowed under the Data Protection Act, whether it is necessary to process that information, how the processing of that information can be limited and what other measures are required to meet the requirements of the DPA. In order to meet the 7th principle of the Data Protection Act (that personal information is kept secure), it is necessary to perform a risk assessment to determine the appropriate security controls, and to manage the security of the personal information. This is where ISO 27001 comes in; a major component of the ISO standard addresses how to conduct a risk assessment. BS 10012 states that: "Where appropriate, the organisation may wish to consider compliance with ISO 27001". I would strongly recommend that BS 10012 implementation be complemented by compliance with ISO 27001.
BS 10012 together with ISO 27001 provides the basis for management of privacy risk. For new projects, privacy impact assessment templates should be used to determine the proper processing of personal information and compliance with legal requirements, including the Data Protection Act. This will normally include a PLCC and DPACC. For existing projects, a PLCC and DPACC should suffice.
ISO 27001 should be used as the basis of the information security management system to implement the security controls necessary to meet the 7th principle of the DPA. This should include an information security risk assessment, and the implementation and management of appropriate information security controls.
About the author:
Neil O'Connor is Principal Consultant at Activity (www.activityim.com)