1 / 28

“ENSURING COMPLIANCE WITH DATA PROTECTION PRINCIPLES FROM A PRACTICAL PERSPECTIVE”

“ENSURING COMPLIANCE WITH DATA PROTECTION PRINCIPLES FROM A PRACTICAL PERSPECTIVE”. PRESENTED BY:- Mrs Drudeisha C-Madhub Data Protection Commissioner Defence and Home Affairs Department Prime Minister’s Office Tel:- 201 36 04 Email:- pmo-dpo@mail.gov.mu

kizzy
Télécharger la présentation

“ENSURING COMPLIANCE WITH DATA PROTECTION PRINCIPLES FROM A PRACTICAL PERSPECTIVE”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “ENSURING COMPLIANCE WITH DATA PROTECTION PRINCIPLES FROM A PRACTICAL PERSPECTIVE” PRESENTED BY:- Mrs Drudeisha C-Madhub Data Protection Commissioner Defence and Home Affairs Department Prime Minister’s Office Tel:- 201 36 04 Email:-pmo-dpo@mail.gov.mu Website:- http://dataprotection.gov.mu

  2. DATA PROTECTION OFFICE (pmo) • Privacy is a complex and elusive concept but is generally recognised as the ‘right to be left alone’. It lies at the heart of any trust relationship involving an individual with another individual or an organisation. Whenever this relationship is abused, significant harm may be caused to the reputation of the individual and the organisation. • Information privacy, one of the limbs of privacy, is in fact, known today as data protection. • Many organisations have reduced data protection to a compliance –driven approach only or sees it from an information security perspective only, which is not the correct approach.

  3. DATA PROTECTION OFFICE (pmo) • This compliance-driven focus may result to uncontrolled or unforeseen data loss incidents. • Organisations should consider data protection in a broader context such as assessing information risks from an individual’s perspective, by adopting transparency and data minimisation principles, by exploiting opportunities for differentiation through enhanced privacy practices; ensuring that privacy needs influence their identity management agenda (since identity technologies are a prerequisite to deliver effective privacy approaches).

  4. DATA PROTECTION OFFICE (pmo) • Privacy is intimately entwined with identity. Organisations use identity technologies to collect information from an individual. Good collection will obviously deliver greater anonymity and privacy whilst poor collection may expose the individual to privacy infringements. • Individuals should have control over their personal data. This is the message that this office wants to convey as the guiding principle for organisations in order to adopt the right approach to data protection.

  5. DATA PROTECTION OFFICE (pmo) • It is now trite law to observe that data has become the lifeblood of modern economies. However, it is difficult and at times probably impossible to truly grasp the true features and sizes of the different compartments of this fast and ever-expanding locomotive. • The exponential growth of data creation, transmission, use and storage, by an ever-growing tentacular panoply of actors, sometimes in or out of the opaque cloud, has led to the enactment of the Data Protection Act as most of this data is personally-identifiable and most of this data is controlled by someone other than the individual himself.

  6. DATA PROTECTION OFFICE (pmo) • Globalisation and new technologies are fundamentally changing the ways how companies communicate and market to customers. • They have changed both the opportunities and risks for individuals and organisations. Many of these technologies , including Web 2.0, user-generated content, and social media are straining traditional frameworks. • The collection of data has become more ubiquitous; data mining, analytics, and behavioral targetting are becoming more and more common and complex.

  7. DATA PROTECTION OFFICE (pmo) • Today, we enjoy unprecedented new services and benefits. However, we are also reaping unprecedented privacy threats and harms. • Some pessimists say privacy is a dead concept in the information age. I say that it is not, in fact it has just taken a new technological quagmire shape which requires some decryptive techniques, namely through the holistic and practical principles of the DPA. • The need for organisational accountability has thus become more urgent than ever before.

  8. DATA PROTECTION OFFICE (pmo) • The proposition that “privacy is good for business” is enshrined in all the data protection principles contained in the First Schedule of the DPA. • These universal principles of data protection seek to ensure the privacy of individuals and the promotion of the free flow of data and the growth of commerce. • The founding principles of data protection are: to limit collection, use and disclosure of personal data, to involve individuals in the data life-cycle, and to apply appropriate safeguards in a thorough manner.

  9. DATA PROTECTION OFFICE (pmo) • These requirements are premised upon organisational transparency and accountability. The ultimate results include enhanced trust, improved efficiencies , greater innovation, and a heightened competitive advantage . • The persevering confidence of individuals, business partners and regulators in organisations’ data-handling practices is thus of prime importance for a healthy business.

  10. DATA PROTECTION OFFICE (pmo) • For an organisation to demonstrate its willingness to meet expectations based on legal criteria and organisational promises, it must digest all aspects of data protection and information security . • This is reflected in the essential elements of accountability:- • Its commitment to accountability and adoption of internal policies consistent with data protection laws; • Mechanisms to put privacy policies into effect, including privacy-enhancing tools. training , and education;

  11. DATA PROTECTION OFFICE (pmo) • Systems for internal ongoing oversight and assurance reviews and external verification; • Transparency and mechanisms for individual participation; • The means for remediation and external enforcement. • To be an accountable organisation, a company must have rules based on an external measuring regulatory stick such as the Data Protection Act, industry self regulatory guidance such as codes of practice and/or guidelines issued or approved by the Data Protection Commissioner including international guidance such as

  12. DATA PROTECTION OFFICE (pmo) • the EU Directives on Data Protection and the OECD Guidelines or the APEC Principles. These policies must then be committed to by the organisation at the highest level. • The organisation must have in place all these pieces of the puzzle in place to ensure that the employees and vendors for instance, may successfully implement its policies and commitment on data protection. • Fair information practice principles based on data protection law must be built into the core functionality of all systems’ processes from technology development to the physical structure of facilities.

  13. DATA PROTECTION OFFICE (pmo) • In order to successfully embed data protection principles in organisational processes, seven foundational principles are to be adopted:- • Proactive and not reactive, i.e “prevention is better than cure”; • Accountability; • Data Protection Principles embedded into technological design; • Complete functionality- “Positive-Sum, not zero-sum”, Clear privacy rules create confident organisations which do not suffer from reticence risk and create economic advantage whilst protecting privacy.

  14. DATA PROTECTION OFFICE (pmo) • Complete lifecycle protection; Privacy must be built into every process from the assessment before data is collected to the oversight when data is retired or decommissioned. • Visibility and Transparency; • Respect for User Privacy. • There are virtually infinite ways by which organisations can creatively “build privacy in“ to their operations and products , to earn confidence and trust of customers, business partners and oversight bodies alike and to be leaders in the global marketplace.

  15. DATA PROTECTION OFFICE (pmo) • For instance, Hewlett Packard has developed an ‘accountability model tool’ which combines the HP Privacy Rulebook with a set of contextual, dynamically-generated questionnaire to be filled by employees and teams to be aware of what privacy considerations need to be considered before implementing their relevant tasks, in order to educate them on data protection. • Organisations are encouraged to develop practical standards on data protection, inspiring themselves from the guidelines Vol. 1 developed by the Commissioner posted on the website.

  16. DATA PROTECTION OFFICE (pmo) • They are further encouraged to implement high-level privacy management policies that will call for:- • Incorporating privacy-impact assessments (PIAs) throughout the systems lifecycle from business case to decommissioning; • Submitting these assessments for verification to the DPO; • Promoting greater transparency by publishing these PIAs; • Managing privacy-related risks.

  17. DATA PROTECTION OFFICE (pmo) About privacy-enhancing technologies (PETs): - • There is no widely accepted definition for PETs. However, a PET may be described as something that :- • Reduces or eliminates the risk of contravening data protection principles; • Minimises the amount of personal data held; • Empowers individuals to retain control over their personal data at all times.

  18. DATA PROTECTION OFFICE (pmo) • Today, there is a general understanding that PETs are consistent with good design objectives for any system that handles personal data and can offer demonstrable benefits and competitive advantages for business and organisations to adopt them. • However, PETs should not be forced into systems or technologies that are privacy-invasive as this would not achieve the desired effect. • In the same way that there is no definition for PETs, there is no recognised means of classification for PETs.

  19. DATA PROTECTION OFFICE (pmo) • However, they may be categorised, according to their main functions, as either privacy management or protection tools. • Privacy Management Tools:- • They enable the user to understand the consequences of the processing of the personal information. There are a number of tools today that cater for the enterprise or the end-user market, for example, P3P and IBM secure perspective software.

  20. DATA PROTECTION OFFICE (pmo) • Privacy Metadata:- Attaching standard tags to our personal information detailing the sources of information, the consent obtained, how it is intended to be used and the policies to which the information will be subjected to, including the length of time the information is retained and whether user consent is obtained prior to passing that information to third parties.

  21. DATA PROTECTION OFFICE (pmo) • Privacy Protection Tools:- • They aim to hide the user’s identity, minimise the personal data revealed and camouflage network connections, for example, the originating IP address is not revealed. • They may also authenticate transactions such as payments whilst making it impossible to trace a connection back to the user, for instance:- • Anonymising tools:- They hide the IP address of the originator and in the case of an anonymous or pseudonymous mail, the source email address.

  22. DATA PROTECTION OFFICE (pmo) • Anonymous or pseudonymous payment:- The user uses a prepaid card that is identified by a unique number. • Information Security Tools:- • Such tools are important for data protection but their primary goal is usually more modest:-that of preventing unauthorised access to systems, files or communications over a network, encryption for example.

  23. DATA PROTECTION OFFICE (pmo) • Future challenges for PETs:- • There is no doubt that PETs can provide a way of harnessing new technological advances to protect privacy. • A cultural barrier to data protection needs to be abridged in order for a change in attitude to occur. It is indeed human nature to be complacent about entrenched beliefs but we also have to keep pace with evolving technologies. Technology is here to serve us and not the other way round. Digital assistance is good but digital slavery is dangerous.

  24. DATA PROTECTION OFFICE (pmo) • Privacy is broader than information security, it’s about rights of individuals entwined with other such concepts as data security and risk management. • An organisations’s executive management needs to issue clear privacy-friendly practices as enunciated in the first set of guidelines from this office and incorporate these practices in risk management and management processes. • Security risk assessments rarely take into account the needs of the individual, for instance, ISO 27001, do not take into account risks form an individual’s perspective, nor do they prescribe privacy controls.

  25. DATA PROTECTION OFFICE (pmo) • Vendors are also encouraged to build in privacy functions into their systems, for e.g, on off-the- shelf software and to promote them as selling points. • Assessments have to be carried out at regular stages depending on the size and nature of the project as systems are routinely assigned new tasks, often referred to as function creep. • To be able to respond efficiently to the right to access personal information by individuals under section 41 of the DPA, systems have to be designed to include functions to identify the presence of personal information and the individual. A lack of automated access to personal data functionality can considerably increase the cost of servicing such requests.

  26. DATA PROTECTION OFFICE (pmo) • Balancing data sharing with privacy needs:- • Data sharing may lead to privacy breaches. The need to share personal data within or outside organisations is often compelling. • Internal practicalities, promotion of commercial marketing of personal data are predominant reasons for sharing personal data. Yet data losses occur when copies are transferred from privacy-friendly systems to systems having no privacy controls or between systems using unencrypted physical media such as CDs or memory sticks .

  27. DATA PROTECTION OFFICE (pmo) • True it is that PETs have yet to find their way in “real world’ environment s as organisations and vendors are quite worried of committing to specific PETs in case these become obsolete as technologies develop. Web 2.0, cloud computing and service oriented architectures developments,most likely, add further complexity to this problem. • But there is one thing to be borne in mind! Surely as we adapt and move to new technologies, similarly as we adapt to new conjunctures in life, we must be able to renovate these PETs in our own particular context, whenever the need will arise, with the assistance of this office.

  28. DATA PROTECTION OFFICE (pmo)

More Related