The law in the United Kingdom has various influences on organizational information security policy. As well as protecting the rights of individuals and organizations, it also imposes many duties and responsibilities. For organizations to meet their legal obligations a number of technical controls can be put in place.
Information Security Obligations under UK Law
A PassGo TechnologiesWhitepaper
Introduction
The law in the United Kingdom has various influences on organizational information securitypolicy. As well as protecting the rights of individuals and organizations, it also imposes manyduties and responsibilities. For organizations to meet their legal obligations a number oftechnical controls can be put in place. This document examines how PassGo products canhelp support these legal requirements.
Meeting Obligations of Privacy
Data Protection
The Data Protection Act 1998 affects every organization which holds personal informationrelating to living individuals. It has been extended significantly from its 1984 predecessor toreflect EU legislation derived from the European Convention on Human Rights andFundamental Freedoms and has now become a complex area of law in itself, as well asspawning some 21 Statutory Instruments. The Act imposes limitations and conditions on thestorage or processing of personal data. It confers rights on a person to discover whatinformation about him is being stored or processed, and if necessary to have it altered orerased. The essence of the Data Protection Act 1998 is embodied in its eight principles:
1. That personal information shall be stored or processed fairly and lawfully and then only ifat least one of a number of conditions is met.2. That personal information shall be stored or processed only for one or more specified and PassGo Technologieslawful purposes, and not further stored or processed in any way which is incompatible with www.passgo.comthose purposes. 651 Holiday Drive3. That the personal information held shall be relevant, adequate, and not excessive. Suite 300, PMB #3104. That the personal information shall be accurate and, where necessary, kept up-to-date. Pittsburgh, PA 152201.888.652.39835. That the personal information shall not be kept for longer than is necessary. sales@passgo.com6. That information shall be stored or processed in accordance with the data subject's rightsunder the Act. These rights include the right to find out what data is processed, and to Europehave it altered or deleted if necessary. Also provided is the right to compensation fordamage caused by a data controller's non-compliance - a right previously unavailable in Horton Manorthe 1984 Act. Ilminster, SomersetTA19 9PY, UK7. That appropriate technical and organizational measures shall be taken against +44 (0)1460 258300unauthorized or unlawful processing of personal data and against accidental loss or +44 (0)1460 258403 (fax)destruction of, or damage to, personal data.8. That the personal data shall not be exported outside the European Economic Area unless This document refers to a number ofhardware and software products that arethe receiving country has adequate legislation in place to protect the data subject's rights. produced by other companies. In most, inot all cases, the names of these producare claimed as trademarks by thecompanies that manufacture them. It is nour intention to claim either the productstheir names or trademarks as our own.With regard to the seventh principle, the Act gives some further guidance on matters which should be taken intoaccount in deciding whether security measures are "appropriate". These are as follows:
1. Taking into account the state of technological development at any time and the cost of implementing any measures,the measures must ensure a level of security appropriate to:. the harm that might result from a breach of security; and. the nature of the data to be protected.
2. The data controller must take reasonable steps to ensure the reliability of staff having access to the personal data.
The co-ordinating and regulating body for the Data Protection Act is the Information Commissioner. The InformationCommissioner's guidance on compliance with the Act has the following advice with regard to the seventh principle:
The data controller [.] needs to adopt a risk-based approach to determining what measures are appropriate.
[.]
Standard risk assessment and risk management techniques involve identifying potential threats to the system,the vulnerability of the system to those threats and the counter-measures to put in place to reduce and managethe risk. In many cases, a simple consideration of these matters will be sufficient. On the other hand, there arewell-established formal method... [download for more]
