central scotland police data protection & information security stuart macfarlane information...
TRANSCRIPT
CENTRAL SCOTLAND POLICE
Data Protection & Information Security
Stuart Macfarlane
Information Governance Unit
Police Service of Scotland
Data Protection? Information Security?
What’s the difference??
Data Protection - Current Requirements
• Personal Data
• Processing of that data
• Data from which a person can be identified, e.g. name, date of birth, reference number, video image
• Applies to a living individual - the Act itself provides no protection after death but Force policy has an impact.
Data Protection - Relevant Legislation
• Data Protection Act 1998
• Human Rights Act 1998
• Computer Misuse Act 1990
• Copyright Designs & Patents Act 1988
• Freedom of Information (Scotland) Act 2002
Data - what’s that?
Data Protection Act 1998
• Registered Purpose – Policing
  The prevention and detection of crime
  The apprehension and prosecution of offenders
  The protection of life and property
  The maintenance of law and order
  Rendering assistance to the public
  Vetting and Licensing
  Public Safety
Data Protection Act 1998
• The Act imposes strict conditions on the PROCESSING of personal data
“Processing means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data”
i.e. anything we do with the data
Data Protection Act 1998
• The Eight Data Protection principles
• Processed fairly and lawfully
• Only obtained for a specified purpose
• Data shall be relevant, adequate and not excessive
• Data shall be accurate and kept up to date
• Data shall not be kept longer than is necessary
• Data shall be processed in accordance with rights of data subjects
• Appropriate measures shall be taken against unlawful or unauthorised processing and against loss, destruction or damage to data
• Data shall not be transferred outside the EEA unless adequate protection exists for the rights and freedoms of individuals
Data Protection Act 1998
• Sensitive personal data
  Racial or ethnic origin
  Political opinions
  Religious beliefs or beliefs of a similar nature
  Membership of a Trade Union
  Details of physical or mental health
  Details of sexual life
  Commission or alleged commission of any offence
  Details of any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of the court in such proceedings
Disclosing Data To Others
• In general can only be released for a purpose in line with Policing
• Ask the 3 important questions
  WHO wants the data?
  WHY do they want it?
  WHAT are they going to do with it?
If you get it wrong there is a personal liability
UNLIMITED FINE
Data Protection - Individual Rights
Any data subject has the right of access to their personal data
The data subject has the right to demand the correction or deletion of inaccurate data
The data subject has the right to compensation if they have suffered damage or distress
SUBJECT ACCESS - £10 fee
Data Protection - DPO Responsibilities
The Data Protection Department
• Ensures all force systems are compliant
• Maintains Data Protection Register entries
• Gives advice and assistance
• Liaises with other agencies
• Prepares information sharing protocols
AUDITS EVERYONE!
Data Protection - Responsibility of Users
YOU MUST
• Have a working knowledge of the Act
• Apply the principles as you work
• Take notebook entries
• Ensure the data you are processing is
  Accurate
  Relevant
  Up to date
  SECURE
Data Protection
Questions?
Information Security
Information security is all about protecting Force information from a wide range of risk sources.
Information is an asset, and the lifeblood of the Police Service.
Threats to Information Security
Loss of information - CONFIDENTIALITY
Loss of information - INTEGRITY
Loss of information – AVAILABILITY
C.I.A.
Threats come from:- Risk Sources…….
Internal - Employees, Visitors, Partner agency workers, Contractors
External - Criminals, Journalists, Information brokers, Activists
NATURAL DISASTERS
Information Security Applies to….
Paper communications
Radio & telephone.
Conversation.
I.T. - Force network, PCs, Laptops, PDAs, magnetic media.
Internet & e-mail.
Information Security Covers…….
I.T.
Buildings/vehicles (Physical)
Information management
Personnel
The Basics
Warrant Cards/IDs.
Destruction.
Clear desk policy.
Passwords/logging out.
E-mail/Internet use.
Viruses.
Desktop software.
Access control.
Government Protective Marking Scheme (G.P.M.S.)
• Information is graded into the following grades:-
• NOT PROTECTIVELY MARKED
• PROTECT
• RESTRICTED
• CONFIDENTIAL
• SECRET
• TOP SECRET
Information Security
Questions?