Thursday, 8 May 2014

Privacy Awareness Week Day 4: Business Obligations: What should I be doing to protect personal information?

Before we can talk about protecting personal information, the first question you must ask is “What personal information do we process throughout the organisation?
Do you understand:
a) How you collate personal information and when?
b) Why you collect personal information?
c) What sort of information do you collect?
d) Who handles it?
e) Where does it go?
Once you have an understanding of the basics you can begin to define how to control and manage it securely.

The ‘WHAT’ question is an important one, from this you can determine whether your existing security practices are appropriate.  E.g. an application processing simply names and addresses would need far less security than an application that records credit card data or medical data.

Steps to securing personal data:
1 – Identify the information processed

2 – Classify the information (e.g. is it public, confidential or medical)

3 – Value the information in terms of impact of loss.  What impact would it have to an individual or to the organisation if:
a) it was subject to unauthorised access?
b) you could not rely on the information processed?
c) the information was no longer available?

4 – Conduct a risk assessment considering:
a) How you collect the information;
b) How it is processed;
c) The involvement of third party entities;
d) How the information is shared.

5 – Determine the required security controls to help protect personal information.  This will include controls such as:
a) Training and awareness of staff – so they understand what is expected when handling personal information;
b) Documented policies and procedures;
c) Access controls – ensure that technical controls are applied so that only authorised personnel can access the information;
d) Data sharing agreements and contracts with third parties;
e) Data Backup arrangements and recovery plans;
f) Incident management – how will you respond to a breach to personal information?

6 – Conduct a gap analysis.  Identify what security controls you already have in place.
a) Do they help manage the identified risks? 
b) What are the gaps?
c) What can be improved?

7 – Implement change.  Improve the security controls you already have in place and implement the new controls.

Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Ac
Privacy Awareness Week Day 2: Protect your privacy online
Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones

Yvonne Sears
Senior Security Specialist

No comments:

Post a Comment