A consumer’s guide to protecting personal information
British Standard BS 10012:2009 Data protection – specification for a personal information management system
Every time you use your supermarket reward card, contact your bank, use NHS services or buy something online, organisations collect and store certain information about you – this might be your name, address, date of birth, medical history, bank details, credit card number or even your shopping habits.
Used correctly, this information can make your life easier. But if it is used incorrectly, or falls into the wrong hands, you could become a victim of identity theft or fraud. This is where criminals use your personal information to get credit cards, open bank accounts, claim benefits and even get new passports in your name. This could cost you dearly and take a lot of time and effort to sort out. According to the Home Office, identity theft costs UK consumers around £1.2 billion each year.¹
You can protect your personal data by keeping information in a safe place and being careful who you give your details to. But how can you be sure that organisations such as councils, GPs, hospitals, banks, insurers, online stores and supermarkets are using your personal information correctly and keeping it safe?
The law
The Data Protection Act 1998 is there to make sure that organisations collect only relevant and accurate information, store it safely and use it correctly. The Act also gives you the right to find out what information an organisation holds about you on paper and on computer records.
But the Act doesn’t guarantee the safe-keeping of your personal data. A 2009 survey conducted by the British Standards Institution found that 1 in 5 businesses admitted to unwittingly breaching the Data Protection Act. Of these, nearly half said they had breached the Act more than once and an additional 18% said they were not sure whether they had or not.
The Data Protection Act sets out eight principles that organisations must adhere to, but it doesn’t give them any guidance on what to do or how to manage personal information effectively and lawfully. So even organisations that want to comply with the Act can find it confusing and difficult.
British Standard BS 10012 helps to fill that gap. It has been specifically written to help organisations meet the requirements of the Data Protection Act and gives companies step-by-step guidance on how to manage the information they hold about their customers.
BS 10012 – The basics
The British Standard for data protection was first published in June 2009. It is the first standard of its kind in the area of data protection. The standard can be used by organisations of any size and in any sector. It provides a clear framework for UK organisations that want to comply with data protection law, helping them to create a tailored management system for personal data.
The standard gives detailed guidance in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data, and disclosure to third parties. However, the standard is voluntary, so organisations do not have to sign up to it.
¹ Survey by The Identity Fraud Steering Committee (IFSC) published October 2008
A consumer’s guide to protecting personal information 01
What are British Standards?
The British Standards Institution (BSI) has been developing standards for over 100 years to make products and services safer for consumers. Standards set out good practice and guidelines for organisations to follow.
It’s not compulsory for organisations to sign up to a standard, so you can feel confident that those that choose to comply with British Standards take safety and customer service seriously.
www.bsigroup.com/ConsumerStandards
BS 10012 – What should you expect?
A clear policy
• A senior management team should be responsible for creating and maintaining a data protection policy that sets a clear framework for good practice and for complying with the law.
• The policy should follow the 15 commitments set out in the standard.
Clear responsibility
• A member of senior management should be accountable for the management of personal information within the organisation.
• One or more people should be responsible for making sure that the company complies with the policy on a day-to-day basis and that the Personal Information Management System (PIMS) is updated when changes happen within the company.
• The organisation should be able to demonstrate its competence in understanding data protection legislation and good practice.
• Adequate resources should be allocated to the PIMS.
Education and training
• The details and importance of the data protection policy should be clearly communicated to all members of staff that handle data.
• Relevant staff should be made aware of the PIMS and receive ongoing training.
Use of personal information
• Information collected should be relevant and not excessive to needs.
• Information should be accurate and kept up to date.
• Information should not be kept any longer than necessary and should be disposed of safely.
• To identify any potential problems, organisations should make an inventory of the types of data they collect and how it is used.
• Organisations should have procedures in place to ensure that personal information is used fairly and lawfully.
• All customers providing information to the organisation should be given a ‘privacy notice’ or online privacy statement before they hand over any details, clearly telling them how their personal information will be used.
• Information should only be used for the purposes specified – if companies want to use it for something else they should let you know beforehand.
• Information can only be passed to third parties if customers agree. Third parties can only use personal information for the reasons specified to the customer.
• Organisations must make sure that personal information is protected against loss, damage or theft by using appropriate security measures.
• Access to personal information should be restricted to those members of staff that actually need it.
• All staff handling data should know what to do if security is breached in any way.
• All consumers should be sent copies of their personal data held by the organisation, on request.
Regular checks
• Audits should be carried out at planned intervals to make sure that the PIMS is operating in accordance with policy and procedures.
• Any problems should be flagged up to management so that they can be resolved as quickly as possible.
• There should be regular management reviews to make sure that the system remains effective and is updated when needed.
Complaints
• The organisation should create a complaints and appeals procedure to make it easy for customers that have complaints about the processing of their personal information.
USEFUL INFORMATION
British Standards Institution (BSI) 020 8996 9001 www.bsigroup.com
Information Commissioner’s Office (ICO) 0303 123 1113 (helpline) 9am to 5pm, Monday to Friday www.ico.gov.uk
CIFAS (UK Fraud Prevention Service) www.cifas.org.uk
www.identitytheft.org.uk
www.actionfraud.org.uk
BSI Group Headquarters
389 Chiswick High Road London W4 4AL UK
Tel +44 (0)20 8996 9001
Fax +44 (0)20 8996 7001
www.bsigroup.com
© BSI copyright
Frequently asked questions
Q. Do all organisations have to follow BS 10012?
A. No, the standard is voluntary and it is up to individual organisations to sign up to the standard if they choose. Those that do should follow the guidelines it lays out. In the event of a major data breach, the Information Commissioner’s Office will look for evidence that compliance with data protection legislation was being taken seriously, and application of BS 10012 could be considered an example of this.
Q. Who do I complain to if I think that my personal information has not been handled according to the eight principles of the Data Protection Act?
A. Contact the Information Commissioner’s Office for help. Complaints are usually dealt with informally but, if this isn’t possible, enforcement action can be taken.
Checklist
✓ At home, keep your personal information safe.
✓ Think carefully before supplying your personal information to any organisation.
✓ Does the organisation you’re dealing with use BS 10012? If you’re not sure, then ask.
✓ When asked for personal information, you should receive a clear statement of what the organisation is collecting it for and be asked to agree to it.
✓ If you have concerns, ask for a copy of the personal information that the organisation holds about you.