NOT PROTECTIVELY MARKED

Data Protection
Information Management
& Information Security

Data Protection? Information Security? What’s the difference?

Data Protection: Current Requirements

Personal Data: data from which a person can be identified, e.g. name, date of birth, reference number, video image.

Processing of that data.

Applies to a living individual - the Act itself provides no protection after death, but Force policy has an impact.

Data Protection: Relevant Legislation

• Data Protection Act 1998
• Human Rights Act 1998
• Computer Misuse Act 1990
• Copyright Designs & Patents Act 1988
• Freedom of Information (Scotland) Act 2002

Data - what’s that?

Data Protection Act 1998: Registrable Particulars – Policing

• The prevention and detection of crime
• The apprehension and prosecution of offenders
• The protection of life and property
• The maintenance of law and order
• Rendering assistance to the public
• Vetting and Licensing
• Public Safety

Data Protection Act 1998

• The Act imposes strict conditions on the PROCESSING of personal data

“Processing means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data” i.e. anything we do with the data.

Data Protection Act 1998: The Eight Data Protection Principles

• Processed fairly and lawfully
• Only obtained for a specified purpose
• Data shall be relevant, adequate and not excessive
• Data shall be accurate and kept up to date
• Data shall not be kept longer than is necessary
• Data shall be processed in accordance with the rights of data subjects
• Appropriate measures shall be taken against unlawful or unauthorised processing and against loss, destruction or damage to data
• Data shall not be transferred outside the EEA unless adequate protection exists for the rights and freedoms of individuals

Data Protection Act 1998: Sensitive Personal Data

• Racial or ethnic origin
• Political opinions
• Religious beliefs or beliefs of a similar nature
• Membership of a Trade Union
• Details of physical or mental health
• Details of sexual life
• Commission or alleged commission of any offence
• Details of any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of the court in such proceedings

Disclosing Data To Others

In general, data can only be released for a purpose in line with Policing.

Ask the 3 important questions:

• WHO wants the data?
• WHY do they want it?
• WHAT are they going to do with it?

If you get it wrong there is a personal liability: UNLIMITED FINE

Data Protection: Individual Rights

Any data subject has the right of access to their personal data.

The data subject has the right to demand the correction or deletion of inaccurate data.

The data subject has the right to compensation if they have suffered damage or distress.

SUBJECT ACCESS - £10 fee

Data Protection: DPO Responsibilities

The Data Protection Department:

• Ensures all force systems are compliant
• Maintains Data Protection Notification
• Gives advice and assistance
• Liaises with other agencies
• Prepares information sharing protocols
• AUDITS EVERYONE!

Data Protection: Responsibility of Users

YOU MUST:

• Have a working knowledge of the Act
• Apply the principles as you work
• Take notebook entries
• Ensure the data you are processing is Accurate, Relevant, Up to date and SECURE

Criminal Offences Under the Act

• Knowingly or recklessly obtain, disclose or procure the disclosure of personal data without the consent of the data controller

• Sell or offer to sell personal data obtained in the above manner

Data Protection: Questions

Information Security

Information security applies to all information, including personal data, and in any format:

• Paper - written & printed.
• Communications - radio & telephone. Conversation.
• I.T. - Force network, PCs, Laptops, PDAs, magnetic media, non-magnetic media.
• Internet & e-mail.

So why is information security needed?

Information is a vast resource, and a valuable asset. More importantly, it is the lifeblood of the Police Service.

Information security is about protecting that valuable lifeblood from a wide range of threats.

Threats

• Deliberate - theft, denial of service, hacker.
• Accidental - coffee, power supply.
• Natural - fire, flood.

Sources

• Internal - employees.
• External - criminals, investigative journalists, members of the public.

Most dangerous = employees

What do we get from information security? C I A

• Confidentiality - the restriction of information and assets to authorised individuals.
• Integrity - the maintenance of information systems and physical assets in their complete and proper form.
• Availability - the continuous or timely access to information, systems or physical assets by authorised individuals.

Information Security: C I A

• Personnel
• Computer
• Communications
• Radiation
• Procedural
• Document
• Physical

Information Security: G P M S

How do we go about protecting our sensitive assets?

G P M S, or to give it the full title, the Government Protective Marking Scheme, which is designed to enhance the security and help protect the value of sensitive assets through the use of ‘protective markings’.

The six markings used are:

• NOT PROTECTIVELY MARKED
• PROTECT
• RESTRICTED
• CONFIDENTIAL
• SECRET
• TOP SECRET

Once applied, these markings (and handling instructions) indicate to others the value of an asset and the impact of compromise. Value and impact determine how it should be protected, and who should be given access to it.

The fundamental principle of this system is to assure that protectively marked assets will be given adequate protection against accidental or deliberate compromise. Examples of impact are:

Accidental or deliberate compromise of assets marked NOT PROTECTIVELY MARKED would be likely to:

• have no impact on the Force

Accidental or deliberate compromise of assets marked PROTECT would be likely to have:

• no impact on life or safety but may cause inconvenience or discomfort to an individual
• no impact on crime fighting but may cause minor disruption to emergency service activities

Accidental or deliberate compromise of assets marked RESTRICTED would be likely to:

• cause substantial distress to individuals
• prejudice the investigation or facilitate the commission of crime

Accidental or deliberate compromise of assets marked CONFIDENTIAL would be likely to:

• prejudice individual security or liberty
• impede the investigation or facilitate the commission of serious crime

Accidental or deliberate compromise of assets marked SECRET would be likely to:

• threaten life directly, or seriously prejudice public order, or individual security or liberty
• cause serious damage to the continuing effectiveness of highly valuable security or intelligence operations

Accidental or deliberate compromise of assets marked TOP SECRET would be likely to:

• lead directly to widespread loss of life
• cause exceptionally grave damage to the continuing effectiveness of extremely valuable security or intelligence operations

However, the most common markings you will probably see and use on a day-to-day basis are:

• NOT PROTECTIVELY MARKED
• PROTECT
• RESTRICTED
• CONFIDENTIAL

The Basics

• Warrant Cards/IDs.
• Destruction.
• Clear desk policy.
• Passwords/logging out.
• E-mail/Internet use.
• Desktop software.
• Viruses.
• Access control.

A Problem Shared Is A Problem Halved

Reporting Procedure:

• E-mail.
• Telephone.
• In person.

As Soon As Possible

More Information – see your copy of the Police Scotland Information Security Standard Operating Procedure.

Any questions?

Information Governance Officer