NOT PROTECTIVELY MARKED Data Protection Information Management & Information Security.
Uploaded by benjamin-cole
Transcript of NOT PROTECTIVELY MARKED Data Protection Information Management & Information Security.
NOT PROTECTIVELY MARKED
Data Protection
Information Management
& Information Security

Data Protection? Information Security?
What’s the difference??

Data Protection
Current Requirements
• Personal Data
• Processing of that data
• Data from which a person can be identified, e.g. name, date of birth, reference number, video image
• Applies to a living individual - the Act itself provides no protection after death but Force policy has an impact.

Data Protection
Relevant Legislation
• Data Protection Act 1998
• Human Rights Act 1998
• Computer Misuse Act 1990
• Copyright Designs & Patents Act 1988
• Freedom of Information (Scotland) Act 2002

Data - what’s that?

Data Protection Act 1998
• Registrable Particulars – Policing
  The prevention and detection of crime
  The apprehension and prosecution of offenders
  The protection of life and property
  The maintenance of law and order
  Rendering assistance to the public
  Vetting and Licensing
  Public Safety

Data Protection Act 1998
• The Act imposes strict conditions on the PROCESSING of personal data
“Processing means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data”
i.e. anything we do with the data

Data Protection Act 1998
• The Eight Data Protection principles
  • Processed fairly and lawfully
  • Only obtained for a specified purpose
  • Data shall be relevant, adequate and not excessive
  • Data shall be accurate and kept up to date
  • Data shall not be kept longer than is necessary
  • Data shall be processed in accordance with rights of data subjects
  • Appropriate measures shall be taken against unlawful or unauthorised processing and against loss, destruction or damage to data
  • Data shall not be transferred outside the EEA unless adequate protection exists for the rights and freedoms of individuals

Data Protection Act 1998
• Sensitive personal data
  Racial or ethnic origin
  Political opinions
  Religious beliefs or beliefs of a similar nature
  Membership of a Trade Union
  Details of physical or mental health
  Details of sexual life
  Commission or alleged commission of any offence
  Details of any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of the court in such proceedings

Disclosing Data To Others
• In general can only be released for a purpose in line with Policing
• Ask the 3 important questions
  WHO wants the data?
  WHY do they want it?
  WHAT are they going to do with it?
• If you get it wrong there is a personal liability
UNLIMITED FINE

Data Protection
Individual Rights
• Any data subject has the right of access to their personal data
• The data subject has the right to demand the correction or deletion of inaccurate data
• The data subject has the right to compensation if they have suffered damage or distress
SUBJECT ACCESS - £10 fee

Data Protection
DPO Responsibilities
The Data Protection Department
• Ensures all force systems are compliant
• Maintains Data Protection Notification
• Gives advice and assistance
• Liaises with other agencies
• Prepares information sharing protocols
AUDITS EVERYONE!

Data Protection
Responsibility of Users
YOU MUST
• Have a working knowledge of the Act
• Apply the principles as you work
• Take notebook entries
• Ensure the data you are processing is
  Accurate
  Relevant
  Up to date
  SECURE

Criminal Offences Under the Act
• Knowingly or recklessly obtain, disclose or procure the disclosure of personal data without the consent of the data controller
• Sell or offer to sell personal data obtained in the above manner

Data Protection
Questions

Information Security
Information security applies to all information, including personal data, and in any format.
• Paper - written & printed.
• Communications - radio & telephone. Conversation.
• I.T. - Force network, PCs, Laptops, PDAs, magnetic media, non-magnetic media.
• Internet & e-mail.

Information Security
So why is information security needed?
Information is a vast resource, and a valuable asset. More importantly, it is the lifeblood of the Police Service.
Information security is about protecting that valuable lifeblood from a wide range of threats.

Information Security
Threats
• Deliberate - theft, denial of service, hacker.
• Accidental - coffee, power supply.
• Natural - fire, flood.

Information Security
Sources
• Internal - employees.
• External - criminals, investigative journalists, members of the public.
Most dangerous = employees

Information Security
What do we get from information security?
C I A
• Confidentiality - The restriction of information and assets to authorised individuals
• Integrity - The maintenance of information systems and physical assets in their complete and proper form
• Availability - The continuous or timely access to information, systems or physical assets by authorised individuals

Information Security
• Personnel
• Computer
• Communications
• Radiation
• Procedural
• Document
• Physical
C I A

Information Security
How do we go about protecting our sensitive assets?
G P M S
Or to give it the full title, the Government Protective Marking Scheme which is designed to enhance the security and help protect the value of sensitive assets through the use of ‘protective markings’.

Information Security
G P M S
The six markings used are:
• NOT PROTECTIVELY MARKED
• PROTECT
• RESTRICTED
• CONFIDENTIAL
• SECRET
• TOP SECRET

Information Security
G P M S
Once applied these markings (and handling instructions) indicate to others the value of an asset and the impact of compromise. Value and impact determine how it should be protected, and who should be given access to it.
The fundamental principle of this system is to assure that protectively marked assets will be given adequate protection against accidental or deliberate compromise. Examples of impact are:

Information Security
G P M S
Accidental or deliberate compromise of assets marked NOT PROTECTIVELY MARKED would be likely to:
• have no impact on the Force

Information Security
G P M S
Accidental or deliberate compromise of assets marked PROTECT would be likely to have:
• no impact on life or safety but may cause inconvenience or discomfort to an individual
• no impact on crime fighting but may cause minor disruption to emergency service activities

Information Security
G P M S
Accidental or deliberate compromise of assets marked RESTRICTED would be likely to:
• cause substantial distress to individuals
• prejudice the investigation or facilitate the commission of crime

Information Security
G P M S
Accidental or deliberate compromise of assets marked CONFIDENTIAL would be likely to:
• prejudice individual security or liberty
• impede the investigation or facilitate the commission of serious crime

Information Security
G P M S
Accidental or deliberate compromise of assets marked SECRET would be likely to:
• threaten life directly, or seriously prejudice public order, or individual security or liberty
• cause serious damage to the continuing effectiveness of highly valuable security or intelligence operations

Information Security
G P M S
Accidental or deliberate compromise of assets marked TOP SECRET would be likely to:
• lead directly to widespread loss of life
• cause exceptionally grave damage to the continuing effectiveness of extremely valuable security or intelligence operations

Information Security
G P M S
However, the most common markings you will probably see and use on a day-to-day basis are:
• NOT PROTECTIVELY MARKED
• PROTECT
• RESTRICTED
• CONFIDENTIAL

Information Security
The Basics
• Warrant Cards/IDs.
• Destruction.
• Clear desk policy.
• Passwords/logging out.
• E-mail/Internet use.
• Desktop software.
• Viruses.
• Access control.

Information Security
A Problem Shared Is A Problem Halved
Reporting Procedure:
• E-mail.
• Telephone.
• In person.
As Soon As Possible

Information Security
More Information – see your copy of
Police Scotland Information Security Standard Operating Procedure

Information Security
Any questions?
Information Governance Officer