BSI British Standards Information Governance Workshop Presentation

1

BSI Information Governance Workshop Where next for Standards?

05 October 2009

Read more at: http://shop.bsigroup.com/ictstandards

2

Agenda

10.00 Introduction

10.10 Review of BS 10012 versus original business case

10.30 BS 10012 success and general feedback

10.50 Briefing for morning workshop

11.00 Workshops to consider BS 10012 and Data Protection

12.00 Feedback from morning workshop teams

12.30 Lunch

13.30 Preservation of electronic records

14.10 Briefing for afternoon workshop

14.15 Workshops to consider preservation of electronic records and information governance

15.00 Feedback from afternoon workshop teams

15.15 Closing remarks


3

Timeline: BSI and Information Governance

1995 Data Protection Directive 95/46/EC implementedBSI publishes Information Security standard BS 7799

1998 UK Data Protection Act receives Royal Assent

1999 BSI publishes guidance for Data Protection Act (PD 0012)BSI publishes Code of Practice for Legal Admissibility of electronic information (PD 5000)

2000 Freedom of Information Act comes into forceInformation Security standard ISO/IEC 17799 published

2001 Records Management standard ISO 15489 published

2002 Freedom of Information (Scotland) Act comes into forceBSI publishes guidance for Records Management ISO 15489

2003 BSI publishes guidance for Freedom of Information Act (BIP 0001)

2005 Information Security ISO/IEC 27000 series publishedBSI publishes revised guidance on Legal Admissibility (BIP 0008)

2008 BSI publishes Legal Admissibility standard (BS 10008)BSI publishes revised guidance on Legal Admissibility (BIP 0008)

2009 BSI publishes Data Protection standard (BS 10012)


4

Objectives for today

• Has BS 10012 achieved what it set out to do?

• What else needs to be done?

• What are the issues around Information Governance standardization?

• How can BSI best serve the Information Governance sector in future?


5

Data Protection Agenda for new ICO

• Risk, governance and accountability

• Too important to be left to experts

• Appetite for simplification and clarity

• Liberty versus Security balance

• False comfort of mass data collection

• Less centralisation / Government collection

• Data cleansing and wider data quality

• Privacy by design / Privacy Impact Assessments

• Reform of EU Directives & International Standards


6

Where next for BSI and Information Governance?

• Now

– The first formal standard on data protection, complementary to other data protection publications & information governance standards

– Need to continue working with stakeholders to meet user needs

• Next?

– Ongoing developments in information governance standards

• Revisions to Information Security ISO/IEC 27000 series (2012)

• New ISO/IEC Information Security standards relating to Privacy & Identity Management

• ISO standard for Management System for Records (2012)

– Increasing ICO powers?

– Future revisions to European Directives?

– Societal responses to e.g. increased use of biometrics, etc?


7

Agenda

10.00 Introduction






12.30 Lunch







8

Timeline: BSI and Data Protection

1999 BSI publishes guidance to practical implementation of the DPA 1998(PD 0012)- BSI Access & Privacy Editorial Board (APEB) established- Assistance and introduction from ICO

2000 First major revision (BIP 0012)

2003 Second major revision (BIP 0012)

2006 Third major revision (BIP 0012)

2007 Workshop identified a stakeholder desire for a formal data protection standard

2008 New project added to BSI work programme for Technical Committee,IDT/1 Document Management Applications - Drafting panel IDT/1/-/4 set up to develop standard (Chair: Gordon Wanless)

2009 Draft for Public Comment launched on 2nd January for a 3 month period - Panel reviews the comments and develops final textBS 10012 published on 2nd June


9

Original business case (1)

Description of the product

Working title:

“Code of Practice for the Management of Personal Information in Compliance with the

Data Protection Act 1998”


10


Working Scope

This Code of Practice gives recommendations for the management of personal information by organisations in both the

public and private sectors. It is intended for those who are responsible for initiating, implementing and maintaining

compliance with the Data Protection Act 1998 (DPA) within their organisation. It is intended to provide a common ground for the management of personal information, for providing confidence in

its management, and for enabling an effective assessment of compliance with the DPA by both internal and external

assessors, and by consumers.


11


Expansion on the title for non-experts

The Data Protection Act 1998 implements a European Directive (95/46/EC) and applies to “personal data” which is defined in the

DPA as data relating to living individuals. The DPA requires organizations known as “data controllers” to comply with Eight

Data Protection Principles and to notify the Information Commissioner of their data processing (to ensure openness).

The DPA also gives individuals or “data subjects” rights of access to their personal data, to object to or to stop certain types

of processing and to sue data controllers for damages when breaches of the law occur.


12

Formation of the drafting panel

• Panel IDT/1/-/4 formed with the specific task of drafting the standard

• Gordon Wanless becomes Chairman - Panel supported by BSI Content Developer

• Expertise taken from Government (including The National Archives), NHS trusts, healthcare, legal, insurance, telecom, banking, education, local authorities, consultancy, consumer & privacy groups

• ICO aware of work being carried out and provided comments at key stages


13

Public Comment process

• Launched on 2nd January 2009 – BSI circulated press release

• Over 500 comments received from over 60 respondents

• Commenting period closed 31st March 2009

• IDT/1/-/4 met in April to resolve public comments

• Final draft circulated to panel and BSI committee in early May 2009 for approval

• BS 10012 published 2nd June 2009 – launched at DP Forum AGM


14

Launch of BS 10012

• Launched on 2nd June 2009 at the Data Protection Forum AGM

– BSI Press Release

– Survey of 500 Small Medium Enterprises

• Associated books – www.bsigroup.com/bip0050

• BSI Conference and Workshop 30th June / 1st July “Information Governance & Data ProtectionStandards, Guidance and Best Practice”

• BSI Data Protection Online tool launched 16th September


15

Agenda

10.00 Introduction






12.30 Lunch







16

Survey of BSI DP guidance subcribers (2006)

DP Purchasers by SectorCommercialLocal Government

EducationHealthcare & NHS

Government AgencyMuseums, Art Galleries

PoliceCentral Government

FinancialHousing Association

ManufacturingCharity

Professional BodyLegal

ConsultantPublisher


17

Survey of BS 10012 users by Sector

Commercial

Local Government

Education

Healthcare / NHS

Government Agency

Museums / Galleries

Emergency Services

Central Government

Financial

Housing Association

Manufacturing

Charity

Professional Body

Legal

Consultant

Publisher


18


% Change in sector share

-15

-10

-5

0

5

10

15

% c

han

ge


19

Survey of BS 10012 users by organisation

Global Orgs / UKFTSE 100

UK Manufacturers

UK Service Providers

Central Government

Government Agencies

Local Authorities /PCT

Others


20

Survey of other BS 10012 users

Professional /Research OrgsLibraries

Museums / Galleries

Charities

Housing Associations

Training

Publishers

Overseas


21

BSI Research: Data Protection and Public Sector

• BSI – UK Government Engagement Event, March 2009

• Key conclusions

– Reputational harm from DP breach cannot be ignored

– Cultural issues key to successful compliance

• Culture change needs senior level champion

• Clear accountability required for data protection & privacy

– Particular challenges

• Supply chain - interface with private sector, other public sector

• Outsourcing contracts & enforcement of DP requirements

• Data sharing – what, how, when?

– Specific guidance needed for different sectors?


22

BSI Research: Data Protection and SMEs

• BSI survey of UK SMEs, May 2009

• Key conclusions

– 20% thought they had unwittingly breached the DPA

– 32% felt complexity of DPA restricted their compliance capability

– 43% confirmed there is no one in their business with specific responsibility for data protection

– 65% provide no data protection training for their staff

– 15% were not confident that their data sharing practices conform to the DPA

• 5% frequently share data regardless

– 18% said that data protection is less of a priority in the current economic climate


23

Marketing & Media Coverage

• BSI Stakeholders

• Coverage of BS 10012 widely reported in general & regional news, business, IT, HR, security, legal, manufacturing, financial & public sectors

• Articles for Financial Services Technology magazine, Business Standards magazine, Information Age

• BSI Product Marketing (web page, e-shots)

• Positive reviews (Pinsent Masons, Eversheds, Wragge & Co, Data Council)

• Broadcast on http://www.smallbusinessadvice.tv

• Blogs


24

BSI input into Public Consultations


25

ISO TMB Privacy Task Force

Recommendations – September 2009

• ISO lead effort to engage broader standards community to intensify interaction (Conference?)

• Establish common terminology on privacy and principles (Consult existing committees?)

• ISO establish live inventory for all committees to share ongoing privacy work

• Engage with public policy organisations

• Indentify key stakeholders, work streams & standards work that can support international privacy standardisation

• ‘Privacy technology’ committee to be systematically informed about sector specific needs in order to address their own work programme


26

Agenda

10.00 Introduction






12.30 Lunch







27

Agenda

10.00 Introduction






12.30 Lunch







28

Topic 1

What are the main issues for organizations relating to Data

Protection?

• Has data protection become an issue at boardroom level?

• Can organizations confidently share data with each other?

• How can organizations become more proactive rather than being reactive to data protection compliance?


29

Topic 2

Does BS 10012 (and associated guidance) meet the needs of its

users?

• How does the standards user benefit from using BS 10012?

• What improvements should it bring to their organization?

• What do users or organizations need to achieve from using a Data Protection standard?


30

Topic 3

Are there any missing or new themes & products to develop? How does BS

10012 link to other standards?

• Can further ‘sector specific’ guidance be produced?

• Are there future topics that should be considered?

• Can BS 10012 be used as part of a suite of Information Governance standards?

• Can BS 10012 be linked to other ‘technology based’ standards?


31

Topic 4

How can BS 10012 relate to European and global requirements?

• Will an international standard assist global organizations, regions, or those trading across borders?

• What will be the challenges involved in producing a truly global standard?

• Can BS 10012 be applied globally in the interim before the publication of an international standard?

• How can any impact of revisions to EU Directives be captured within the standards making process?


32

Topic 5

What are the certification requirements of organizations?

• Is it desirable for an organization to become certified to the standard?

• What are the primary benefits and drivers for certification?

• Is this unique to certain sectors, or specific parts of organizations?

• Are there any disadvantages to certification?


33

Topic 6

What are the training requirements of users?

• Do users undertake Data Protection training?

• How do users currently obtain Data Protection training?

• What are the different ways that such training can be delivered?

• Can training based around the standard benefit organizations?


34

Agenda

10.00 Introduction






12.30 Lunch







35

Topics 1, 2, 3

• Topic 1: What are the main issues for organizations relating to Data Protection?

• Topic 2: Does BS 10012 (and associated guidance) meet the needs of its users?

• Topic 3: Are there any missing or new themes & products to develop? How does BS 10012 link to other standards?


36

Topics 4, 5, 6

• Topic 4: How can BS 10012 relate to European and global requirements?

• Topic 5: What are the certification requirements of organizations?

• Topic 6: What are the training requirements of users?


37

Agenda

10.00 Introduction






12.30 Lunch







38

Agenda

10.00 Introduction






12.30 Lunch







39

Electronic preservation

The problem:

Information stored in an electronic form has a finite life (retention period)

– Storage media may become obsolete

– Electronic format may be incompatible with retrieval software

•Retention requirements may exceed this requirement

•It may be necessary to demonstrate authenticity at any time


40


Storage media

Information stored in an electronic form always has a finite life

•Longevity of storage media

•Support by manufacturer

•Reliability of off-line media in store

•New technologies provide faster / cheaper storage

If storage media is changed, a migration process is required

•Costs / resource requirements

•Proof of integrity / completeness


41


Electronic format

How long will a particular electronic format be supported?

Is there a need for a long term storage format

If electronic format is changed, a conversion process is required

•Costs / resource requirements

•Proof of integrity / completeness

•Accuracy of rendition


42


What we have now (1)Long term preservation

ISO/TR 18492:2005 - Long-term preservation of electronic document-based information

‘How to’ guide - Digital records preservation JWG (TC 46/SC 11 & TC 171)

Storage media

ISO/TR 10255 - Document management - Optical disk storage technology - Management and standards (at final proof stage)

ISO 12142:2001 - Electronic imaging - Media error monitoring and reporting techniques for verification of stored data on optical digital data disks (in ballot for withdrawal, replaced by:)

ISO 23868:2008 - Document management - Monitoring and verification of information stored on 130mm optical media


43


What we have now (2)Processes

ISO/NP XXXXX Digital records conversion and migration processes (Records management)

Use of microfilm

ISO 11506:2009 - Document management applications - Archival of electronic data - Computer Output Microform (COM) / Computer Output Laser Disc (COLD)

Authenticity

ISO 12654:1997 - Electronic imaging - Recommendations for the management of electronic recording systems for the recording of documents that may be required as evidence, on WORM optical disk (Adopted as BS 7768 in UK)

ISO/TR 15801:2004 - Electronic imaging - Information stored electronically - Recommendations for trustworthiness and reliability (revision due 2009)


44


What we have now (3)Electronic preservation formats

ISO 32000-1:2008 - Document management - Portable Document Format - PDF 1.7

ISO/NWI 32000-2 - Document management - Portable Document Format - PDF X

ISO 19005-1:2005 Document management - Electronic document file format for long-term preservation - Use of PDF 1.4 (PDF/A-1)

ISO/CD 19005-2 Document management - Electronic document file format for long-term preservation (PDF/A) - PDF 1.7 (Due 2009/10)

ISO 24517-1:2008 - Document management - Engineering document format using PDF - Use of PDF 1.6 (PDF/E-1)

ISO/NWI 14289 - PDF / Universal Access


45


What we have now (4)

BSI publications:

Preservation

BIP 0089:2008 A manager’s guide to the long-term preservation of electronic documents

Authenticity

BS 10008:2008 Evidential weight and legal admissibility of electronic information

BIP 0008:2008 Code of practice for implementing BS 10008


46


What we have now (5)

Other Information Governance topics:

Records Management

ISO 15489:2001 Records management

– Part 1 – General

– Part 2 – Guidelines

BIP 0025 series supports ISO 15489

Information Security Management

ISO 27000 series – Information Security Management

BIP 0071-75 supports ISO 27000 series

BS 25999 – Business continuity management

BIP 0020:2008 – Securing email and electronic messages


47


Commercial

Local Government

Education

Healthcare / NHS

Government Agency

Museums / Galleries

Emergency Services

Central Government

Financial

Housing Association

Manufacturing

Charity

Professional Body

Legal

Consultant

Publisher


48


Where do we go from here?

Workshop topics:

1. Electronic preservation – do we need more guidance? How do we get more take-up with PDF/A?

2. Legal admissibility – still seems to be an issue – how do we solve the issue?

3. Information Governance is growing in stature – what guidance is needed? What existing standards topics need to be included within Information Governance?


49

Agenda

10.00 Introduction






12.30 Lunch







50

Agenda

10.00 Introduction






12.30 Lunch







51

Topic 1

What are the issues for the user with regard to electronic preservation?

• Do we need more guidance to assist users with the technologies?

• How do we get more take-up with PDF/A?

• Are there specific sector products that can be developed?


52

Topic 2

What are the issues for the user with regard to legal admissibility of

electronic documents?

• How do the needs for public and private sectors differ?

• Can compliance schemes and self assessment tools assist users of BS 10008?

• Can BSI improve its products to assist organizations?

• Can BS 10008 be linked to other topics?


53

Topic 3

What do stakeholders need from BSI in relation to Information Governance?

• What additional guidance is needed?

• How can guidance on Freedom of Information be delivered?

• What topics should BSI include within the Information Governance portfolio?

• Would more regular BSI workshops & stakeholder events benefit the user?


54

Agenda

10.00 Introduction






12.30 Lunch







55

Agenda

10.00 Introduction






12.30 Lunch







56