DATA PROTECTION GUIDE TO SENDING PERSONAL DATA TO EXTERNAL ORGANISATIONS

This guide is aimed at staff who send personal data to external organisations. This guide should be read alongside the Employee Information Security Manual contained within the FCA Employee Handbook.

The Data Protection Act 1998

The Data Protection Act 1998 (the Act) governs the use or holding of personal data (essentially any information about identifiable living individuals). The FCA's level of compliance with the Act must be the same as what we would expect regulated firms to have. This means that we are expected to comply with all of the Principles of the Act, and with any guidance and Codes of Practice issued by the Information Commissioner.

The Act applies to all records (both electronic and paper) and requires all organisations that handle personal information (such as the FCA) to comply with a number of important principles regarding privacy, security and the disclosure of information. The misuse or unregistered use of personal data by the FCA or its employees can result in criminal prosecution and claims for compensation under the Act. There is also a risk of adverse publicity, so it is important that both the public and the industry have confidence in the security of personal information collected, held and used by the FCA. It affects everyone employed by the FCA, since individuals who knowingly breach the Act can be held personally (and potentially criminally) liable.

The Act's eight principles establish enforceable standards for obtaining, holding, using or disclosing information. The DPA also requires appropriate security arrangements to be in place to protect personal data. The DPA applies to any personal data held on the FCA's systems, including paper records. The DPA also gives individuals the right to have access to personal information held about them. Anyone can therefore ask the FCA whether we (or someone else on our behalf) are using their personal data and, if so, to be given a copy of the personal data being used; a description of the purposes for which the data are being used; and a description of those to whom the data is, or may be, disclosed.

What is personal data?

Personal data is data that relates to a living individual who can be identified either from those data, or from those data and other information which is in the possession of (or is likely to come into the possession of) the Data Controller, i.e. the FCA. The Act therefore does not apply to deceased persons or limited companies. It will apply to sole traders and may also apply to individual partners, depending on the circumstances. Personal data includes financial information, and any expression of opinion or indication of intentions, held by us regarding the individual.

What should I do when sending personal data to external organisations?

Below are some recommendations on how to send personal data safely. Before doing so, you should consider the sensitivity of the personal data: what is the best way to send it to the external recipient safely? What are the risks to the individuals if their data got lost or stolen en route? If you are unsure what is the best method to send information, please contact IS Security. Any questions about the sensitivity of personal data should be directed to the Information Access team.

Method: Scanned copy on CD in post
Recommendation: You must encrypt the CD or the files on the CD before sending to a named individual by special delivery. If particularly sensitive, you may wish to consider sending the CD by courier. You should check that the information has arrived.

Method: Scanned copy attached to an email, or in the text of an email
Recommendation: Send the email to a specific person rather than a group or team email address. If particularly sensitive, you must encrypt the email. You should check that the information has arrived. Please note, emails from Blackberries cannot be encrypted.

Method: Scanned copy on memory stick
Recommendation: This may not be the most appropriate way of sending personal data to an external organisation; however, if used, you must use an encrypted FCA memory stick before sending to a named individual. The password should then be sent to the individual by separate email or verbally. You should check that the information has arrived.

Method: Hardcopy in post
Recommendation: If you are unable to send the personal data by email or on an encrypted CD, you should send the hardcopy to a named individual by special delivery. If particularly sensitive, you may wish to consider sending by courier. You should check that the information has arrived.

For more information on IS security, or any queries regarding the use of memory sticks or CDs, please contact the IS Helpdesk.

What should I do if the information does not arrive?

If the information has not arrived, you should report the loss of FCA material to all of the following; the guidelines and procedures outlined within the Security policy are also to be followed.

• Line management.
• Corporate Protection and Resilience (CP&R) Department.
• The IS Security Manager, in the case of loss or compromise of information contained on computer systems including laptops, Blackberries and palm tops.
• The Deputy Security Officer, in the case of loss or compromise of government classified material.
• The Data Protection Officer, in the case of information protected under the auspices of the Data Protection Act.

If you require any further information or have a query about this guidance, please contact the Information Access Team.


June 2011