Personal Data Guardianship


  • 7/29/2019 Personal Data Guardianship

    1/12

    Enabling the information society

    Personal Data Guardianship Code


    Why is a code necessary?
    Personal data is data about ourselves that we may wish to keep private, such as our mobile phone number, medical history or religious belief. We should all recognise the value of our personal data, and also treat other people's personal data as we would wish them to treat our own. Personal data is held by many organisations (e.g. central and local government, banks, retail stores, service providers and social clubs). This means that we are all data subjects in legal terms.

    All organisations holding personal data have legal obligations under the Data Protection Act 1998 to ensure that it is managed well. Each organisation should appoint at least one senior level responsible person who is accountable for the purpose and manner in which personal data is collected, processed, stored and disposed of. Workers across an organisation, because of the nature of their roles, may also act as data handlers to manage personal data.

    The Data Protection Act 1998 (DPA) contains eight Data Protection Principles. These state that personal data must be:

    1. processed fairly and lawfully;
    2. obtained and only used for specified and lawful purposes;
    3. adequate, relevant and not excessive;
    4. accurate, and where necessary, kept up to date;
    5. kept for no longer than necessary;
    6. processed in accordance with the individual's rights;
    7. kept secure;
    8. only transferred to countries that offer adequate data protection.

    Example 1: To ensure your newspaper is delivered, your newsagent can create a database containing your personal details and subscription records. This imposes the same basic obligations on the newsagent as on a large private or public sector organisation to manage personal data well.

    Organisations generally describe how they intend to ensure they follow the eight Data Protection Principles. Organisations also publish Privacy Notices to inform personal data subjects about what will happen to the data collected about them and how that data will be processed and shared.

    The loss of our personal data, say through theft of an unencrypted laptop, may leave us vulnerable to a variety of risks, dependent on our circumstances. The increased use of technology and the growth of identity fraud have increased that vulnerability, demanding increased vigilance from individuals, as well as organisations.

    Mobile phones and the internet have provided us with enormous commercial and social opportunities, enriching our lives by enabling social networking. They have also stimulated a growth in the use and range of tools employed, such as: email, SMS and blogs. The desire to volunteer and broadcast our personal data openly to our friends, family and colleagues can be more risky in the electronic environment than face to face. We all need to be aware of the risks of sharing our personal data with others and take common sense precautions throughout our personal and working lives. Equally we need to be aware of the consequences of withholding our personal data, but we should not be coerced into providing it.

    Example 2: Information about a party at home posted on a personal networking site may result in hundreds of uninvited guests arriving at your home, unless you ensure that the security settings restrict the information to those you would choose to invite.

    Example 3: An employer has a legal right to look at emails on their server. Your employer may have asked you to sign a code of practice in relation to email that gives the employer the right to access and read personal data that you have sent in an email to a friend at work or vice versa.

    Every organisation which handles personal data should have in place specific rules and procedures that protect the rights of data subjects. This Personal Data Guardianship Code is intended to help organisations and the people in them who handle personal data understand their individual responsibilities. It aims to promote best practice and provide common sense guidance, in the same way that the Highway Code provides guidance to motorists to enable them to drive safely for the benefit of both themselves and other road users. This is a code of good practice that encompasses discharging your legal duties. It will also help the general public understand how to protect their personal data.

    www.bcs.org www.theisaf.org

    This Code is not intended to be legal advice and where the reader is unsure about any aspect of the DPA or other Acts and regulations they should seek legal advice or visit the website of the Information Commissioner www.ico.gov.uk


    Structure of the code
    The Code identifies the principles and responsibilities on which best practice is based. The Data Life Span is shown below and is described in detail in this booklet. The three reference sheets provide an alignment of the Code with the roles and responsibilities of the responsible person and the data handler and an overview of the rights and responsibilities of the data subject. See inside front cover for an explanation of these roles.

    The data life span
    Personal data is normally collected in order to provide some service to the data subject. Personal data goes through a three-stage handling life span: input, use and output, as shown in the diagram below, together with its components and processes.

    Key references
    The key acts and regulations that this Code is based on are: the Data Protection Act 1998, the Human Rights Act 1998, the Freedom of Information Act 2000 and the Privacy in Electronic Communications Regulations 2003. Other UK and EU legal rules and work led by BCS to develop a simple and consistent framework for handling personal data have also been drawn on.


    [Diagram: the Data Life Span]
    INPUT: Collection; Verification and Cleansing
    USE: Primary Use; Maintenance; Updates; Backups; Sharing
    OUTPUT: Secondary use; Copying; Reuse; Exporting; Disposal
    Review at each stage. Requirement initiated by policy or commercial decision; approved distribution to partners and intermediaries.


    The principles of good data governance

    Accountability
    All those holding personal data should follow publicly accessible data governance principles that include clear management responsibility, authority and the processes for: collecting, retaining, identity matching, sharing, disseminating, disposing of, risk assessment, security and audit of personal data. If this is done correctly, it will foster public trust and safeguard the personal data within their care.

    Example 4: An organisation that sends an unencrypted CD containing sensitive personal data by post is clearly not following sound governance procedures for protecting personal data held in their charge. People who should be considered at fault are: (1) the Board, who are ultimately responsible, (2) the responsible person who is accountable and (3) the data handler who sent out the CD.

    Visibility
    Subject to some legal exceptions, data subjects have the right to be informed of and to access all data about themselves that an organisation holds. There may, however, be a charge for this. They have the right both to correct this data if it is wrong and to know who has had access to it.

    Example 5: Data subjects have the right to see their personal data held by credit rating agencies and the right to correct the data when they can demonstrate that it is wrong.

    Consent
    In each situation the collection and use of personal data has to be fair and lawful and in accordance with the eight data protection principles. There must be a proper basis for processing personal data meeting one of the conditions for processing set out in schedules 2 and 3 of the DPA. Individuals should be given as much control as is possible over how their personal information is used and disclosed. This means giving them clear information about this when they provide their personal data and seeking their consent where this is appropriate. Explicit consent will be particularly necessary where uses/disclosures of sensitive data, such as medical information, are contemplated.

    Example 6: Your employer is legally obliged to pass on data relating to your earnings to HM Revenue and Customs and getting your consent to this is clearly inappropriate, but a request for your earnings details from a building society to verify a mortgage application would require your explicit consent before these details could be passed on.

    Otherwise, personal data should only be used for the purposes to which the data subject has agreed. If the collecting organisation wishes to use the personal data for another purpose or pass it on to a third party, the data subject's consent should be explicitly obtained.

    Example 7: The delivery address provided to a retailer during the purchase of a washing machine should not subsequently be used for sending marketing material about a new television or passed to a third party, without first obtaining the data subject's consent.


    Data subjects should also consider the potential implications of withholding their consent.

    Example 8: Failure to provide a minimum of personal data (such as a home address) may result in a supplier being unable or unwilling to enter into a delivery contract with the data subject.

    Example 9: If a data subject withholds their medical records, it may not be possible for a hospital to provide the level of medical care that might be possible if a full medical history were known.

    Access
    Everyone should have a right to know the roles and groups of people within an organisation who will have access to their personal data. There should be an audit trail within the organisation showing who has actually accessed personal data. For certain types of personal data, such as health, sexuality, religion and membership of organisations like trade unions or political parties, data subjects should have the right to allow access to their personal data only with their explicit consent.

    Example 10: Not all staff working in a medical clinic should have access to a data subject's identifiable medical records. These should only be accessed by staff directly engaged in the data subject's care and treatment.

    Example 11: The new girl guiding database holds personal data on all girls and adults involved in guiding. It is the policy of Girlguiding UK that all personal information will only be used for guiding purposes and will never be passed on to a third party.

    Stewardship
    Those collecting personal data have a duty of care to protect it throughout the data life span. They need to ensure that anyone using it understands the risks associated with its use, the purposes for which consent has been obtained and its accuracy (e.g. whether the personal data has been verified or is interpretation and hearsay, when it was collected, if it has a finite useful life and if it has been cleansed). Where personal data is passed on to a third party, thus creating a community of sharing, the organisation that originally collected the personal data should ensure that any caveats associated with their use of it are passed on and permission is obtained from the data subject.

    Example 12: Many organisations have outsourced some support services, for example payroll. Where an organisation commissions a supplier to collect personal data, the responsible person in the outsourcer or third party supplier is equally accountable for abiding by data protection principles as the responsible person in the original collecting organisation.


    Duties of the responsible person

    All organisations holding personal data must designate at least one senior level responsible person, who is accountable for personal data. (Where an organisation has multiple databases there may be a separate responsible person for each database.) The organisation should also have a data assurance and privacy policy. This policy should set out the governance arrangements for data security and privacy. Ultimately, responsibility rests with the Board, specifically with the Board of a private sector organisation, the accounting officer of a public sector organisation and the trustees of a charitable organisation.

    Good governance makes clear who is responsible (the Board) and who they have made accountable (the responsible person) for the protection of all personal data collected. The responsible person who is accountable can delegate to other people and outsourcers the authority for all or part of the processes in the Data Life Span, e.g. data input, data correction, data disposal. It should be clear, at all points in the Data Life Span, who has been authorised to handle personal data and the extent of their authorisation.

    Organisations that hold personal data have a responsibility to ensure the accuracy and relevance of that data and to have effective processes in place for its review, maintenance and disposal. They also have a responsibility only to collect and hold the minimum of personal data needed for the service(s) offered.

    Input - collection, verification and cleansing

    Accountability
    The responsible person is accountable for collecting, maintaining and handling personal data within their organisation. This means that they:

    must clearly state the purpose for which the personal data is being captured and used, and with whom and why the data will be shared;

    should ensure that appropriate governance procedures, including undertaking a risk assessment, are in place to safeguard the data and its use throughout the Data Life Span;

    are responsible for ensuring the relevance of the personal data their organisation collects for the stated purpose(s).

    The responsible person in an outsourcer or third party supplier is equally accountable for abiding by data protection principles as the responsible person in the original collecting organisation.

    Visibility
    The responsible person must clearly state the purpose(s) for which the personal data is required. The purpose should be consistent with the transaction being offered. If the responsible person wishes to use the personal data for a wider purpose, this should be on the basis of the data subject opting in to the wider use, not part of the default terms and conditions. The responsible person should state if the personal data is likely to be shared with any third party.

    Consent
    The responsible person should ensure that their organisation explicitly secures the consent of personal data subjects before storing and/or accessing personal data. They should also ensure that they have consent to share with third parties, if they intend to do so (other than where they are legally obliged to pass personal data on to government bodies).

    Access
    The responsible person must ensure that appropriate physical, personnel and electronic controls and management processes are in place to protect and secure access to all personal data in their custody, from both external attack and interference and internal abuse.

    Stewardship
    The responsible person must ensure that any personal data their organisation collects is the minimum needed for the stated purpose(s). The responsible person should ensure that any personal data held by their organisation has properties such as checks on accuracy and retention time or relevant expiry date associated with it. The integrity of personal data must be maintained throughout the Data Life Span. A risk assessment of the data holdings should be carried out from the time of collection. This assessment should be associated with the data throughout the Data Life Span. If the collecting organisation has consent to share that data with any third party, the responsible person should ensure that the third party understands both the risks associated with the data holding and any caveats associated with its integrity. The responsible person in the collecting organisation should ensure that they have passed on their obligation to protect data throughout any community of sharing. There should be an onus on the responsible person to manage the extent to which free-format input by data subjects to blogs and forums is published with attributions and to make the extent of publication clear to data subjects at the point of signing up.

    Use - primary use, maintenance, updates, backup and sharing

    Accountability
    The responsible person is accountable for personal data held by their organisation and must ensure that:

    appropriate operating procedures and security control mechanisms, including access logging, are in place to prevent improper access to personal data;

    the integrity and sustainability of the personal data that they hold are maintained by regular maintenance, updates, backups and appropriate data matching procedures.

    Visibility
    The responsible person must ensure that effective and timely processes are in place for dealing with data subject enquiries relating to their personal data and also for processing data corrections and removals.

    Consent
    Where there is not a legal obligation to share personal data, the responsible person should obtain consent from the data subject before passing it on to a third party or using it for a secondary purpose, for which consent was not obtained at the time of data collection.

    Access
    The responsible person should maintain an audit trail of accesses to personal data.

    Stewardship
    The responsible person should regularly review their business processes and personal data holdings to ensure that the scope, accuracy and currency of that personal data is maintained. The responsible person is responsible for correcting personal data errors pointed out by the data subject or otherwise identified.

    Output - secondary use, copying, reuse, exporting and disposal

    Accountability
    The responsible person in an organisation that uses or reuses personal data:

    should clearly state how long personal data will be held and must ensure that personal data is disposed of securely;

    should ensure that, if personal data is to be shared, the relevant authorisation has been obtained from the data subject.

    Visibility
    The responsible person should maintain an accurate record of what personal data was shared with third parties and why, and records of secure disposal.

    Consent
    Where there is not a legal obligation to share personal data, the responsible person should seek approval from data subjects if all or part of their personal data is to be passed to a third party not previously identified.

    Access
    The responsible person must ensure that no third party may have access to personal data without the appropriate authority to do so.

    Stewardship
    The responsible person should ensure that:

    any caveats relating to the personal data at the time of collection are linked to the data throughout any sharing process and the boundaries of stewardship and ownership of risks are made explicit for all parties;

    personal data no longer required to support the business process is securely deleted.


    Responsibilities of the data handler


    Data handlers are the people within organisations who are authorised to handle personal data. As an individual handling personal data, you need to know who, in your organisation, is ultimately responsible (a board member) and accountable (the responsible person) for that personal data and exactly what you, as an individual data handler, have been authorised to do with that data. That authorisation should be in writing and not an informal arrangement or request. You should never exceed your authorisation and should query anyone who asks you to exceed it.

    The data life span

    [Diagram: the Data Life Span - INPUT (Collection; Verification and Cleansing), USE (Primary Use; Maintenance; Updates; Backups; Sharing), OUTPUT (Secondary use; Copying; Reuse; Exporting; Disposal)]

    Input - collection, verification and cleansing

    Accountability
    Authorised personal data handlers are accountable to the responsible person in their organisation for the accurate collection and transcription of personal data from the data subject.

    Visibility
    Data handlers should maintain high ethical standards when accessing personal data.

    Consent
    Data handlers tasked with the collection of personal data should verify that the consent of the data subject has been obtained for the personal data collected.

    Access
    Data handlers should only collect and store the essential personal data required by the organisation for the purpose(s) stated.

    Stewardship
    Data handlers have a duty of care with respect to the personal data they handle to ensure that its integrity is maintained.


    Use - primary use, maintenance, updates, backups and sharing

    Accountability
    Data handlers should ensure that they only access personal data in strict accordance with legitimate business needs, within their delegated authority.

    Visibility
    Data handlers should maintain high ethical standards when dealing with personal data and not make it available to unauthorised people.

    Consent
    Data handlers should ensure that they have the relevant authorisation prior to using and/or sharing personal data.

    Access
    Data handlers should only access personal data when they have a legitimate reason and authority to do so, and should ensure that the integrity of the personal data is maintained during transit and sharing.

    Stewardship
    Data handlers should report, and where possible resolve, inconsistencies and/or errors in the integrity of personal data.

    Output - secondary use, copying, reuse, exporting and disposal

    Accountability
    Data handlers should ensure that anyone requesting access to, or copies of, personal data is authorised to receive it.

    Visibility
    Data handlers should maintain records of any transfer or disposal of personal data.

    Consent
    Data handlers should ensure that they have authorisation to use, share or export personal data.

    Access
    Data handlers should only copy or pass on personal data when they have a legitimate reason and the authority to do so.

    Stewardship
    Data handlers should ensure that if personal data is to be sent to a third party either electronically, or via removable electronic media, then the data is encrypted or protected in a manner appropriate to its sensitivity and accompanied by specific instructions clearly relating to any caveats about or restrictions on access or use.


    Rights and responsibilities of the data subject


    Our personal information is held by many organisations, which means in legal terms that we are all data subjects.

    Protecting your personal data
    When personal data goes missing or falls into the wrong hands, it can be embarrassing, costly and emotionally draining for those involved.

    You have responsibilities over the protection of your information. You also have the right to expect organisations to handle your information lawfully.

    What do you need to know?
    Organisations have to operate within the law when handling information about you. This includes information about you that is in the public domain.

    Organisations need a reason for holding your information.

    What are your rights?
    You have the right to:

    obtain a copy of all of the personal information that an organisation holds about you. You may need to pay a small fee to the organisation;

    choose not to receive direct marketing information. You can request this by writing to the organisation concerned;

    have incorrect, misleading or out-of-date personal information about you corrected;

    know whether an organisation, or someone acting on their behalf, is processing personal information about you;

    know what information is being processed, why it is being processed and to whom it may be disclosed;

    know where an organisation received its information about you.

    What are your responsibilities in protecting your personal data?
    Think before disclosing your information, and think again...

    Never give your bank account or password information when the conversation was not initiated by you.

    Only disclose information that is needed by the organisation.

    Question why someone might ask for your particular personal information.

    Visit Get Safe Online (www.getsafeonline.org) and apply its advice.

    What can you do when it goes wrong?
    If you think an organisation may have breached the Data Protection Act in the way it holds and handles your personal information, you can complain to the Information Commissioner's Office.

    For advice on how to complain, visit www.ico.gov.uk or telephone their helpline on 08456 306060.

    The Information Commissioner's Office website contains a Personal Information Toolkit and other resources to assist in raising awareness of the rights of data subjects, see http://www.ico.gov.uk.


    BCS The Chartered Institute for IT

    First Floor, Block D, North Star House, North Star Avenue, Swindon SN2 1FA, United Kingdom.
    T +44 (0) 1793 417 424
    F +44 (0) 1793 417 444
    www.bcs.org/contact
    The British Computer Society (Registered Charity: No. 292786)

    The Information Security Awareness Forum www.theisaf.org