One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Catchup - Government Data Handling Review

Wednesday, June 6, 2012 - 09:36

I've been reminded that at last year's Network Strategy Workshop I promised to keep you informed about Government policy on handling personal data...

Most readers will remember the incident a couple of years ago when two CDs containing bank details of a significant proportion of UK adults were lost in transit somewhere between HMRC and the Audit Commission, and the subsequent rash of reports of personal data lost by both public and private sector organisations. In response the Government commissioned the O'Donnell Review of Data Handling Procedures in Government, whose recommendations are now a requirement for central government departments. Many departments are also passing these requirements on, sometimes in modified form, to agencies and others involved in delivering their services. This has resulted in derived guidance such as that provided by Socitm and the Local Government Association which I find rather more readable than the original report. In education this trickle-down process seems to have progressed furthest in the schools sector: Becta have published good practice guidance on how technology can be used to support the data handling requirements.

Most of the recommendations of both reports concern organisational measures, responsibilities and training; however, the reports recognise that these must be supported by appropriate use of technology. Too many privacy breaches involve personal data on laptops, memory sticks and other portable storage media that are either lost or stolen. So, as well as reminding organisations to take better care of their hardware, the reports also recommend that encryption should be considered so that if devices are lost then the data they contain cannot be read. The original O'Donnell report suggested that encryption be mandatory for any portable device with information about more than a thousand people, or information likely to cause significant harm if disclosed; departments are allowed to reduce the threshold but not to increase it.
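As an added illustration (not from the original post, nor from any of the reports it cites) of what the threshold and the encryption recommendation look like when turned into a routine check, the shell script below decides whether a file headed for a portable device falls under the O'Donnell threshold and, if so, wraps it in passphrase-based AES-256 encryption using the openssl command-line tool. It assumes openssl is installed, that the data file is a CSV with a header row and one person per line, that the caller supplies the "likely to cause significant harm" judgement as a flag (no script can make that call), and that the passphrase is passed in the FILE_PASSPHRASE environment variable; all of those are my assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the reports it cites.
# Assumptions: openssl CLI present; CSV input with a header row and one person
# per data row; the caller decides the "sensitive" flag; passphrase supplied in
# the FILE_PASSPHRASE environment variable (kept out of argv, so it does not
# show up in process listings).
set -eu

# needs_encryption RECORD_COUNT SENSITIVE(0|1)
# The threshold quoted in the post: more than a thousand people, or data
# likely to cause significant harm if disclosed. Returns 0 (true) if the
# file must be encrypted before it goes on a portable device.
needs_encryption() {
    count=$1
    sensitive=$2
    [ "$count" -gt 1000 ] || [ "$sensitive" -eq 1 ]
}

# count_people CSV_FILE
# Number of data rows, i.e. people, excluding the header line.
count_people() {
    n=$(wc -l < "$1")
    echo $((n - 1))
}

# encrypt_file IN OUT
# AES-256-CBC with a key derived from FILE_PASSPHRASE by PBKDF2 (200000
# iterations) and a random salt stored in the output header.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}

# decrypt_file IN OUT
# Reverses encrypt_file; fails (non-zero exit) with the wrong passphrase.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}

# Usage with a constructed file (not real data):
#   printf 'name,account\nAlice,11111111\n' > people.csv
#   if needs_encryption "$(count_people people.csv)" 1; then
#       FILE_PASSPHRASE='choose-a-long-passphrase'; export FILE_PASSPHRASE
#       encrypt_file people.csv people.csv.enc
#   fi
```

The passphrase is read from the environment rather than the command line so that it is not visible to other users via the process table; the organisational half of the measure, which no script can enforce, is that the passphrase is never stored or carried together with the device it protects.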

Since the O'Donnell report is being cascaded down through government it seems likely that some variant of it will reach most of us one day, if it hasn't done so already. In any case the value of protecting portable data using encryption is now well established in public opinion, and that of regulators, so when the Data Protection Act requires that all organisations take "appropriate technical and organisational measures" to protect personal data (principle 7) it seems likely that encryption of portable devices is one of those measures. Organisational measures are required too - don't be like the person (or their employer) who lost an encrypted memory stick with the passphrase stuck to it on a post-it note!