BUSINESS STANDARDS
is the online magazine of BSI Group, highlighting the vital role that standards play in today's business environment by helping organizations improve quality, save money, reduce risk and be more sustainable. Features include interviews with leading business figures, as well as news on the latest developments in management systems, standards, testing, healthcare and certification.


Providing and protecting personal information: BS 10012

06 Aug 2010
Topics: Data protection, BS 10012, Information security, ISO/IEC 27001, Information mgt

Organizations face two big pressures when it comes to dealing with personal data: transparency and security. How can they ensure that the right information is accessible by the right people at the right time? New standard BS 10012 can help the public and private sectors alike to get their data houses in order.

The world has reaped the benefits of the fast flow of information for many years. Ten years ago organizations had to deal with gigabytes of data. Five years ago they started talking about terabytes. Today petabytes of data are being transferred and stored, with exabytes just around the corner. Each one is a thousand times larger than the last, offering huge business opportunities.

At the same time this information has been opened up for many more to see. Information is moved and shared in many forms far more readily, but growth and openness has come at a cost. The biggest concerns surround ensuring information stays safe at all stages of any journey and that it is always used appropriately.

A global problem

This isn't always easy and even the largest, most technologically advanced, international companies can apparently struggle with it. Google, for example, has recently run into complications with its ambitious Street View project to produce photo-based mapping of towns and cities all over the world. The internet giant had to admit that it had been "mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks" whilst it was gathering mapping information - although it was quick to add that it "never used that data in any Google products".[i]

Google senior vice president of engineering & research, Alan Eustace, explained the situation in an official company blog post in May: "As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible.

"This incident highlights just how publicly accessible, open, non-password-protected WiFi networks are today."

Google insists the error was an innocent "mistake", but the row has made data-protection waves right around the world.

Connecticut attorney general Richard Blumenthal recently formed a 37-state coalition in the US, all calling on the search giant to answer further questions and list the specific locations where the unauthorized data collection occurred.

"We will take all appropriate steps, including potential legal action if warranted - to obtain complete, comprehensive answers," he said in a statement. "Google must come completely clean, fully explaining how this invasion of personal privacy happened and why."

Keeping compliant

The Google case effectively highlights the way all businesses must be able to demonstrate that risk-management policies for data are entirely fit for purpose.

The EU's Data Protection Directive, for example, lists eight principles for anyone storing and processing personal data, including that information is relevant, accurate, processed for limited purposes only, not kept for longer than is necessary, and is fully secure. Other jurisdictions have similar sets of principles. However, data protection legislation such as the UK's Data Protection Act (DPA) does not typically offer a cast-iron framework for ensuring compliance. Each organization is instead responsible for establishing its own systems and technology as appropriate.

The BSI standard for data protection - BS 10012:2009 Data protection. Specification for a personal information management system - can help here, as it has been specifically developed to reduce the risks an organization faces in managing personal information. Suitable for public and private organizations alike, the standard lays out a series of steps for the creation of a robust personal information management system (PIMS), including decisions surrounding employee training and general risk assessment, as well as strategies for devising data sharing, retention, disposal and disclosure policies.

"Legislation tells you what you have to do, but it doesn't tell you how to go about doing it," summarizes BSI's head of market development for ICT, Breda Corish.

"An organization has to consider the various jurisdictions in which it operates, which will define the minimum acceptable bar. The standard provides a highly structured management framework within which it can embed the details of policies to meet the needs of those jurisdictions."

The standard follows the well-established Plan-Do-Check-Act (PDCA) management methodology for incremental improvement, and it also recommends management structures for effective risk mitigation.

It calls for an accountable and responsible "data controller" to be appointed, well supported by sufficient resources and suitably trained staff. Then it lists the data duties that need to be carried out by all staff on a daily basis and details methods to ensure the correct classification of any personal data collected for business purposes.

However, the standard also acknowledges other approaches that might be taken for especially complex operations, including international businesses.

"Where organizations are part of a longer supply chain, or operating in multiple jurisdictions, the framework provides a very good way of showing this is where it is personally setting the bar," explains Corish.

Finally, in the event that lines of risk management do fail, it includes guidance for triggering corrective action, such as notification to the relevant regulator that a breach has occurred.

Stakeholder strategy

The long-term vision of BS 10012 should help to minimize the risk of unauthorized access and accidental data leaks alike, as well as increasing confidence in personal data handling and demonstrating ingrained commitment to data security. Productivity also increases, as employees are more assured of their roles and responsibilities.

Compliance with the standard can also be an early indication that the development of strategy and procedures is robust enough to seek external certification to a further standard, ISO/IEC 27001:2005 Information technology, which demonstrates general information security excellence. Certification to this standard can reassure customers, trading partners and auditors - anyone with whom the organization must have a strong relationship.

ISO/IEC 27001 specifies requirements for an organization to show it has proportionate security controls in place to form a full Information Security Management System (ISMS). Launched in 2005, the standard follows a process similar to that behind the BS 10012 PIMS, involving continuous monitoring and maintenance for gradual improvement. BSI's Richard Taylor, global product manager for risk, explains that there are clear "touch points" between the standards. ISO/IEC 27001 provides the requirements and guidance for an ISMS, and BS 10012 provides detailed requirements as to how to implement a PIMS, which provides a framework for maintaining and improving compliance with data protection legislation - a control required within ISO/IEC 27001.

The consultancy Ultima Risk Management (URM), for example, has already had its internal ISMS certified to ISO/IEC 27001, but it now sees the introduction of BS 10012 as an important further milestone.

"Being able to demonstrate to key stakeholders, including customers and suppliers, that your organization complies with the DPA has always been a challenge," explains business development director Liza Dargan.[ii]

"BS 10012 represents a major breakthrough in this respect and will enable organizations to demonstrate that they are handling personal information in a structured and responsible way."

It is especially vital for URM to demonstrate it embodies the highest information security standards, as it provides consultancy and training in business continuity and information security to clients itself.

The company describes its mission as being to "get the balance right".

"There are a number of different perspectives to getting the balance right but one of the most important is the concept of achieving the optimum management system," it says.

Taylor agrees. There is currently no independent statement of certification for BS 10012 in the UK, but he says that there are significant signs of companies using the standard and enquiring about certification, and the BSI UK office will continue to monitor the situation as interest develops. It has also launched a BS 10012 data protection training course, while a certification scheme based on the standard is already under way in Korea.

Indeed, Corish points out that BS 10012 has generated significant international interest since its launch in 2009, including in Malaysia, where the Personal Data Protection Act 2010 recently passed into law.

Concerning consensus

However, the increasing globalization of businesses has clearly complicated legal compliance. Different jurisdictions still set their own data protection legislation. Although there have been some notable recent moves towards more international cooperation, including the suggestion of an "umbrella" arrangement between the EU and the US allowing greater volumes of personal data to be shared, there is no globally agreed code of conduct.

How then can security of data be ensured when it is sent overseas, for example in an outsourcing arrangement? The economic downturn has led many more businesses to consider the potential benefits of offshoring operations to lower-cost locations, and this means letting go of at least some of their information. But as BS 10012 is clear, responsibility for that data still rests with the data controller who collected it.

"It's very important that businesses appreciate that while they may have delegated day to day management of information, they're not also delegating responsibility for personal information," says Corish. "It is the organization obtaining the information in the first place that is the data controller.

"Compounding that, you have the fact there isn't just one Data Protection Act around the world. Even within Europe there are some variations in how the data protection legislation is implemented. In some countries differences can reflect cultural stances around issues such as privacy.

"For businesses that means you don't only have to meet the requirements of the country you're based in. You have to consider the international dimension as well."

"Advances in technology have generated global data flows on a scale which was unimaginable when most laws were drafted," explains Richard Thomas, a global strategy advisor to the Centre for Information Policy Leadership at international law firm Hunton & Williams. "The difficulties faced by national laws in coping with the challenges of cross-border activity accelerate the need for new thinking."[iii]

A complication blurring jurisdictional boundaries still further, meanwhile, is the growth of so-called Cloud Computing - outsourcing some computing requirements to a team of IT specialists that may be located many miles away. In July, UK regulator the Information Commissioner's Office (ICO) therefore outlined a new code of practice specifically for online personal information, which urges businesses to ensure that they have a written contract for any Cloud services that clearly stipulates data expectations.

"Organizations may not be certain where the personal data is being processed," the code states. "Your use of an internet-based service must not lead you to relinquish control of the personal data you have collected, or expose it to security risks that would not have arisen had the data remained in your possession in the UK."

The power to protect

Meanwhile, the cost of being caught not complying is increasing. The UK regulator recently won new powers to penalize firms that fall foul of its rules. From April this year it was able to fine businesses as much as £500,000 - up from a previous maximum of £5,000 - for the most serious breaches.

The fundamental consideration here will be whether a company's actions have been "reckless", Corish explains. There could be a major breach that has happened by accident, for example, but the data controller has failed to show due diligence in attempting to prevent a possible contravention.

The new financial deterrent is as yet untested, but the watchdogs also have other weapons. Reputation is at stake if the ICO opts to publicize cases, which it seems increasingly keen on.

In May, for example, it thrust the spotlight on the UK's National Health Service (NHS) after a spate of new data breaches. It transpired that one NHS Trust had emailed a spreadsheet of patient records, without password protection, through an unsecured email address, with another body failing to file some 2,000 records and subsequently losing them. After an accumulation of cases, this prompted the ICO to go public with its assessment, explaining the NHS had accounted for a quarter of all reported breaches.

At the same time, Information Commissioner Christopher Graham has recently called for even tougher, custodial sentences for the growing illegal trade in personal data. Many of the most high-profile cases of data losses have been a result of negligence - lost laptops and other electronic devices, or procedures not followed - but in November last year it emerged that employees of mobile telephone operator T-Mobile had deliberately passed on the personal data of thousands of customers, including contract details, to third-party brokers for personal gain.

"Respect for information rights is not optional," Graham has warned. "Organizations that ignore their responsibilities will not only lose the confidence and trust of citizens and consumers but could face painful enforcement action from the ICO as well."

Tough times ahead

One thing's for sure. Data protection and information security requirements are unlikely to get any less onerous any time soon.

In June the European Commission expressed fresh frustration with the way its EU Data Protection Directive had been worked into UK law to date, as it has on a number of occasions in the past. Although one of the EU's principles is that information should not be transferred to another country without adequate protection, the EC believes the UK regulator does not, in fact, have the power to assess other countries' data protection policies properly.

Other concerns include the fact that the regulator is not permitted to perform random checks of those processing personal data.

"Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement," criticized Viviane Reding, Commissioner for Justice, Fundamental Rights and Citizenship.[iv]

With that same watchdog voluntarily sharpening and showing its teeth, companies caught not handling personal data with care could be in for a very difficult time.


[i] http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html
[ii] http://www.ultimariskmanagement.com/consulting/DP/bs10012.asp
[iii] http://www.hunton.com/news/news.aspx?gen_H4ID=16650
[iv] http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/811


Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.

