Data protection guidelines


Volume 7 Number 6 APRIL 1985

Editor: MICHAEL COMER, Director, Network Security Management Ltd, London.

Associate Editor: FRED LAFFERTY, Director of Corporate Security, Cargill, Minneapolis.

Editorial Advisers: Patrick M. Ardis, Partner, Wildman, Harold, Allen Dixon & McDonnell. Jay J. BloomBecker, Director, National Data Center for Computer Crime, Los Angeles. Robert P. Campbell, CDP, President, Advanced Information Management Inc, Virginia. Andrew Chambers, BP Professor of Internal Auditing, The City University Business School, London. Pieter van Dijken, Former Chief of Fraud Department, N.C.I.S., The Hague. Dr. Jerry Fitzgerald, Jerry Fitzgerald & Associates, California. Fred M. Greguras, Attorney, Fenwick, Stone, Davis & West, California. Peter Hamilton, Managing Director, Zeus Security Consultants Ltd, London. Jocelin Harris, Lawyer and Banker, London. Peter J. Heims, Fellow of the Institute of Professional Investigators, London. Geoffrey Horwitz, Consultant, Johannesburg, South Africa. Alistair Kelman, Barrister and Legal Expert in Microelectronics and Computing, London. Jules B. Kroll, President, Kroll Associates, New York. R. J. Lindquist, Lindquist Holmes & Co, Toronto. Norman Luker, Security Management, Northern Telecom Ltd, Montreal. James Martin, Author and Lecturer. Adrian R. D. Norman, Consultant, Arthur D. Little Ltd. Donn B. Parker, Senior Management Systems Consultant, Stanford Research Institute, California. Alec Rabarta, Fellow of the Institute of Chartered Accountants, London. Michael I. Sobol, President, MIS Training Institute, Massachusetts. Timothy J. Walsh, President, Harris and Walsh Management Consultants, New York. Graeme Ward, Head of Audit, Abbey National Building Society, London.

Special Technical Advisors: James Khosla, Overseas Systems Security Officer for Chemical Bank, New York. Martin Samociuk, Consultant, Network Security Management Ltd.

CONTENTS

Data protection guidelines   1
Computer reports   4
Copy protection system from Lancedata   5
US report on banking frauds   6
Book review: Risk - A Computer Aided Strategy   9

DATA PROTECTION GUIDELINES

Philip Weights, Philip Weights & Associates Inc, Panama

A series of Guidelines is to be produced by the UK's Data Protection Registrar to inform data subjects of their rights and to assist users in understanding their obligations and requirements under the Data Protection Act. The Guidelines are meant to provide practical suggestions which enable readers to assess the provisions of the Act against their own particular circumstances. However, the Registrar points out that the Guidelines are not to be taken as definitive interpretations of the Act or precedent-setting decisions. The first guideline to be published is titled "An Introduction to the Act and Guide for Data Users and Computer Bureaux" and is available from the Data Protection Registrar, Springfield House, Water Lane, Wilmslow, Cheshire SK9 5AX, UK. Tel: Wilmslow (0625) 535711.

The Act sets down certain principles that users must follow, and high amongst these is the need to maintain adequate security. Neither the Guideline nor the Act defines what it would regard as adequate, and it is doubtful that specific instructions will ever be given. As under similar laws such as the Gaming Act, the onus will be placed on users and owners, who may be second-guessed with the benefit of hindsight if things go wrong. We could be wrong in this cynical opinion, but the Registrar would be an unusual Civil Servant if he were to set out and endorse standards and, more importantly, defend them on behalf of accused users who have complied with them.

Vol 7. No 6. Page 2.

The Guidelines are very useful, particularly in two areas. The first is a clear timetable for implementation of the Act:

B.9 DRAFT TIMETABLE

Some provisions of the Act are already in force, others will be implemented on the day to be appointed by the Home Secretary for the start of registration and the remainder will take effect over the following two year period. Much work remains to be done in the development of the registration process and the "appointed day" cannot yet be determined. However the Registrar is hoping to be able to meet a date at the end of summer 1985 - say in September. When the date has been fixed a further Guideline will be published giving the precise dates upon which the various provisions will come into force. In the meantime you may find the following draft timetable useful for planning purposes. The items marked with an asterisk are provisional only and may well be subject to revision.

12th July 1984
Royal Assent.

12th September 1984
A Data Subject may seek compensation through the Courts for any damage or associated distress suffered on or after this date by reason of: a) the loss of personal data relating to him, or b) access being obtained to the data or its destruction or disclosure without the authority of the Data User or Computer Bureau.

*September 1985
Registration commences. Data Users and Computer Bureaux may now submit applications to the Registrar.

*March 1986
Existing Data Users and Computer Bureaux must apply for registration before this date. Holding of personal data by an unregistered person becomes a criminal offence. Any person who knowingly or recklessly provides services without being registered as a Computer Bureau commits a criminal offence. Registered Data Users become bound to operate within the terms of their register entries. Data Users become liable to pay compensation in respect of damage or associated distress suffered on or after this date by reason of inaccuracy of personal data. The Court may order rectification/erasure of inaccurate personal data.

*September 1987
The "subject access" provisions come into force. The Registrar's powers of supervision are fully in operation. Any notices which he has served before this date may now take effect.

The Guideline also gives an action plan for Users to ensure that they comply with the Act:

B.10 PREPARING FOR THE ACT

It is essential that Data Users and Computer Bureaux start to consider how they will meet their obligations under the Act as early as possible. This section gives some simple guidance as to steps which might be taken. The detailed action taken will, of course, vary from organisation to organisation.

By taking the following steps NOW you can put your organisation in a position to comply with your obligations.

STEP 1 - Appoint A Data Protection Co-ordinator

His or her job will be to lead your organisation through the processes of ensuring compliance with the Act, including establishing the on-going mechanisms to ensure future compliance. In large organisations this may be a full time appointment, at least during the preparatory stages. In smaller organisations the task may be combined with other duties. In either case, GIVE YOUR DATA PROTECTION CO-ORDINATOR THE TIME AND AUTHORITY TO CARRY OUT HIS OR HER TASKS. Data Protection Co-ordinators should:

- brief themselves on the Act by reading it and also the various publications now appearing on it so that they can provide information for their organisations;

- make contact with appropriate trade or professional bodies. These bodies will be collecting experience and noting problems. They will be helpful, not only for advising their members, but also by acting as a two-way channel between their members and the Registrar.

STEP 2 - Inform Your Staff Of The Implications Of The Act For Your Organisation

By providing early guidance to your staff on the principles with which your organisation must comply, you will help to establish awareness and the attitudes necessary to meet your obligations.

STEP 3 - Conduct a Census of the Personal Data Used in Your Organisation

Locate all the personal data which may be covered by the Act. (See B.2 - The Definitions.) Determine the purposes for which they are held, from whence collected and to whom disclosed. Establish who is responsible for the data. Identify particularly data which might require special security. Do not restrict this census of data to that held on mainframes or processed through data processing departments. Data held and used in other equipment, for example, microcomputers in user departments, may also be covered by the Act.

STEP 4 - Check The Exemptions

Consider whether any of the personal data you have identified as being covered by the Act are subject to any exemptions (see B.6 - The Exemptions).

STEP 5 - Check Your Current Compliance With The Principles (see B.4 - The Data Protection Principles)

For example, are your data secure, accurate, up-to-date? If not, institute action to correct the situation. In particular, initially, you should give attention to the security of data, bearing in mind the right that individuals now have to seek compensation for damage and associated distress which might arise from loss, destruction, unauthorised disclosure or access to data.

© 1985 Elsevier Science Publishers B.V. (Information & Business Division), Amsterdam. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. please see special regulations listed on back cover.) 184 / $0.00 + 2.20


STEP 6 - Prepare For Registration (see B.3 - The Registration Process)

Consult your trade association or professional body as to whether standard registration entries are being prepared which may be useful to you. Determine your policy towards registration - one registration or several? In determining this policy have regard not only to internal control and organisation but also to any future requirement for subject access. Your trade association may be considering this matter for its sector. Consider whether you should register as a Computer Bureau as well as a Data User. For many Data Users this will be necessary. They may, for example, wish to provide a back-up facility for another Data User, thus acting as a Bureau.

STEP 7 - Establish Future Procedures

Establish the organisation, responsibilities and procedures necessary to:

- monitor compliance with the Data Protection Principles;

- warn of changes necessary in your registration entries;

- meet subject access requests when this becomes a requirement under the Act.

STEP 8 - Set Up and Maintain Appropriate Training Programmes

Identify those staff whose duties will have a bearing on the collection, monitoring, use and protection of personal data. Then ensure that they are fully trained in the procedures necessary for compliance. Make sure that other staff are aware of the procedures and any requirement for them to contribute to their observance.

STEP 9 - Keep Informed of Developments in Data Protection

Maintain a Data Protection Co-ordination responsibility for this purpose, even after you have registered and established your on-going mechanisms for complying with the Act.

Computer Bureaux

If your organisation is a Computer Bureau, you must register the fact. Registration will be simple, essentially requiring the name and address of the organisation. Computer Bureaux should review and assess their security procedures, for this will be a principal concern.

Footnote: the inset sections are direct quotations from the Guidelines. The Registrar's permission to reproduce these is gratefully acknowledged.

COMPUTER REPORTS

After the six day war against Egypt, General Dayan was asked what he would have done if Israel had lost. He is alleged to have said that he would have started another war in the name of his wife! The quotation came to mind in light of the plethora of reports on computer crime now being assembled throughout the World. It seems if work is a bit slack, anyone can compile such a report and float it on the unsuspecting public as the definitive article. It is always amazing that different authors, using the same source material, can produce such disparate results. In one, the major threat to computer security is said to be the auditor, in another it is "miscellaneous users" and in another, programmers are the danger. Average losses range from $3000 to $450 000, depending on the report concerned. Recent publications have been sponsored by the Audit Commissioners for Local Authorities in England and Wales, which can be obtained from Her Majesty's Stationery Office, Holborn, London WC1, price
