LCZ-DPA 1.1 16 May 2009 This document specifies technical and non-technical security policy for the European Union Data Protection Directive as implemented by the UK Data Protection Act 1998. 1.1 16 May 2009 FOD Revised for re-release 1.0 18 June 2003 LCZ Initial Draft for public release 2001200220032009 Frank O'Dwyer To provide guidance to administators, developers, security personnel and data protection officers in implementing the UK Data Protection Act 1998. Controls specified in this document apply to all organisations who process personal data relating to citizens of the member states of the European Union. All of the organisation's information systems that process personal data will be subject to the policies specified within this security standard. The policies will be applied to both new and existing installations and should also be applied to organised manual systems. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from the Information Security team consultancy function. This standard is not a substitute for legal advice or a data protection officer. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, an item of off the shelf software, hardware, media, a data item, a data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous, except where a control relates to any Information Asset. The use of must or will indicates what the author considers to be a mandatory control. However, whether the controls listed here are mandatory for your organisation is entirely at your organisation's discretion and thus they should be interpreted as representing the strongest recommendation of the author. The use of should or recommended or ought indicates that the author believes that the controls in question are worthwhile and should be implemented unless such an implementation is impossible, onerous or impractical. Again, the implementation of controls so recommended in this document is entirely at your organisation's discretion. Ensure that all new uses of personal data by an application are made known to the data protection officer and notified to the data subjects Has it been ensured that all new uses of personal data by an application are made known to the data protection officer and notified to the data subjects? Identify all functional uses of personal data Make these known to the data protection officer Where appropriate notify the data subjects of the new uses Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that all uses of personal data by a new application are made known to the data protection officer Have you ensured that all uses of personal data by a new application have been made known to the data protection officer? Identify all functional uses of personal data Make these known to the data protection officer Where necessary update the registration of your organisation Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that explicit consent is given by the data subjects for processing of sensitive personal data originally obtained for a different purpose. Has it been ensured that explicit consent has been given by the data subjects for processing of sensitive personal data originally obtained for a different purpose? Identify all functional uses of sensitive personal data Make these known to the data protection officer Identify any different uses that are now being made of the personal data Seek explicit permission from the data subjects regarding these new uses Exclude those data subjects from the application database who do not provide explicit permission Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure you have appointed a data protection officer to manage compliance with data protection legislation. Have you have appointed a data protection officer to manage compliance with data protection legislation? Appoint an appropriate individual to act as the Data Protection Officer This may be a part time role, full time or even a team of people depending on the size of your organisation and the nature of it's activities Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Personal data must be kept only as long as required for the purposes for which it is to be processed. Is personal data kept only as long as required for the purposes for which it is to be processed? Identify every item of personal data to be processed For each data item determine a lifetime Ensure that the personal data is deleted at the expiry of that lifetime Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that the application has an audit trail that captures all uses made of personal data Does the application have an audit trail that captures all uses made of the personal data? Ensure that every application function that is used to read, write, change or delete personal data fields generates and audit record. The audit record must contain at minimum the user id associated with the action, the date and time, the action itself and the source of the user login Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information being subject to unauthorised to disclosure Business information being subject to unauthorised modification Business information being unavailable Ensure that the data gathering methods employed by the application, such as forms, only gathers correct and relevant information when processing personal data. Is it ensured that the data gathering methods employed by the application, such as forms, only gathers correct and relevant information when processing personal data? Ensure that only required data is collected Ensure that only registered processing purposes of that data is performed Ensure that data integrity checks are performed on the data to ensure that it is reasonable Ensure that the other controls in this security stanhdard are adhered to. Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information may be subject to unauthorised disclosure Business information may be unavailable Business information may be subject to a loss of integrity Ensure that all outbound recipients of personal data from this application are identifiable in the application. is it ensured that all outbound recipients of personal data from this application are identifiable in the application? Identify all of the personal data processed by the application For each data item to determine all of the outbound recipients of the data Ensure that the application logic is able to both display and report on the outbound recipients of the personal data Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information may be subject to unauthorised disclosure Business information may be unavailableh Ensure that no personal data is transferred outside the European Union unless the destination country and any intermediate countries have adopted legislation that offers an equivalent or higher level of data protection. Is it ensured that no personal data is transferred outside the European Union unless the destination and intermediate countries have adopted legislation that offers an equivalent or higher level of data protection? Identify non European Union destinations for personal data Determine whether their data protection legislation offers similar protection as that afforded in EU member states Where it does not, do not transfer the daa Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Unauthorised disclosure of business information Unauthorised modification of business information Ensure that all personal data to be processed is adequate, relevant and not excessive in relation to the purposes for which it is processed. Have you ensured that all personal data to be processed is adequate, relevant and not excessive in relation to the purposes for which it is processed? Collect only the personal data that you need Process the personal data in accordance with your organisations registered uses Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that the data subjects are notified of the purposes for which the personal data has been acquired or collected Do you ensure that the data subjects are notified of the purposes for which the personal data has been acquired or collected? On all collection forms include a section describing the uses that the personal data will be put to Periodically notify the data subjects of the uses of personal data that has been collected. Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that the data gathering forms include a checkbox to indicate that consent has been received from the data subject for the processing Is it ensure that the data gathering forms include a checkbox to indicate that consent has been received from the data subject for the processing to take place? Include a consent field on the forms for the data subject to indicate whether consent has been obtained Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that the application only processes the minimum amount of personal data necessary to achieve the business objectives of the application. Has it been ensured that the application only processes the minimum amount of personal data necessary to achieve the business objectives of the application? Verify that every field of personal data isjustified in relation to the registered purposes and the processing required. Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Unauthorised disclosure of business information Ensure that the application includes definitions for all abbreviations or codes used in the application so as to allow data subjects to have relevant information disclosed in an intelligible form. Has it been ensured that the application includes definitions of all abbreviations or codes used to allow data subjects to have relevant information disclosed in an intelligible form. Identify all abbreviations, acronyms, codes etc For each one that is used ensure that when viewing or reporting data a means of eliciting the full meaning is available Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that all sources of personal data are identifiable within the application. Is it ensured that all sources of personal data are identifiable within the application? Ensure that all fields or files that will contain personal data are identified Ensure that for each data item to be stored that a source attribute is include Ensure that the application logic has the ability to both display and report on the sources of data Ensure that unknown sources of personal data are validated through a subject survey or deleted Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information may be subject to a loss of integrity Business information may be unavailable Ensure that all the personal data is subject to appropriate technical measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage. Have you ensured that all personal data is subject to appropriate technical measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage. Perform a risk analysis against all applications or systems that process personal data Define a technical security architecture in line with the results of the risk analysis Retain the risk analysis documentation and reports to provide an audit trail of the reasoning behind the technical measures deployed Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information may be subject to unauthorised disclosure Business information may be subject to a loss of integrity Business information may be unavailable Ensure that employees dealing with the personal data processed by this application have been trained so as to understand the principles of the Data Protection Act and the impact that these principles have on the way they work. Have employees that deal with the personal data processed by this application been trained so as to understand the principles of the Data Protection Act and the impact that these principles have on the way they work? Train the employees who handle/process personal data to understand the data protection act and how this impacts working practices. Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Unauthorised disclosure of business information Unauthorised modification of business information Unauthorised loss of business information Ensure that all the personal data is subject to appropriate organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage. Is the personal data subject to appropriate organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage? Ensure that access to personal data is based upon requirements of a role and is authorised by the application or business process owner Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Unauthorised disclosure of business information Unauthorised modification of business information Loss of availability of business information Ensure that the application design and documentation includes a clear description of the purposes for which personal data is being processed. Does the application design and documentation include a clear description of the purposes for which personal data is being processed? Identify the application data to be processed Identify the processes that are to be performed on the personal data Ensure that the data and the processes to be performed are documented Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information may be subject to unauthorised disclosure Business information may be unavailable Business information may be subject to a loss of integrity Ensure that a schedule of maintenance for the personal data that is processed by this application is developed and includes destruction and retention. Has it been ensured that a schedule of maintenance for the personal data that is processed by this application has been developed that includes destruction and retention. Identify all of the personal data processed by the application Create a schedule of periodic maintenance Ensure the schedule includes validation Ensure the schedule includes destruction of data that is no longer required to be held or data that is no longer correct and does not required to be held for historical purposes Ensure that the schedule includes retention/archiving for personal data that must be kept for historic or regulatory reasons or otherwise for lawful processing Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information may be subject to unauthorised disclosure Business information may be unavailable Ensure that the application design both now and in future phases will result in processing of personal data that is both fair and lawful. Will the application design both now and in future phases result in processing of personal data that is both fair and lawful. Ensure the application design complies with the controls in this standard Ensure that the application design complies with the requirements of your organisations legal department and data protection office Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Business information may be subject to unauthorised disclosure Business information may be unavailable Business information may be subject to a loss of integrity Ensure that all personal data that is to be processed i.e. collected, organised, stored, retrieved, disclosed or destroyed is done so fairly and lawfully. Ensure that all personal data that is to be processed i.e. collected, organised, stored, retrieved, disclosed or destroyed is done so fairly and lawfully. Ensure categories of data collected match that which are actually collected Ensure that the uses of the data match the uses for which your organisation is registered. Ensure that data subjects are aware of the data that your organisation collects about them Ensure that data subjects are aware of the processing of the data that your organisation performs Ensure that as a minimum you comply with all of the controls in this security standard Ensure one of the following conditions are satisfied - The data subject gives his or her consent to the processing or If the data subject is an employee or a prospective employee, ensure that the processing is necessary for the performance of a contract to which the employee is a party or for the taking of steps at the prospective employees request with a view to entering into a contract. - The processing is necessary for compliance with a legal obligation. - The processing is necessary to protect the interests of the data subject - The processing is necessary in the public interest or in the exercise of official authority - The processing is necessary for the purposes of the legitimate interests of the processing party except where these interests are overridden by the fundamental rights and freedom of the data subject. Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission Ensure that every category or type of personal data that your organisation processes is registered with the Data Protection registrar Have you ensured that every category or type of personal data that your organisation processes is registered with the Data Protection registrar? Identify every category or type of personal data processed by your organisation Register these data types with the data protection registrar Put in place a process to ensure that this is maintained up to date For a new application processing personal data perform a gap analysis to determine whether new categories of personal data are to be processed Update your organisation's registration accordingly Non-compliance with legal requirements Censure from the Data Protection Commission Fines from the Data Protection Commission