Information Governance Professor Alan Gillies FBCS CITP MA PhD Hope Street Centre www.hopestreetcentre.com www.alangillies.com Alan.gillies@hopestreetcentre.com
28 Feb 2012
Information Governance? News release: 13 February 2012 The Information Commissioner's Office (ICO) has served monetary penalties totalling ÂŁ180,000 to two councils for failing to keep highly sensitive information about the welfare of children secure. These latest penalties bring the total amount served by the ICO to organisations found in serious breach of the Data Protection Act to over one million
pounds.
28 Feb 2012
Information Governance is more than data protection? • Personal data shall be processed fairly and lawfully • Personal data shall be obtained only for one or more specified and lawful purposes, .... • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. • Personal data shall be accurate and, where necessary, kept up to date. • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. • Personal data shall be processed in accordance with the rights of data subjects under this Act. • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. • Personal data shall not be transferred to a country or territory outside the European Economic Area unless.....
28 Feb 2012
A Brave New World? Wot, no glossy cover?
28 Feb 2012
Why Brave New World? • No longer just an NHS view • ICO fines suggest that the NHS and LA view has failed • Fragmented market place, small third sector organisations may lack capability; large private providers may have a potential conflict • Commissioners have responsibility for the information they share (in and out) 28 Feb 2012
Is Data Protection speeding or Drink Driving?
28 Feb 2012
Confidentiality and Data Protection Traditionally • Common law duty of confidentiality and emphasis on “patient data” However • All personal data is confidential by law • Measures to protect it should be commensurate with risk of disclosure and degree of harm 28 Feb 2012
Simple ways to stay out of trouble 1. Don’t be a squirrel! Need to know means: • Need to collect, • Need to store and • Need to keep
28 Feb 2012
Simple ways to stay out of trouble 2. Don’t send faxes
28 Feb 2012
Simple ways to stay out of trouble 3. Keep data indoors: if it must leave, encrypt it!
28 Feb 2012
Your biggest threat • “If I wanted to hack a company, I’d hack the people, not the technology” – Anonymous
28 Feb 2012
What to do about it 1. Make them aware 2. Make them care
• • • • •
Give them the knowledge Give them the skills Give them the tools Give them the environment Help them learn from mistakes
28 Feb 2012
And here’s one for the nerds
•BS10012? •ISO27001? •BS11000? 28 Feb 2012
And finally Coming to the ICO You Tube Channel near you....
Hope Street Centre and Brightmoon Media present...
Data Day Hygiene and
Living By Numbers 28 Feb 2012
References and resources • www.ico.gov.uk • http://www.nigb.nhs.uk/pubs/guidance/NIGB %20Transition%20Guidance%2015%20Novem ber%20web%20version.pdf • www.alangillies.com
28 Feb 2012
Group discussions: Where we are In spite of all the work to date: • Not yet delivering the information that we need • Not yet protecting the information that we do have • Life is about to get a whole lot more complex So we need to answer the question: what are we going to do differently? 28 Feb 2012
Group discussion: Where do we want to be? • Each person in the group, please identify your biggest information problem or concern. • As a group, consider what you could do differently to address the issues raised • Identify for the wider group any actions that could be taken forward as this group or by BCS ASSIST, or that Hope Street Centre could help develop. 28 Feb 2012