The KTN hopes the guidelines will prevent information losses on the scale of HMRC

Cyber Security KTN issues privacy guidelines

Businesses should examine privacy implications at all stages of a project lifecycle

Tom Young, Computing 23 Apr 2008

Businesses must meet privacy requirements at four stages of any project lifecycle that may involve personal information, according to a report from the Cyber Security Knowledge Transfer Network (KTN).

In order to protect customer and employee details, privacy must be examined at the initiation, planning, execution and closure of a generic project lifecycle.

This will ensure organisations comply with any future guidelines as well as current ones, according to Nigel Jones, head of KTN.

"Trying to engineer privacy as an afterthought never works," he said. "This is the only way organisations can be sure they are doing the right thing."

The paper recommends that:

- At the project initiation stage, high-level privacy objectives need to be set: project owners need to be aware of applicable privacy laws and regulations, such as the EU Data Protection Directive and the US Safe Harbour agreement.

- Technology envisaged for use by the project should also be subject to a high-level review to ensure that appropriate privacy controls can be implemented.

- At the project-planning stage, technologies such as encryption should be considered to protect consumer and client data on storage media, and Privacy Impact Assessments should be carried out.

- Audits and change control procedures should continue after the closure of a project to ensure privacy requirements are continually addressed.

- Organisations should ensure that a senior role is established with overall responsibility for privacy, and ensure that responsibility is not delegated, as in the case of the HM Revenue and Customs lost discs fiasco.

- When a project is decommissioned all relevant information needs to be carefully destroyed.

- Customers should also, as far as possible, be given the choice of opting out of services that require the collection of additional personal information.

- Systems should have strong access controls, to ensure that personal information is only accessed by those who are authorised to do so. Access should be logged, and logs regularly audited.

- Where possible, personal information should be stored together with metadata that describes it and its intended use.

- Organisations should implement transparent procedures for remediation of errors in personal information, or privacy breaches.

The Cyber Security KTN is run by QinetiQ on behalf of the government’s Technology Strategy Board.
