
Personal Information: BSI and Scotland's Information Commissioner

Tuesday 12th May 2009
Torpig, Sinowal and Mebroot: http://computersecure.net/blog/torpig-sinowal-and-mebroot/

Gaberlunzie, ignominiously tossed out of his dental practice for non-attendance over 12 months, but with no other warning, duly registered with another dentist and ambled off to get his records. The receptionist explained she could not provide what were the practice's own dental records. Gaberlunzie suggested it was his data. He's getting less confident of that fact daily.

Provision of a name and birthdate was then sufficient for record copies, which could be collected in 24 hours. Looking at the photocopied, hand-scrawled records, it seems to him his former dental practice had never heard of the computer!

And looking at his latest smart white data stick, he's beginning to wonder whether, if it held all his medical and dental records, he couldn't simply take these away with him and bring them back to be updated at each new visit. Then doctors and dentists wouldn't need to hold any file details (if they used a computer, that is) to put them at risk from hackers.

His considerations are again slightly jolted by news that University of California researchers had gained control of the botnet known as Torpig or Sinowal, one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as e-mail passwords and online banking credentials.

They were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions, the researchers' paper records, but during that time they turned up 70GB of personal financial data. Which makes one really wonder about secure, digitally held personal data and the benefits of paper records.

BSI to the rescue
But that useful, if now slightly controversial, institution, the British Standards Institution, is about to emerge with BS 10012:2009 "Data protection. Specification for a personal information management system". BS 10012 is the British standard that specifies the requirements for a personal information management system (PIMS), which provides an infrastructure for, among other things, maintaining and improving compliance with the Data Protection Act (DPA) 1998.

BS 10012 is for use by organisations (BSI has opted to abandon the British spelling of "organisation" in preference to the 'organized' US version: Microsoft influence again? It does get hard to fight the spell checker every time!!) of any size, in both the public and private sectors. It is intended to be used by those responsible for initiating, implementing and maintaining a PIMS within an organisation. BS 10012 aims to provide a common ground for the management of personal information, for providing confidence in its management, and for enabling an effective assessment of compliance with, amongst other things, the DPA by both internal and external assessors.

Users of this British standard should be aware that other legislation (such as the Freedom of Information Act 2000) can have an effect on decisions taken in relation to the processing of personal information. Such legislation is not covered by this British standard, but needs to be taken into account when processing personal information.

So BS 10012's main objective is to enable organisations to put in place a personal information management system (PIMS) which provides an infrastructure for maintaining and improving compliance with, amongst other things, the requirements of the Data Protection Act 1998 (DPA).

The DPA implements a European Directive (95/46/EC) and applies to “personal data” which is defined in the DPA as information relating to living individuals. This British standard uses the term “personal information” in place of the term “personal data”.

The DPA is regulated and enforced by the Information Commissioner, who is responsible for promoting the protection of personal information. The Information Commissioner promotes good practice by issuing guidance materials, rules on eligible complaints, provides information to individuals and organisations, and takes appropriate action when the law is broken. The Commissioner has powers to investigate complaints, to make assessments as to whether processing is compliant with the DPA, and to issue information notices, enforcement notices and "Stop Now Orders".

[Image: BSI Data Protection specification for Personal Information Management (BS 10012 standard cover)]

Scotland's Information Commissioner
Kevin Dunion was born in Bridge of Allan and brought up in Alloa and Glenrothes. He was educated at the University of St Andrews (MA (Hons) Modern History) and at the University of Edinburgh (MSc (Dist) African Studies, 1991).

He joined Oxfam as Campaigns Manager, then took up the post of chief executive of Friends of the Earth Scotland. From 1996 to 2000 he also served as chairman of Friends of the Earth International, heading delegations to the United Nations and the European Commission. It was for this role that he was awarded an OBE in 2000.

He was appointed the first Scottish Information Commissioner in February 2003. His appointment by HM The Queen, on the nomination of the Scottish Parliament, ran for five years. In November 2008 he was elected Rector of St Andrews University for a term of three years and reappointed Information Commissioner for a second, and final, term of four years until 2012. He is also co-director of the Centre for Freedom of Information at the University of Dundee, launched in January 2009.

He employs 23 staff in his offices in St Andrews, Fife, to assist him in enforcing and promoting the Freedom of Information (Scotland) Act 2002.

Since the Act came fully into force on 1 January 2005, Dunion has taken over 700 formal decisions in respect of appeals. Some have been high profile such as requiring the disclosure of MSPs' expenses claims, the publication of surgeons' mortality rates (the first such comprehensive disclosure anywhere in the world), and the release of an entire PFI contract for building and maintenance of the Edinburgh Royal Infirmary.

Dunion champions the spirit and principle of freedom of information. Over the past few years he has hosted a visit by the Chief Commissioner for India, worked with the British Council to advise on the Malawi Access to Information Bill, and contributed as an international consultant to the Carter Center's programme on access to information in Jamaica. He addressed the 5th International Conference for Information Commissioners in New Zealand in November 2007 and the 2nd International Access to Information and Protection of Personal Data Conference in Mexico City in November 2008 (building up flu immunity perhaps?).
