BSI British Standards Information Governance Workshop Presentation
DESCRIPTION
BSI British Standards Information Governance Workshop Presentation. Information Governance Workshop: Where next for Standards? Examines data protection and the role of standards, including BS 10012 for data protection.
TRANSCRIPT
1
BSI Information Governance Workshop Where next for Standards?
05 October 2009
Read more at: http://shop.bsigroup.com/ictstandards
2
Agenda
10.00 Introduction
10.10 Review of BS 10012 versus original business case
10.30 BS 10012 success and general feedback
10.50 Briefing for morning workshop
11.00 Workshops to consider BS 10012 and Data Protection
12.00 Feedback from morning workshop teams
12.30 Lunch
13.30 Preservation of electronic records
14.10 Briefing for afternoon workshop
14.15 Workshops to consider preservation of electronic records and information governance
15.00 Feedback from afternoon workshop teams
15.15 Closing remarks
3
Timeline: BSI and Information Governance
1995 Data Protection Directive 95/46/EC implemented; BSI publishes Information Security standard BS 7799
1998 UK Data Protection Act receives Royal Assent
1999 BSI publishes guidance for Data Protection Act (PD 0012); BSI publishes Code of Practice for Legal Admissibility of electronic information (PD 5000)
2000 Freedom of Information Act comes into force; Information Security standard ISO/IEC 17799 published
2001 Records Management standard ISO 15489 published
2002 Freedom of Information (Scotland) Act comes into force; BSI publishes guidance for Records Management ISO 15489
2003 BSI publishes guidance for Freedom of Information Act (BIP 0001)
2005 Information Security ISO/IEC 27000 series published; BSI publishes revised guidance on Legal Admissibility (BIP 0008)
2008 BSI publishes Legal Admissibility standard (BS 10008); BSI publishes revised guidance on Legal Admissibility (BIP 0008)
2009 BSI publishes Data Protection standard (BS 10012)
4
Objectives for today
• Has BS 10012 achieved what it set out to do?
• What else needs to be done?
• What are the issues around Information Governance standardization?
• How can BSI best serve the Information Governance sector in future?
5
Data Protection Agenda for new ICO
• Risk, governance and accountability
• Too important to be left to experts
• Appetite for simplification and clarity
• Liberty versus Security balance
• False comfort of mass data collection
• Less centralisation / Government collection
• Data cleansing and wider data quality
• Privacy by design / Privacy Impact Assessments
• Reform of EU Directives & International Standards
6
Where next for BSI and Information Governance?
• Now
– The first formal standard on data protection, complementary to other data protection publications & information governance standards
– Need to continue working with stakeholders to meet user needs
• Next?
– Ongoing developments in information governance standards
• Revisions to Information Security ISO/IEC 27000 series (2012)
• New ISO/IEC Information Security standards relating to Privacy & Identity Management
• ISO standard for Management System for Records (2012)
– Increasing ICO powers?
– Future revisions to European Directives?
– Societal responses to e.g. increased use of biometrics, etc?
8
Timeline: BSI and Data Protection
1999 BSI publishes guidance to practical implementation of the DPA 1998 (PD 0012); BSI Access & Privacy Editorial Board (APEB) established; assistance and introduction from ICO
2000 First major revision (BIP 0012)
2003 Second major revision (BIP 0012)
2006 Third major revision (BIP 0012)
2007 Workshop identified a stakeholder desire for a formal data protection standard
2008 New project added to BSI work programme for Technical Committee IDT/1 Document Management Applications; drafting panel IDT/1/-/4 set up to develop standard (Chair: Gordon Wanless)
2009 Draft for Public Comment launched on 2nd January for a 3 month period; panel reviews the comments and develops final text; BS 10012 published on 2nd June
9
Original business case (1)
Description of the product
Working title:
“Code of Practice for the Management of Personal Information in Compliance with the
Data Protection Act 1998”
10
Original business case (2)
Working Scope
This Code of Practice gives recommendations for the management of personal information by organisations in both the
public and private sectors. It is intended for those who are responsible for initiating, implementing and maintaining
compliance with the Data Protection Act 1998 (DPA) within their organisation. It is intended to provide a common ground for the management of personal information, for providing confidence in
its management, and for enabling an effective assessment of compliance with the DPA by both internal and external
assessors, and by consumers.
11
Original business case (3)
Expansion on the title for non-experts
The Data Protection Act 1998 implements a European Directive (95/46/EC) and applies to “personal data” which is defined in the
DPA as data relating to living individuals. The DPA requires organizations known as “data controllers” to comply with Eight
Data Protection Principles and to notify the Information Commissioner of their data processing (to ensure openness).
The DPA also gives individuals or “data subjects” rights of access to their personal data, to object to or to stop certain types
of processing and to sue data controllers for damages when breaches of the law occur.
12
Formation of the drafting panel
• Panel IDT/1/-/4 formed with the specific task of drafting the standard
• Gordon Wanless becomes Chairman - Panel supported by BSI Content Developer
• Expertise taken from Government (including The National Archives), NHS trusts, healthcare, legal, insurance, telecom, banking, education, local authorities, consultancy, consumer & privacy groups
• ICO aware of work being carried out and provided comments at key stages
13
Public Comment process
• Launched on 2nd January 2009 – BSI circulated press release
• Over 500 comments received from over 60 respondents
• Commenting period closed 31st March 2009
• IDT/1/-/4 met in April to resolve public comments
• Final draft circulated to panel and BSI committee in early May 2009 for approval
• BS 10012 published 2nd June 2009 – launched at DP Forum AGM
14
Launch of BS 10012
• Launched on 2nd June 2009 at the Data Protection Forum AGM
– BSI Press Release
– Survey of 500 Small Medium Enterprises
• Associated books – www.bsigroup.com/bip0050
• BSI Conference and Workshop 30th June / 1st July “Information Governance & Data Protection: Standards, Guidance and Best Practice”
• BSI Data Protection Online tool launched 16th September
16
Survey of BSI DP guidance subscribers (2006)
DP Purchasers by Sector (chart): Commercial; Local Government; Education; Healthcare & NHS; Government Agency; Museums, Art Galleries; Police; Central Government; Financial; Housing Association; Manufacturing; Charity; Professional Body; Legal; Consultant; Publisher
17
Survey of BS 10012 users by Sector
Commercial
Local Government
Education
Healthcare / NHS
Government Agency
Museums / Galleries
Emergency Services
Central Government
Financial
Housing Association
Manufacturing
Charity
Professional Body
Legal
Consultant
Publisher
18
Survey of BS 10012 users by Sector
[Chart: % change in sector share; vertical axis “% change”, scale -15 to +15]
19
Survey of BS 10012 users by organisation
Global Orgs / UK FTSE 100
UK Manufacturers
UK Service Providers
Central Government
Government Agencies
Local Authorities / PCT
Others
20
Survey of other BS 10012 users
Professional / Research Orgs
Libraries
Museums / Galleries
Charities
Housing Associations
Training
Publishers
Overseas
21
BSI Research: Data Protection and Public Sector
• BSI – UK Government Engagement Event, March 2009
• Key conclusions
– Reputational harm from DP breach cannot be ignored
– Cultural issues key to successful compliance
• Culture change needs senior level champion
• Clear accountability required for data protection & privacy
– Particular challenges
• Supply chain - interface with private sector, other public sector
• Outsourcing contracts & enforcement of DP requirements
• Data sharing – what, how, when?
– Specific guidance needed for different sectors?
22
BSI Research: Data Protection and SMEs
• BSI survey of UK SMEs, May 2009
• Key conclusions
– 20% thought they had unwittingly breached the DPA
– 32% felt complexity of DPA restricted their compliance capability
– 43% confirmed there is no one in their business with specific responsibility for data protection
– 65% provide no data protection training for their staff
– 15% were not confident that their data sharing practices conform to the DPA
• 5% frequently share data regardless
– 18% said that data protection is less of a priority in the current economic climate
23
Marketing & Media Coverage
• BSI Stakeholders
• Coverage of BS 10012 widely reported in general & regional news, business, IT, HR, security, legal, manufacturing, financial & public sectors
• Articles for Financial Services Technology magazine, Business Standards magazine, Information Age
• BSI Product Marketing (web page, e-shots)
• Positive reviews (Pinsent Masons, Eversheds, Wragge & Co, Data Council)
• Broadcast on http://www.smallbusinessadvice.tv
• Blogs
24
BSI input into Public Consultations
25
ISO TMB Privacy Task Force
Recommendations – September 2009
• ISO-led effort to engage the broader standards community and intensify interaction (Conference?)
• Establish common terminology on privacy and principles (Consult existing committees?)
• ISO establish live inventory for all committees to share ongoing privacy work
• Engage with public policy organisations
• Identify key stakeholders, work streams & standards work that can support international privacy standardisation
• ‘Privacy technology’ committee to be systematically informed about sector specific needs in order to address their own work programme
28
Topic 1
What are the main issues for organizations relating to Data
Protection?
• Has data protection become an issue at boardroom level?
• Can organizations confidently share data with each other?
• How can organizations become more proactive rather than being reactive to data protection compliance?
29
Topic 2
Does BS 10012 (and associated guidance) meet the needs of its
users?
• How does the standards user benefit from using BS 10012?
• What improvements should it bring to their organization?
• What do users or organizations need to achieve from using a Data Protection standard?
30
Topic 3
Are there any missing or new themes & products to develop? How does BS
10012 link to other standards?
• Can further ‘sector specific’ guidance be produced?
• Are there future topics that should be considered?
• Can BS 10012 be used as part of a suite of Information Governance standards?
• Can BS 10012 be linked to other ‘technology based’ standards?
31
Topic 4
How can BS 10012 relate to European and global requirements?
• Will an international standard assist global organizations, regions, or those trading across borders?
• What will be the challenges involved in producing a truly global standard?
• Can BS 10012 be applied globally in the interim before the publication of an international standard?
• How can any impact of revisions to EU Directives be captured within the standards making process?
32
Topic 5
What are the certification requirements of organizations?
• Is it desirable for an organization to become certified to the standard?
• What are the primary benefits and drivers for certification?
• Is this unique to certain sectors, or specific parts of organizations?
• Are there any disadvantages to certification?
33
Topic 6
What are the training requirements of users?
• Do users undertake Data Protection training?
• How do users currently obtain Data Protection training?
• What are the different ways that such training can be delivered?
• Can training based around the standard benefit organizations?
35
Topics 1, 2, 3
• Topic 1: What are the main issues for organizations relating to Data Protection?
• Topic 2: Does BS 10012 (and associated guidance) meet the needs of its users?
• Topic 3: Are there any missing or new themes & products to develop? How does BS 10012 link to other standards?
36
Topics 4, 5, 6
• Topic 4: How can BS 10012 relate to European and global requirements?
• Topic 5: What are the certification requirements of organizations?
• Topic 6: What are the training requirements of users?
39
Electronic preservation
The problem:
Information stored in an electronic form has a finite life (retention period)
– Storage media may become obsolete
– Electronic format may be incompatible with retrieval software
• Retention requirements may exceed this period
• It may be necessary to demonstrate authenticity at any time
40
Electronic preservation
Storage media
Information stored in an electronic form always has a finite life
• Longevity of storage media
• Support by manufacturer
• Reliability of off-line media in store
• New technologies provide faster / cheaper storage
If storage media is changed, a migration process is required
• Costs / resource requirements
• Proof of integrity / completeness
41
Electronic preservation
Electronic format
How long will a particular electronic format be supported?
Is there a need for a long term storage format?
If electronic format is changed, a conversion process is required
• Costs / resource requirements
• Proof of integrity / completeness
• Accuracy of rendition
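Both the media migration slide and the format conversion slide end on the same requirement: proof of integrity and completeness. The script below is an added example, not code from BSI or from any of the standards named here; it shows the minimum a preservation team needs to make that proof. A fixity manifest (SHA-256 digest and size per file) is taken before the old media is retired, and after the migration the new location is compared against it, reporting files that went missing, files whose content changed in transit, and unexpected extras. The directory names, file names and the deliberately lost and corrupted files in demo() are all constructed for the demonstration.

```python
"""Fixity manifest and post-migration verification (added example, not BSI text)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large archival objects do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Map every file under root (path relative to root, POSIX form) to its digest and size."""
    manifest: dict[str, dict] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            rel = entry.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(entry), "size": entry.stat().st_size}
    return manifest


def verify_migration(source_manifest: dict[str, dict], target_root: Path) -> dict:
    """Compare the pre-migration manifest with what actually arrived on the target media.

    completeness: every manifest entry must exist on the target (missing) and nothing
                  unexpected should have appeared (extra)
    integrity:    every file present must hash to the recorded digest (changed)
    """
    target = build_manifest(target_root)
    common = source_manifest.keys() & target.keys()
    missing = sorted(set(source_manifest) - set(target))
    extra = sorted(set(target) - set(source_manifest))
    changed = sorted(k for k in common if source_manifest[k]["sha256"] != target[k]["sha256"])
    ok = sorted(k for k in common if k not in changed)
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "ok": ok,
        "passed": not (missing or changed),  # extras are reported but do not fail the check
    }


def demo() -> dict:
    """Constructed scenario: three files migrated; one is lost, one is silently corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "old_media"
        dst = Path(tmp) / "new_media"
        sample = {"a.txt": b"alpha", "sub/b.txt": b"beta", "c.txt": b"gamma"}  # constructed content
        for name, data in sample.items():
            target = src / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(src)  # taken BEFORE the old media is retired
        shutil.copytree(src, dst)
        (dst / "c.txt").unlink()                    # simulate a file lost during migration
        (dst / "sub" / "b.txt").write_bytes(b"bets")  # simulate a single corrupted byte
        (dst / "stray.tmp").write_bytes(b"")        # simulate an unexpected extra file
        return verify_migration(manifest, dst)


if __name__ == "__main__":
    report = demo()
    for key in ("missing", "changed", "extra", "ok"):
        print(f"{key:8}: {report[key]}")
    print("passed  :", report["passed"])
```

The manifest should be kept somewhere other than the media it describes, and the manifest file itself should be hashed or signed, otherwise a corrupted manifest would silently "verify" corrupted content. For a format conversion the digests will differ by design, so the same function cannot prove accuracy of rendition; what it can do is record a fresh manifest of the converted outputs at conversion time, alongside the retained originals, so that every later media migration of the converted set is checked in exactly this way.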
42
Electronic preservation
What we have now (1)
Long term preservation
ISO/TR 18492:2005 - Long-term preservation of electronic document-based information
‘How to’ guide - Digital records preservation JWG (TC 46/SC 11 & TC 171)
Storage media
ISO/TR 10255 - Document management - Optical disk storage technology - Management and standards (at final proof stage)
ISO 12142:2001 - Electronic imaging - Media error monitoring and reporting techniques for verification of stored data on optical digital data disks (in ballot for withdrawal, replaced by:)
ISO 23868:2008 - Document management - Monitoring and verification of information stored on 130mm optical media
43
Electronic preservation
What we have now (2)
Processes
ISO/NP XXXXX Digital records conversion and migration processes (Records management)
Use of microfilm
ISO 11506:2009 - Document management applications - Archival of electronic data - Computer Output Microform (COM) / Computer Output Laser Disc (COLD)
Authenticity
ISO 12654:1997 - Electronic imaging - Recommendations for the management of electronic recording systems for the recording of documents that may be required as evidence, on WORM optical disk (Adopted as BS 7768 in UK)
ISO/TR 15801:2004 - Electronic imaging - Information stored electronically - Recommendations for trustworthiness and reliability (revision due 2009)
44
Electronic preservation
What we have now (3)
Electronic preservation formats
ISO 32000-1:2008 - Document management - Portable Document Format - PDF 1.7
ISO/NWI 32000-2 - Document management - Portable Document Format - PDF X
ISO 19005-1:2005 Document management - Electronic document file format for long-term preservation - Use of PDF 1.4 (PDF/A-1)
ISO/CD 19005-2 Document management - Electronic document file format for long-term preservation (PDF/A) - PDF 1.7 (Due 2009/10)
ISO 24517-1:2008 - Document management - Engineering document format using PDF - Use of PDF 1.6 (PDF/E-1)
ISO/NWI 14289 - PDF / Universal Access
45
Electronic preservation
What we have now (4)
BSI publications:
Preservation
BIP 0089:2008 A manager’s guide to the long-term preservation of electronic documents
Authenticity
BS 10008:2008 Evidential weight and legal admissibility of electronic information
BIP 0008:2008 Code of practice for implementing BS 10008
46
Electronic preservation
What we have now (5)
Other Information Governance topics:
Records Management
ISO 15489:2001 Records management
– Part 1 – General
– Part 2 – Guidelines
BIP 0025 series supports ISO 15489
Information Security Management
ISO 27000 series – Information Security Management
BIP 0071-75 supports ISO 27000 series
BS 25999 – Business continuity management
BIP 0020:2008 – Securing email and electronic messages
47
Survey of BS 10008 users by Sector
Commercial
Local Government
Education
Healthcare / NHS
Government Agency
Museums / Galleries
Emergency Services
Central Government
Financial
Housing Association
Manufacturing
Charity
Professional Body
Legal
Consultant
Publisher
48
Electronic preservation
Where do we go from here?
Workshop topics:
1. Electronic preservation – do we need more guidance? How do we get more take-up with PDF/A?
2. Legal admissibility – still seems to be an issue – how do we solve the issue?
3. Information Governance is growing in stature – what guidance is needed? What existing standards topics need to be included within Information Governance?
51
Topic 1
What are the issues for the user with regard to electronic preservation?
• Do we need more guidance to assist users with the technologies?
• How do we get more take-up with PDF/A?
• Are there specific sector products that can be developed?
52
Topic 2
What are the issues for the user with regard to legal admissibility of
electronic documents?
• How do the needs for public and private sectors differ?
• Can compliance schemes and self assessment tools assist users of BS 10008?
• Can BSI improve its products to assist organizations?
• Can BS 10008 be linked to other topics?
53
Topic 3
What do stakeholders need from BSI in relation to Information Governance?
• What additional guidance is needed?
• How can guidance on Freedom of Information be delivered?
• What topics should BSI include within the Information Governance portfolio?
• Would more regular BSI workshops & stakeholder events benefit the user?