Data Protection and Data Security Guidelines for Offshoring and Outsourcing Second Edition




Contents

Foreword 03
1. Introduction to the guidelines 04
2. Key data issues 06
3. The outsourcing and offshoring lifecycle – data protection and security obligations 07
4. Checklist 10
   Phase 1. Analyse 10
   Phase 2. Scope and select 20
   Phase 3. Contract 27
   Phase 4. Implement 28
   Phase 5. Manage steady state 30
   Phase 6. Termination, transfer or step-in 33
   Phase 7. Exit 35
Appendix A: List of useful standards 36
Appendix B: Data protection laws in key jurisdictions 38
Appendix C: EU Security Breach Notification Requirements 42
Appendix D: Glossary 44
Appendix E: List of useful guidance documents 47

02 Data Protection and Data Security Guidelines for Offshoring and Outsourcing


Foreword

Data security and data protection challenges arise in most outsourcing and offshoring transactions, particularly where services are cloud based. Unfortunately, these challenges are often resolved at the last minute, resulting in higher costs, unwieldy solutions and the increased prospect of regulatory intervention. In many cases, data governance issues are not addressed early enough because the parties do not know where to begin the dialogue or how to identify relevant concerns. There is little practical guidance in the market which addresses both data security and data protection issues in the context of international outsourcing and offshoring transactions. The advent of the provision of cloud-based services is bringing these issues into sharp focus.

Intellect’s Information Management and Security Group (the ‘Group’) feels that wider debate of these matters, from both a security and a data protection perspective, will ensure that these issues are dealt with pragmatically and constructively in the future, particularly as cloud computing achieves wider prominence.

The Group has worked across Intellect’s membership to produce these guidelines to stimulate debate and discussion. Hopefully, it will encourage parties to discuss these complex challenges as early as possible in the outsourcing lifecycle. We are grateful for the input from Intellect’s member companies who have enabled us to provide a broader perspective on these complex issues.

Bill Pepper, Independent Consultant
Bridget Treacy, Hunton & Williams

Acknowledgments: Bird & Bird | Bristows | British Standards Institute | CSC | IBM UK Ltd | Sopra Group Ltd | Speechly Bircham


1. Introduction to the guidelines

What are the guidelines?

Data security and data protection requirements frequently trigger friction and frustration in international outsourcing and offshoring transactions. Too often, this is because the parties do not understand their respective obligations or are unable to identify and focus on the key issues. This set of guidelines will encourage vendors and customers to work together to anticipate and address the data security and data protection issues which may affect the success of their outsourcing projects.

The guidelines also seek to eliminate last-minute frustrations by providing both customer and vendor with a clear overview of the types of issues which arise, the stage of the project at which they can most easily be addressed, and which party is best placed (or legally obliged) to deal with them.

Why are the guidelines important?

In recent years, the media has been inundated with stories relating to data breaches in both the public and private sectors. In response to the public’s concerns about the security of their data, EU regulators have become more proactive in raising awareness of individuals’ rights and enforcing compliance. In turn, organisations are becoming increasingly focused on addressing data security and data protection issues, recognising that data is often an organisation’s most valuable asset.

Failure to comply with the data security and data protection regulatory framework may:
- expose an organisation to financial risk (eg, delayed implementation and/or the costs of remedying a breach);
- result in damage to an organisation’s reputation - the regulators are quick to publicise data breaches in the press, which may compromise trust in an organisation;
- result in enforcement action (eg, an organisation may be prevented from processing data, or be required to implement compliant practices);
- expose an organisation to civil penalties (eg, fines by regulators);
- result in an organisation’s officers and directors being convicted of a criminal offence.

Most outsourcing projects require data to be transferred from customer to vendor, frequently on an international basis. Data security and data protection laws affect how data may be transferred between the parties. An increase in global data use and technological developments have made data security and data protection challenging. An additional level of complexity arises where the data are transferred between multiple jurisdictions, particularly where the vendor utilises a cloud-based infrastructure.

Many of the obligations rest with the customer, as owner of the data; however, in an outsourcing context, customers (unlike vendors) do not usually deal with data issues. This can result in misunderstanding of data security and data protection requirements. It is essential that data security and data protection considerations are included in the initial vendor due diligence. Both the customer and the vendor should carefully analyse the proposed solution to ensure regulatory compliance issues are addressed. Crucially, if identified early in the outsourcing process, data issues can be dealt with in a practical, compliant and efficient manner. If ignored during the early stages of an outsourcing project, data issues can delay implementation or even require fundamental re-thinking of the structure of the data processing activity.

How do the guidelines work?

These guidelines offer a checklist of common data security and data protection issues, structured around an outsourcing transaction. The guidelines identify issues that typically arise at each of the stages of the outsourcing lifecycle and indicate which party (customer or vendor) is usually responsible for dealing with the issues. The early visibility of issues determines the expectations of both customer and vendor, enabling both parties to anticipate and begin to address data issues from the outset of the project. This lead-time can be critical to developing efficient and cost-effective solutions to issues.


Who should use the guidelines?

This set of guidelines is intended primarily for customers who, typically, do not deal as often as vendors with the data security and data protection issues that arise in an outsourcing context. The guidelines will also be a useful tool for vendors. They provide a resource for enabling the parties to work collaboratively to address at an early stage issues which, if ignored, can cause unnecessary and unforeseen costs and delays later in the project.

For what types of projects should the guidelines be consulted?

The guidelines should be consulted for all outsourcing projects which involve the processing of personal data. They will be particularly useful where personal data relating to individuals are processed. European data protection laws require careful consideration of data security and data protection issues in an outsourcing context, especially where personal data are transferred outside the EU, or into the cloud.

Several non-European jurisdictions also have data protection laws, such as Argentina, Australia, Canada, Dubai, Israel, Korea and the United States of America. Resources relating to the data protection laws in key outsourcing jurisdictions are set out in Appendix B. In addition, Appendix C provides an overview of emerging EU data breach laws.

Additionally, the guidelines include, at Appendices A and E, lists of standards and guidance documents that both customers and vendors will find useful.

An increase in global data use and technological developments have made data security and data protection more challenging. An additional level of complexity arises where the data are transferred between multiple jurisdictions, such as when a vendor utilises a cloud-based infrastructure.


2. Key data issues

This set of guidelines is structured around the key stages of the outsourcing lifecycle. The table below provides an overview of the key data issues which arise at each stage of the lifecycle.

Lifecycle stage | Key data issues | Page reference

Analyse | Conduct a Privacy Impact Assessment. Identify type of service to be outsourced. Determine type of personal data in scope. Determine data flows, volumes and capacities. Identify data issues in existing arrangements. Specify data security and data protection requirements. Customer to fulfil any outstanding compliance requirements. | 10

Scope and select | Complete confidentiality agreements. Identify detailed data security requirements. Undertake data security and data protection audit of prospective vendor. | 20

Contract | Specify legally binding data security and data protection obligations to apply throughout the lifecycle of the contract. Incorporate legal remedies for breach. | 27

Implement | Plan and execute transition ensuring data security and data protection requirements are adhered to. Effect data transfers, working with regulators or works councils, as required. | 28

Manage steady state | Monitor compliance. Manage changes and incidents, using Privacy Impact Assessments. Implement changes to security measures. | 30

Termination, transfer or step-in | Determine how data security and data protection is impacted by termination, transfer or step-in. Satisfy data security and data protection requirements to permit transfers of data to third parties, notifying regulators as necessary. Deal with overwriting/destruction of retained data. | 33

Exit | Determine how data security is impacted by exit. Satisfy data security and data protection requirements to permit transfers of data to third parties, notifying regulators as necessary. Deal with overwriting/destruction of retained data. | 35


3. The outsourcing and offshoring lifecycle – data protection and security obligations

The diagram below sets out the typical lifecycle of an outsourcing and/or offshoring transaction. It forms the framework of our discussion of the key data security and data protection issues that need to be addressed in every outsourcing, offshoring and cloud-based transaction. The diagram encourages the parties to consider, at each stage of the transaction, the particular data security and data protection issues which may arise.

The checklists highlight specific issues to be addressed by the customer and the vendor and the information required to address such issues.

The checklists assist customers and vendors by addressing issues from both perspectives. They will be of particular assistance to IT and business managers, legal and contract managers and data security and data protection managers, from both customer and vendor organisations.


The lifecycle stages

Unfortunately, many organisations experience difficulty in fully understanding and addressing the detail of their data security and data protection obligations. This often results in solutions which are not fully legally compliant and creates misunderstandings between customers and vendors as to their actual responsibilities. To help address this issue, the columns in the checklists which follow summarise the types of activities that need to be undertaken at each stage of the outsourcing and offshoring lifecycle.

Below are the key considerations which arise at each stage of the outsourcing lifecycle from a data security and data protection perspective. It should be noted that the balance of activities may be uneven at different stages in the lifecycle.

Analyse

An organisation makes the initial decisions on the scope of an outsourcing/offshoring transaction during the analysis phase. Successfully defining the project requirements at this stage can be difficult and requires discipline, but it is an essential pre-requisite to identifying and allocating data security and data protection responsibilities.

Most of the activities at this stage will fall to the customer, who must begin to identify the data security and data protection issues that will need to be considered and addressed. This also includes the requirement to define the scope of services, the data types and flows, and contractual and legal issues. Legal issues include early consideration of the use of sub-contractors and capturing the data security and data protection requirements.

Employment issues should also be considered. Relevant persons within the business together with IT managers, security manager, the data protection officer, compliance or risk officer and legal should be engaged as early as possible in the project.

This is also the stage at which the due diligence process begins. Various documents which will need to be provided to the vendor will be identified and collated, and often held in a ‘Team Room’ to which vendors bidding for the project will be given access.

Scope and select

Careful thought should be given to the extent to which confidential or personal data needs to be provided to prospective vendors. At this stage, initial confidentiality and non-disclosure agreements should be entered into between the customer and prospective vendors. Where information exchanged between the parties includes the customer’s personal data, the customer must ensure this is provided on a lawful basis.

A number of project documents will be generated during this stage, typically: pre-qualification questions and request for information (RFI); Statement of Requirements (SoR); and/or Invitation to Tender (ITT) and/or request for proposal (RFP). The content of such documents should include detailed data security and data protection requirements which are consistent with and reflect the organisation’s data security and data protection practices. The documents should embrace policy, implementation, maintenance and data security/data protection incident reporting and investigation. Prior to the selection of a shortlist of vendors, the customer will need to define the selection criteria and plan to undertake data security and data protection due diligence audits of vendors to verify their claims and to assess their likely capability to deliver against the pre-defined data security and data protection requirements.


Contract

During this phase, detailed contract negotiations are conducted. A number of different business areas will be represented, including commercial, technical and procurement professionals. This is also where the management of security and any changes to the existing security infrastructure (including who will bear the costs of such changes) will be documented and agreed. This is an important stage and it is essential that the data security and data protection obligations of both customer and vendor are fully understood and accepted by both parties. Without this clear understanding and agreement, the likelihood is that there will be differing assumptions and interpretations, potentially creating significant contractual disagreement.

Implement

This is the stage during which the transition of services from customer to vendor takes place. The requirement for clear understanding and joint planning is very important to ensure that this process is as transparent as possible and that service levels are achieved and maintained. Managing and monitoring security during the transition is important as there may be short term security risk exposures that must be identified and managed appropriately during this period of activity. Further, it is during this stage that relevant third party contracts will be novated to the vendor. Invariably, some security service or services contracts will be novated. The vendor may well insist on conducting its own due diligence security audit of such third party organisations.

Manage steady state

Once the transition is complete and the service is under the vendor’s control, the agreed monitoring and reporting of service performance and data security and data protection compliance becomes an ongoing requirement. This will include the management of technology and/or process change, incident management and reporting, business continuity and data security and data protection compliance. This stage should quickly become ‘business as usual’, requiring only an appropriate and agreed level of monitoring to meet the contractual data security and data protection obligations.

Termination, transfer or step-in

This is where the contract terminates automatically (i.e. expires) or is terminated by either party, often as a result of business change, as opposed to poor performance. The services will either be transferred back in-house or to an alternative vendor. This stage has many similarities to the scope, select and implementation stages.

Although much of the activity is similar, there may also be significant issues which, if not resolved, can cause serious disputes. Frequently, intellectual property issues trigger friction here, but increasingly the arrangements for the transfer of data can also cause dispute.

This stage usually concludes with a final validation process which is reviewed by the customer to ensure that all activities have been completed in accordance with the agreed processes and plans.

Exit

In essence, this is almost identical to the termination, transfer or step-in stage.

4. Checklist

Phase 1. Analyse

This stage consists primarily of customer activity. The vendor’s role is limited during this phase but can extend to assisting the customer to identify data-related issues.

Data and information security issues | Privacy issues

1. Identify type of service to be outsourced

Conduct a Privacy Impact Assessment to identify potential data security and data protection issues.

The following activities are often considered for outsourcing (i.e., BPOs):
- Business Processes eg, HR, Accounting, CRM
- IT Infrastructure
- Telecoms
- Applications development/support
- Web development/support
- Cloud computing, including SaaS

Consider where the outsourced service will be provided from:
- Onshore
- Nearshore
- Offshore
- Homeshore eg, homeworkers

- What ‘personal data’ are currently processed within the function to be outsourced?
- Can the outsourcing be achieved without transferring personal data to the vendor?
- Which entities/subsidiaries are legally responsible for this personal data?
- Which parties (customer/vendor or both) will determine the purposes and means of processing of the data under the outsourcing arrangement?
- For what purposes may the data legitimately be processed? Do the outsourced services require processing beyond the scope of existing permissions?
- Is there a legitimate basis for transferring the data to the vendor? Is consent or notice required prior to transfer?
- In which jurisdiction(s) does the data reside?
- Which entity will transfer the data to the vendor, and will the transfer involve an export of the data from Europe/to the cloud?
- Are any permits to export the data required from the relevant national data protection authority?
- What will the export mechanism be? Model clauses? Safe Harbor?
- Are any of the services the subject of additional legal or regulatory obligations, for example, if the customer provides financial services or the transaction raises competition issues?

1.1 IT Infrastructure

Requires careful analysis of what personal data will be transferred as part of the outsourced services. Frequently, personal data are transferred unnecessarily.
- Where will key IT infrastructure components (eg, servers) be located physically?
- Where will system and security administrator(s) be located physically?

1.2 Cloud Computing

There are a number of issues to be considered in this evolving technology, including:
- Cloud vendor’s processes and procedures
- Cloud to cloud data transition or access
- Identity/access control
- Virtualisation security
- Abuse and nefarious use of cloud computing
- Insecure interfaces and malicious insiders
- Shared technology
- Data loss or leakage
- Account or service hijacking
- Unknown risk profile
- Security of data at rest
- Compliance
- Vendor/customer audit rights
- Mobile and dynamic workloads
- Place of data origin
- Place of data use
- Privileged User Access and Access Segregation
- Vendor/customer user access
- Incident management/investigations

Customers and vendors should clearly agree and specify data security and data protection controls to meet the business and legal data security and data protection requirements.

1.3 Application development

Consideration should be given to the specific applications. Frequently, very little personal data are transferred to the vendor.
- How will the source code be protected?
- Will software escrow be an issue?
- Will the source code be produced offshore? If so, what code reviews are required before it is released into production?

1.4 Application support/maintenance

Consider the possibility of ‘added value’ services which may render the vendor a ‘controller’ rather than a mere ‘processor’ of the personal data.

1.5 Business Process Outsourcing (BPO)

BPO projects are likely to involve personal data or even sensitive personal data.

2. Determine any partnerships

Collaborative arrangements, or the provision of ‘added value’ services by a vendor, may fundamentally affect the data security and data protection analysis.

Which party/ies will be the controller? Consider which party determines the purposes and means of processing the personal data. It is the controller (or co-controllers) who will have legal responsibility for personal data under the Data Protection Act 1998 (DPA).

2.1 Customer

The customer will remain responsible as controller for the processing of any HR, customer and business contact data which is outsourced to the vendor. Consider how business data will be managed and processed, including moving it offshore. The customer is still responsible for the data and for communicating the necessary processes and controls to the vendor.

2.2 Supply chain partner data

The parties must clearly identify which personal data are to be processed as part of the transaction and who will be responsible for it. It may be that data from several sources (including supply chain partners) will form part of the data set which is outsourced. The customer should obtain legally binding assurances from supply chain partners that data received from them has been collected and processed legitimately at source and transferred legitimately.

2.3 Potential vendors

Consider the specific roles of individual vendors. How will data be transferred to individual vendors for processing? For what purpose(s) will each vendor process the data? In which jurisdictions are they based?

2.4 Multi-vendor solutions

In addition to the considerations listed above, consider the manner in which data will flow between vendors, for what purposes and in which locations. Only when data flows are clear can responsibility for data processing be allocated and regulatory requirements in individual jurisdictions be addressed.

2.5 Consortium members

The consortium lead should be responsible for data security and data protection within the consortium and should flow down specific data protection and data security requirements to individual consortium members. The scope should also include consortium members’ third party contracts that support the services.

3. Identify types of data in scope

Data protection laws govern the collection, processing, storage and transfer of personal data to third parties (including outsourcing vendors). Controllers are legally responsible for compliance with the principles of the DPA. It is essential to determine what personal data form part of the outsourced services.

3.1 System data

Typically, system data will not include personal data.

3.2 Personal data

Personal data is defined in broad terms by EU laws to include any data relating to an identified or identifiable individual. The definition includes name, address, postcode, email address, credit card details, family details, photographs and CCTV footage, HR records and performance reviews, expressions of opinion about somebody, and any combinations of information which permit individuals to be identified. Business contact details for an individual will be personal data. At present, IP addresses are also considered to be personal data.

3.3 Sensitive personal data

Sensitive personal data typically include medical records, details of background checks which may reveal details of prior convictions, trade union membership, political opinions, details of sexual life and religious affiliation.

Additional conditions must be satisfied as a pre-requisite to processing sensitive personal data. Additional security is required to safeguard such data. It is therefore more difficult to process sensitive personal data and to transfer it outside the EU for processing.

3.4 Financial data

For US individuals, specific considerations apply to the processing of social security numbers.

3.5 Business data

Business data usually includes personal data – eg, email address, name and telephone number.

3.6 Confidential business data

May include personal data. May include customer IPR information/data. Additional legal and regulatory obligations may apply.

3.7 Critical business data

May include personal data, such as contact details.

3.8 Public domain data

May include personal data.

4. Identify the data flows, volumes and capacities

Ensure a clear understanding of what data is in scope, and how the data is collected, processed and transmitted - this information is essential when considering the necessary security and data protection requirements.

4.1 Technical

Details of the technical infrastructure configuration and the related technical data.

4.2 Network

Details of the network infrastructure configuration, routing and the related network data.

4.3 System

Details of the system configuration and the related operational and maintenance system management and operational data.

Page 14: Data Protection and Data Security Guidelines for ......06 Data Protection and Data Security Guidelines for Offshoring and Outsourcing 2. Key data issues This set of guidelines is structured

Data and information security issues

Privacy issues

4.4 Legal

Details of legal advisors’ data that will be within the scope of the outsourcing, including any legally privileged data.

4.5 Business

Details of customer business data that will be within the scope of the outsourcing.

4.6 In-house

Details of any in-house generated data other than that included above, that will be within the scope of the outsourcing.

4.7 Third parties

What personal data do third parties process, in which jurisdictions and on what basis?

Confirm that there is a legitimate basis for the processing of personal data. Review existing contractual arrangements to ensure the contract:

imposes sufficient security obligations having regard to the nature of the data being processed and the potential risks of unlawful processing;

imposes obligations on the vendor to process personal data in accordance with the instructions of the customer;

requires the vendor to cooperate with data subject access requests, or any investigations or audits by the customer, its representatives or a regulator; and

makes provision for reporting and managing security breaches.

If the processing of personal data involves cross-border transfers, ensure there is an appropriate mechanism in place for the transfer.

Address contract novation. Where contracts cannot be novated for any reason, either an in-house solution or the procurement of services from an alternative vendor should be considered.

4.8 In-country

What personal data do third parties process? Review existing contractual arrangements to ensure the contract:

imposes sufficient security obligations having regard to the nature of the data being processed and the potential risks of unlawful processing;

imposes obligations on the vendor to process personal data in accordance with the instructions of the customer;

requires the vendor to cooperate with data subject access requests, or any investigations or audits by the customer, its representatives or a regulator; and

makes provision for reporting and managing security breaches.


4.9 Across national borders

To which jurisdictions will personal data be transferred? How will the transfers operate: local customer entity to local vendor entity, or a single point of transfer of aggregated data? Cloud model? Have the ‘fair processing’ requirements been satisfied? Transfers must be consistent with the information provided to individuals in the relevant privacy notice and/or individuals’ preferences. On what legal basis is the transfer made? Consent? Model clauses? Safe Harbor? Determining the most appropriate mechanism for transferring the data will depend on the outsourcing arrangements. Where the outsourcing arrangement contemplates the transfer of data across multiple jurisdictions (eg, where the customer is a multinational organisation or the vendor utilises a cloud model), consideration should be given to any applicable national laws that apply to the data processing. Are there any onward transfers (ie, processor to processor)? Is any sensitive personal data involved?

4.10 Management

To what extent is management aware of data security and data protection issues?

4.11 Accountability

Determine roles: which entities will be controllers? Which will be processors?

4.12 Responsibility

Are there joint controllers?

4.13 Liability

Consider how to apportion liability for breach of data security and data protection obligations.

5. Confirm contract/legal issues

5.1 Third parties (contractors/sub-contractors)

Do existing sub-contracts deal adequately with data security and data protection issues? Do provisions accommodate the outsourcing arrangement if simply novated? Begin to identify which contracts will be novated.

5.2 In-country

Do existing sub-contracts deal adequately with data security and data protection issues? Do provisions accommodate the outsourcing arrangement if simply novated? Begin to identify which contracts will be novated.

5.3 Cross national borders

Review data export arrangements. To what extent will the structure of the outsourcing impact the existing data flows? Will export arrangements require change?


5.4 IPR

To what extent is the processing of personal data dependent upon or linked to specific intellectual property? Who owns the intellectual property/system/application/database? Who owns the data?

5.5 Licensing

To whom is the database, application or data licensed? How does the outsourcing arrangement affect existing licence arrangements?

5.6 Software export regulations

When sharing assets such as software, design materials, or technology, customers and vendors must be aware of ‘export compliance’ requirements. Sending software, design materials or technology abroad, including via electronic means (eg, email, internet/intranet, wiki etc), is an ‘export transaction’. Many server administration and support services may require or coincidentally provide persons performing those tasks with ‘root access’ to the data on those servers. The UK Department of Business Innovation and Skills (formerly the Department of Trade & Industry and the Department for Business Enterprise & Regulatory Reform) considers such access in an Offshore Delivery Centre to be an export. Failure to comply with all appropriate regulations can result in the loss of export privileges, including the right to sell products in certain countries, as well as other penalties.

Similar constraints may apply where the assets are subject to the export laws and controls of another country, eg, the USA.

6. Identify data protection requirements

6.1 Notification and registration

In which jurisdictions is the customer required to register its data processing activities with the relevant national data protection authority? Are relevant data types, processing and purposes included in the registration? Are registrations current?

6.2 Fair processing

Is there a legitimate basis for collection and processing of personal data by the customer? Review data collection notices and collection points to determine the permitted purposes. Does the anticipated processing under the outsourced arrangement fall within the permitted purposes for which the data may be processed? In the case of sensitive personal data, can a second ground for processing the data be established under Schedule 3 of the DPA?

6.3 Data quality

How much personal data really needs to be processed as part of the outsourcing arrangement? Can the data set be reduced? Are all the fields relevant? Is the data accurate and up-to-date?


6.4 Data audits

When did the customer last conduct an audit on its data processing activities, including security controls? Are there any recommended remedial steps which can be implemented through or in parallel with the outsource? This may include data protection processes and controls as well as security processes and controls.

6.5 Works councils

Is there a works council agreement? At what stage does the works council need to be notified of and involved in the outsourcing proposal? What is the extent of the works council’s involvement? Failure to involve the works council at the right stage can significantly delay the project.

6.6 Knowledge transfer

Are there written data protection policies and standards? Are they current? Do they reflect existing practices? To what extent will the vendor be expected to comply? Will training of vendor staff be required?

6.7 Retention, removal and destruction of data

What is the data retention policy? Ensure it covers the destruction of electronic and paper records and removal of data from systems. Do these policies clearly address the mandatory legal retention periods? Is all the in-scope data covered by the retention and destruction policies?

6.8 Contractual security instructions

What specific technical and organisational security policies, processes and measures are in place to protect the data from unauthorised access, destruction or loss?

Is there any external certification covering security and/or data protection, eg, ISO 27001:2005 and BS10012:2009?

Security and data protection measures should include a data breach incident response plan with clearly identified roles, responsibilities and escalation paths.

7. Other factors

7.1 Taking account of the organisation’s strategic direction

What impact will this have on the collection, processing, use, dissemination and international transfer of personal data?

7.2 Identification of necessary documentation that vendor will require, including system documents

Provide copies of relevant data security and data protection policies, standards and processes - eg, customer’s data protection and record retention policies and IT system documentation as it relates to data security and data protection.


7.3 Identification of security policies, standards, processes and procedures that the vendor will have to comply with, both internal and external – ensure that all are available for release to the vendor(s)

Data governance policies (privacy programme and records management policies)

Customer privacy policies, standards and procedures

Information security and acceptable use policy and supporting processes

Data integrity policy

Data retention policy

Administrative privacy policies (eg, training)

7.4 Identification of industry regulations and their implementation obligations both onshore and offshore

Consider data security and data protection implications of industry regulations, eg, payment card industry requirements, FSA handbook, guidance issued by the Information Commissioner and Article 29 Working Party.

Where necessary, refer to relevant regulatory body/(ies) to understand their requirements. Consider the compliance obligations that also need to be implemented offshore. There may be an awareness training requirement to ensure that the vendor fully understands the requirements and their obligations. Consider if there are any local country laws or regulations that may impact processing in the offshore location.

7.5 Identify any necessary insurance cover requirements related to the services, both existing and new, that will be required by the customer and vendor – also identify any that will require novation to the selected vendor

Determine whether existing insurance policies cover the outsourcing arrangement (eg, does the insurance cover services provided offshore?). Will the outsourcing arrangements impact the insurance premiums payable? Will insurance policies contain exclusions for specific offshore locations? Does insurance cover include business continuity? If so, does it include offshore locations?

Can existing customer insurance policies be assigned or novated to the vendor?


8. Staff

8.1 Those in scope for transition, including selection criteria

Consider timing of disclosure of personal data to vendor, in light of data security and data protection obligations and Transfer of Undertakings (Protection of Employment) Regulations (‘TUPE’). Disclosure of too much data too early in the process may breach TUPE and DPA, delay the project and give rise to a claim for damages.

8.2 Vetting, work permit and visa requirements both general and country specific

These can be complex tasks involving sensitive personal data. They must be undertaken in compliance with data security and data protection obligations.

Verify whether the offshore location can meet all the required data security and data protection requirements related to vetting. There may be a problem if this cannot be achieved.

8.3 Retained IT function specification

Ensure the scope of the retained IT function is clearly defined. It is essential to balance managing the contract, service delivery and performance of the vendor whilst allowing the vendor flexibility in operating its business.

8.4 Possible need for a customer local ‘presence’ offshore

This needs to be considered and, if required, a clear role must be defined together with the role the authorities will have. Reporting lines to customer and vendor must be clearly defined and understood.

8.5 Works councils

This should be a relatively easy task but is often overlooked.


Customer data and information security issues

Vendor data and information security issues

Privacy issues

1. Produce confidentiality/non-disclosure agreements for each vendor

Agree and sign confidentiality/non-disclosure agreement. Address any IPR issues.

Consider to what extent it is necessary to disclose personal data. Ensure the fair processing/consent requirements are satisfied prior to disclosure. If possible, consider anonymising data. Ensure ‘confidential information’ includes personal data.

2. Identify detailed security requirements

Respond with suggested methods of managing security to the customer assessment of risks and compliance requirements. Detail how customer’s security requirements will be met in general terms. Specify, where necessary, how the requirements of ISO/IEC 27004:2009 (Information security management measurements, generally known as security metrics) will be achieved and what the reporting lines will be.

Consider whether proposed security management impacts on data protection, particularly systems monitoring. Ensure access controls are in place. Consult national law data security and data protection requirements.

2.1 Specify security roles and responsibilities of customer, vendor and, if appropriate, offshore vendor/sub-contractor

Ensure that the security teams of the vendor and customer are involved. Ensure key individuals are accountable.

Ensure data protection team is involved. Ensure appropriate contractual arrangements are in place in respect of any processing by vendors or other third parties.

2.2 Identify and agree security risk management approach

Respond with examples of vendor solution where this differs from the customer’s and show how this could be used.

Based on issues identified as a result of the Privacy Impact Assessment, develop measures to mitigate security and compliance risks.

2.3 Identify overall security management approach

Agree Information Security Management System (ISMS) format, scope and content.

Ensure Information Security Management System addresses any data protection issues.


Phase 2. Scope and select

This phase involves both customer and vendor addressing some or all of the issues listed under this phase.


2.4 Assurance requirements

Link security audit and assurance to data protection audit and assurance. This may also include specific government/industry security assurance requirements. Should also be included within the security and data protection due diligence, especially for offshore locations.

Link data protection audit and assurance to security audit and assurance. Incorporate regulatory and industry standards and guidance (see Appendix E).

2.5 Incident reporting, management and investigation, including third parties

Agree roles, responsibilities, processes and escalation path. Agree records and evidence to be captured and their availability to customer and vendor. Maintain ‘chain of evidence’ and follow approved investigative processes, eg, Good Practice Guide for Computer Based Electronic Evidence issued by the UK Association of Chief Police Officers.

Include data breach incident response management and reporting obligations.

2.6 Incident reporting to regulatory or other bodies, eg, Information Commissioner, FSA

Agree responsibilities for reporting and process to be used. Agree records and evidence to be captured and their availability to customer and vendor.

Include data breach incident response management and reporting obligations.

2.7 Specify EU DP Directive compliance requirements

In accordance with Article 17 EU Data Protection Directive EC 95/46.

2.8 Specify compliance requirements to industry, national or international security standards and where required formal certification obligations, eg, ISO 27001, NIST Encryption, BS10012:2009, ICO Guidance.

Provide evidence of compliance and certifications in this area. Agree who will certify. Agree responsibilities for certification. Agree distribution of surveillance audit reports and who is responsible for remedial/improvement actions. Identify any costing issues and agree resolution.

Where appropriate the regulatory body/ies should be contacted to fully understand the obligations.


2.9 Personnel security is a system of policies and procedures, which seeks to manage the risk of staff or contractors exploiting their legitimate access to an organisation’s assets for unauthorised purposes. (In this context ‘assets’ refers to anything the organisation feels is of value, such as its employees, premises, systems and information.)

Agree standard and approach to all aspects of personnel security. Additional policies may be necessary to meet specific threats in some countries. There may be some roles that require greater trust and therefore more rigorous background checks will be required, eg, system administrators. Where more rigorous checks are not possible then consideration will need to be given to restricting the access of staff in such roles.

Requirements must be consistent with local data protection and HR requirements.

2.10 Vetting/monitoring, specify minimum requirements for vetting and which roles may require additional levels of vetting eg, system administrators. This may be difficult in some locations for a number of reasons, for example: criminal records are not maintained, cultural issues, financial records are not available eg, debts, etc.

As a minimum the following should be taken into account:

Ensure that the personal information (eg, identification and employment history) provided by new recruits and contractors is authentic.

Ensure that only people who are unlikely to present a security concern are employed.

Minimise the feasibility of employees abusing their access to the organisation’s assets.

Detect employees who become a security concern and ensure that these concerns are managed appropriately.

Conduct effective investigations to resolve suspicions and provide an evidential basis to support the organisation’s disciplinary procedures.

Apply personnel security measures in a way that is proportionate to the risks and that reduces those risks to acceptable levels.

Provide an ongoing security awareness programme for all staff within the scope of the contract.

Monitoring may be in breach of the DPA. Employees have a legitimate expectation that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment - monitoring is generally considered intrusive. To the extent monitoring is used, it must be justified by the benefits to the employer. Note: covert monitoring can only be justified in exceptional circumstances.

The fair processing requirements must be satisfied - employees should be aware of the nature, extent and reasons for any monitoring. Information derived from monitoring for one purpose should not be used for a different purpose. Where monitoring is justified, the information derived should be kept secure with limited access.


2.11 Access

The processes and authorities for access controls must be agreed. Just transferring the customer processes may not be sufficient.

Access should be restricted to those persons who are required to access the data to fulfil the relevant purpose.

2.12 Tracking

Requirements for system tracking must be agreed in detail.

To the extent system tracking falls within the ambit of data protection legislation, the system may need to be modified to ensure compliance with data protection requirements.

2.13 Audit trails

Requirements for audit trails must be specified and agreed, including:

detail required;

retention periods; and

process for requesting and accessing audit trails.

Access should be restricted to those persons who are required to access the data to fulfil the relevant purpose. Data should be retained in accordance with the organisation’s data retention policy and local data protection legislation. Note: Requirements may vary per jurisdiction.

2.14 High access rights

The processes and authorities for access controls must be agreed. Just transferring the customer processes may not be sufficient.

Access should be restricted to those persons who are required to access the data to fulfil the relevant purpose.


2.15 Physical security

Vendor premises should be physically secured commensurate with protection against the prevailing national and local security threats to the customer’s business. A security risk assessment should form the basis of identifying the requirements for physical security controls. These will usually include:

defining the physical security perimeter of sites and buildings within the scope of the services provided;

guarding and physical access controls;

protection of environmental and utility supplies;

siting of equipment;

goods in/out controls (including physical assets);

data centre, computer room and software development/support locations physical security controls;

disposal processes for physical assets; and

physical security breach reporting process.

Appropriate security measures should be implemented having regard to the nature of the data and the potential risks of a breach and harm to individuals. Measures will usually include locked cabinets/offices/buildings, locks on laptops/PCs and access controls, eg, turnstiles and swipe cards.

2.16 Technical security

Details of requirements and processes must be agreed. Details of how changes/enhancements will be agreed and funded.

Appropriate security measures should be implemented having regard to the nature of the data and the potential risks of breach and harm to individuals. Measures will usually include anti-virus software, firewalls, etc.

2.17 Operational security

Details of requirements and processes must be agreed. Details of how changes/enhancements will be agreed and funded.

Appropriate security measures should be implemented having regard to the nature of the data and the potential risks of a breach and harm to individuals. Measures will usually include the use of login IDs and passwords.


2.18 Security risks

The risk assessment method must be agreed, as well as responsibilities. Frequency and trigger points for new assessments must be agreed. Details of risk reduction responsibilities must be defined. These requirements would normally be included in the contract security schedule.

The details of the risk impact assessment method must be specified. Roles and responsibilities for risk impact assessments must be clearly defined. Frequency and trigger points for new assessments must be agreed. Details of risk reduction responsibilities must be defined. These requirements would normally be included in the contract security schedule.

2.19 Threat assessment

An annual joint customer/vendor threat assessment should be carried out. Details of and responsibilities for any additional/changed security controls must be defined and agreed.

Conduct Privacy Impact Assessments and audits to identify potential risks.

2.20 PCI compliance (as required)

Where required and if the vendor is not compliant then it may take some time to complete the compliance process, especially where multiple jurisdictions are within scope.

3. Select preferred methods for managing security following vendors’ responses

Provide requested information and access to sites, personnel to demonstrate security competency and experience, including reference to customer sites where necessary.

Implement vendor management programme.

4. Carry out security due diligence of vendor(s) to verify vendor security capabilities generally. Ensure that vendor obligations are consistent with the customer’s own data retention policy

Provide requested information and access to sites, personnel to demonstrate security competency and experience, including reference to customer sites where necessary.

Implement vendor management programme.

Conduct vendor due diligence, particularly taking into consideration the technical and organisational security requirements. Include demonstrable ability to identify, notify and deal with data breach incidents.


5. Offshore Security and Privacy Due Diligence – required in addition to the requirements of question 4 on the previous page.

Consider the specific risks that could impact the services, including:

political climate

geographical region

socioeconomics

environmental and climatic considerations, eg, hurricane area

culture

utility supply resilience

trade practices

local laws

cultural differences

technological capabilities

As for security but as it impacts privacy.

6. SAS 70 is an independent audit carried out by an approved body that is paid for by the vendor. The audit report provides independent evidence to a customer as to the state of internal controls, including security and privacy.

Vendors may consider this an appropriate method of providing independent security evidence to the customer. SAS 70 audits may reduce/support the due diligence process.

SAS 70 audits may support the due diligence process. Note: Compliance with SAS 70 will not necessarily satisfy local data protection requirements.

7. Issue detailed statement of requirements and draft terms and conditions to vendors and invite tenders – customer invitation to tender (ITT) draws attention to the materiality of security, and refers to the security risk assessment, compliance requirement, controls specification, security management approach and assurance approach.

Respond to ITT/RFP providing detailed security management method to be used and both managerial and technical security controls necessary.


1. Specify the management of security and security changes throughout the lifecycle of the contract

Demonstrate means to change/upgrade services.

Translate security requirements to binding contractual obligations and include data protection.

2. Customer and vendor commercial, technical and procurement professionals negotiate and finalise the contract – contract change and scope change processes agreed and incorporated into the contract

Contract change process to trigger appropriate security risk profile updates. Security protection must be reviewed as part of the change control approval process.

Contract change process to trigger appropriate data protection updates. Frequent changes to services affect the data protection risk profile. Data protection must be reviewed as part of the change control approval process.

3. Finalise contract security aspects with procurement and commercial professionals to ensure it contains all necessary elements of the risk assessment, statement of compliance requirements, agreed security management approach, controls specifications, and assurance approach; security-related contract change and scope change processes are agreed and incorporated into the contract.

Be fully engaged in the negotiations of the security aspects of the contract. Agree the Information Security Management System (ISMS) that will be implemented.

Involve data protection specialists to negotiate data protection provisions. Cover legitimate data collection and processing, purpose limitation, audit, subject access mechanism, security, as well as any international transfer issues.

The flow of international data transfers must be clearly understood to ensure appropriate mechanisms cover relevant stages of the transfers, as between relevant entities. Transfers between sub-processors must also be addressed. Sometimes data exports require permits or regulatory approval.

4. Define method/process the vendor must follow when required to overwrite/destroy personal data.

Agree how process will be implemented and what records of destruction will be produced and maintained. Ensure all processes map to sub-contractors and that main contractual terms flow down to sub-contractors.

An approved software overwriting tools list is often available from government sources.

Limit extent to which subcontractors may process personal data or export data outside the EU. Ensure all processes map to sub-contractors and that main contractual terms flow down to sub-contractors.

Phase 3. Contract.


1. Vendor and customer security

professionals jointly plan and execute transition security activities.

Vendor security professionals

manage security in accordance with the agreed contract to

ensure requirements are met for all operational services before, during and after transition.

Vendor and customer security professionals jointly plan and

execute transition security

activities. Ensure plans incorporate

mechanisms to mitigate the risk

of unauthorised access to, or disclosure of data and the risk of data corruption or loss or the compromise of the data during system testing. Note that the

risks are greater where testing is conducted using live data.

Vendor provides assurance to

customer as agreed in the contract.

Customer and vendor co-operate on agreed formal

security accreditation reviews.

Transfers of personal data

may take place during transition, or may await

completion of a design and build phase. Be clear about what data are transferred and

when. Ensure appropriate data

transfer mechanisms are in

place. Note: Regulator approval may be required before transferring personal

data. Consider carefully whether

customers/staff need to be notified of new arrangements - are the fair processing/

consent requirements satisfied?

Notify regulators where

required.

2. Vendor plans and monitors transition from their perspective

Transition plans should include

a security plan containing all

security activities.

Transition plans should

include a privacy plan to

ensure that all such activities are completed.

28 Data Protection and Data Security Guidelines for Offshoring and Outsourcing

Phase 4. Implement

Customer data and information security issues

Vendor data and information security issues

Privacy issues

5. Define requirements for external auditing of the services and processes to enable this.

Ensure processes are agreed and

understood by the vendor. Where necessary security

processes will need to ensure that auditors are restricted to

the services of the individual

customer.

Ensure processes are agreed

and understood by the vendor.

Where necessary privacy processes will need to ensure

that auditors are restricted to

the services of the individual customer.

3. Manage security during processing

Vendor security professionals manage security in accordance with the agreed contract to ensure requirements are met for all operational services.

Vendor provides assurance to the customer as agreed in the contract.

Monitor compliance with data protection obligations. Maintain the relationship via governance and ensure issues are identified and dealt with. Manage data breach incidents. Exercise audit rights.

4. Plan and decommission any assets no longer part of the service

In line with agreed information classifications and the contracted process for the decommissioning/destruction of assets. Provide evidence of actions taken and retain records.

An approved software overwriting tools list is often available from government sources.

Ensure data is destroyed/disposed of in accordance with the data retention policy. Ensure decommissioned assets are stripped of personal data. Provide evidence of actions taken and retain records.

5. Complete the novation of third party contracts to vendor

Ensure that novated third party contracts include adequate security requirements as flow-down from the master contract. Carry out an audit to provide a record of all novation actions.

Determine what terms govern the transfer and processing of personal data by third parties. Is transfer permitted? Is an additional data processing contract required? Or an additional mechanism to cover international data flows?

6. Customer responsibilities

Customer security responsibilities must be understood by both customer and vendor.

7. Awareness training

Security awareness training for vendor staff in relation to the contract obligations and security processes will invariably be necessary.

Privacy awareness training for vendor staff in relation to the contract obligations and privacy processes will invariably be necessary.

Phase 5. Manage steady state

Customer data and information security issues

Vendor data and information security issues

Privacy issues

1. Assurance and conformance audits

Vendor operates security in accordance with contract.

Data protection audits should be conducted, including audits of significant sub-contractors.

Vendor provides assurance to customer as agreed in the contract, including security audits.

2. Change management

Vendor manages security-related change (either caused by service or security factors) in accordance with contractually agreed security change responsibilities and the service change management approach.

Do any changes affect the nature of the data or the nature of the processing which either party carries out?

3. Incident management

Reports and investigates in accordance with agreed contractual obligations. Where required, the agreed escalation process will be initiated. Regular reporting of incidents and their resolution should be part of the SLAs.

Consider in each case whether regulators and/or affected individuals should be notified of any data breach incidents. Ensure that the process complies with the ICO guidance on data breach notification.

4. Specification of subject access request (SAR) process with the vendor

Confirm the SAR support process. Frequently vendor support is required to enable the customer to comply with its SAR obligations. Clear procedures should be agreed between the parties.

5. Ensure vendor continuity plans meet specified business needs, including back-ups, recovery, standby and people (recent examples of power and water issues)

Vendor demonstrates competence by plan production, maintenance and testing. Requirements should be included within the contract.

Back-up and continuity plans must reflect good data protection practices.

6. Management and change of cryptographic keys

Management and change of cryptographic keys as agreed in contract. Escrow of keys/pass phrases.

7. Agree the security and business processes for the transformation of IT and security solutions over the life of the contract – this will include the assessment of security risks and updating of the security risk profile.

Agree the security aspects and processes for transformation and deliver changes in accordance with them.

Impact on data protection must be considered. As a result of providing ‘added value’ services, vendors often take on the role of co-controller, which radically affects legal and contractual obligations and risk management. Conduct privacy impact assessments on new technologies.

8. Managing contracts

Contract management is key to successful service delivery. Many of the activities outlined in Phases 1 to 4 will need to be maintained and regularly reviewed by both the customer and vendor on an ongoing basis. Maintain effective communication with staff delivering the service. Monitor and review the service internally. Ensure that all changes are formally documented and that copies of supporting emails are kept as part of the record. Note: changes, however minor, should be agreed in writing - SMS and Instant Messaging should not be utilised for this purpose. Maintain risk registers (service and security). Maintain an asset inventory. This may require several inventories where there are multiple customers.

Maintain a data asset inventory. This may require several inventories where there are multiple customers.

Ensure compliance with contract procedures (eg, Incident Management). Ensure a co-operative use of audit and information assurance rights - both the vendor and the customer benefit from early identification and resolution of the issues.

Contract management is key to successful service delivery. Many of the activities outlined in Phases 1 to 4 will need to be maintained and regularly reviewed by both the customer and vendor on an ongoing basis. Monitor and review data protection compliance internally. Ensure that all changes are formally documented and that copies of assessments, compliance advice and supporting emails are kept as part of the record. Maintain data flow maps. Ensure compliance with contractual obligations such as reporting requirements or rights of inspection/audit. Note: inspections/audits by customers of multi-tenancy environments may give rise to privacy concerns for other customers.

9. Agree the process to be used and decision points where offshoring is not included in the original contract.

Much of the content in Phases 1 to 4 will need to be considered by both customer and vendor. Consider changes to the existing contract. In particular, the customer should review contract provisions relating to:

charges

personnel

termination

Consider the impact on the existing service scope and agree changes. Consider the impact on existing service levels and agree changes. Agree acceptance criteria applicable to the new solution/deployment. Agree how cost savings will be realised. Agree any security vetting variances.

Much of the content in Phases 1 to 4 will need to be considered by both customer and vendor. Does the offshore entity’s country of establishment offer adequate data protection? What measures are in place between the local and offshore entities to ensure continued compliance with data protection obligations? What measures are in place to ensure legitimate data transfers? Do any current measures need to be altered? Is the offshore entity a third party? If so, particular care should be taken to ensure the third party will comply with the customer’s data protection requirements (eg, is the third party a reputable organisation? Does it have a history of (non-)compliance? Is the relationship between the vendor and the third party established?).

Phase 6. Termination, transfer or step-in

Customer data and information security issues

Vendor data and information security issues

Privacy issues

1. Customer manages transition of the information security management system (ISMS) to the new vendor in accordance with a contractually agreed ISMS termination plan.

Vendor transitions the information security management system (ISMS) to the new vendor in accordance with a contractually agreed ISMS termination plan.

Plan transition of data from the outgoing vendor. This may include destruction of certain data. Undertake an audit of the new vendor’s data processing and data security. Consider whether and, if so, how personal data may legitimately be transferred to the new vendor. Establish the legal basis for data processing by the new vendor. Are personal data transferred internationally? If so, analyse data flows and establish an appropriate mechanism for transfer (typically model clauses or safe harbor).

2. Protection of customer IPR

Protection of IPR within solutions. Should include actions required by customer, vendor, sub-contractors and third parties.

Ensure personal data is removed from any databases and/or secure ongoing licences.

3. Staff

Staff transfers and maintaining confidentiality of vendor IPR and business information. Where appropriate, vetting records should be transferred as well as HR records.

Consider timing of disclosure of personal data to the new vendor, in compliance with data protection obligations and TUPE. Disclosure of too much data too early in the process may breach TUPE and data protection laws, delay the project and give rise to a claim for damages. Consider whether and, if so, when to involve works councils.

4. Transfer of all personal data to new vendor

Overwriting of personal data on retained storage and/or systems. An approved software overwriting tools list is often available from government sources.
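The data flow analysis that Phase 3 item 3 calls for ("the flow of international data transfers must be clearly understood") and that Phase 6 item 1 repeats ("analyse data flows and establish an appropriate mechanism for transfer") is something a security team can script against its data flow map rather than check by hand. The Python script below is an added worked example and is not part of Intellect's guidelines. It encodes the rules these guidelines state: a transfer to a destination outside the EEA needs an adequacy finding, model clauses or safe harbor; the 2001/2004 clauses serve controller-to-controller transfers and the 2010 clauses controller-to-processor transfers (Appendix B); transfers between sub-processors must also be addressed; and some exports need a permit or regulatory approval. It walks every leg of a constructed map, including the hop from a processor to its sub-processor. The entity names, country codes, the partial EEA set, the adequacy set (only Argentina, which the guidelines name) and the treatment of sub-processor hops as needing the same 2010 clauses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, illustrative subset of EEA country codes (not the complete list).
EEA = {"GB", "IE", "DE", "FR", "NL", "PL"}
# Countries the guidelines name as holding an EU 'adequacy' finding (Argentina).
# Assumption: a real check takes the current list from the Commission's decisions.
ADEQUATE = {"AR"}

# Model-clause sets per Appendix B: 2001/2004 clauses for controller-to-controller
# transfers, 2010 clauses for controller-to-processor transfers.
MODEL_CLAUSES_C2C = {"model clauses 2001", "model clauses 2004"}
MODEL_CLAUSES_C2P = {"model clauses 2010"}


@dataclass(frozen=True)
class Entity:
    name: str
    country: str   # country of establishment, constructed two-letter code
    role: str      # "controller", "processor" or "sub-processor"


@dataclass(frozen=True)
class Leg:
    """One hop in the data flow map. All data is assumed to be EU-origin personal data."""
    src: str
    dst: str
    mechanism: Optional[str] = None  # "model clauses 2010", "safe harbor", ... or None
    export_permit_needed: bool = False
    export_permit_held: bool = False


def mechanism_covers(leg: Leg, dst: Entity) -> bool:
    """Does the leg's mechanism fit the destination's role and country?"""
    if dst.country in ADEQUATE:
        return True                       # adequacy finding: no clauses needed
    if leg.mechanism == "safe harbor":
        return dst.country == "US"        # Safe Harbor only covered US recipients
    if dst.role == "controller":
        return leg.mechanism in MODEL_CLAUSES_C2C
    # Processor or sub-processor destination. Assumption for the example: the
    # 2010 clauses are flowed down to sub-processors, as the guidelines require
    # main contractual terms to be.
    return leg.mechanism in MODEL_CLAUSES_C2P


def check_flows(entities: List[Entity], legs: List[Leg]) -> List[str]:
    """Return one finding per leg that leaves EEA protection without cover,
    plus one per leg whose required export permit/approval is not held."""
    by_name: Dict[str, Entity] = {e.name: e for e in entities}
    findings: List[str] = []
    for leg in legs:
        src, dst = by_name[leg.src], by_name[leg.dst]
        label = (f"{src.name} ({src.country}, {src.role}) -> "
                 f"{dst.name} ({dst.country}, {dst.role})")
        if dst.country not in EEA and not mechanism_covers(leg, dst):
            what = leg.mechanism or "no mechanism"
            findings.append(f"{label}: {what} does not cover a transfer "
                            f"to a {dst.role} in {dst.country}")
        if leg.export_permit_needed and not leg.export_permit_held:
            findings.append(f"{label}: export permit/regulatory approval "
                            f"required but not held")
    return findings


# Constructed sample map: a UK controller, its Indian processor and that
# processor's sub-processor, a US analytics partner and an Argentine payroll vendor.
ENTITIES = [
    Entity("UK Retailer", "GB", "controller"),
    Entity("IN Vendor", "IN", "processor"),
    Entity("IN Sub", "IN", "sub-processor"),
    Entity("US Analytics", "US", "controller"),
    Entity("AR Payroll", "AR", "processor"),
]
LEGS = [
    Leg("UK Retailer", "IN Vendor", "model clauses 2010"),      # covered
    Leg("IN Vendor", "IN Sub"),                                 # sub-processor hop not addressed
    Leg("UK Retailer", "US Analytics", "model clauses 2010"),   # wrong clause set for C2C
    Leg("UK Retailer", "AR Payroll"),                           # covered by adequacy finding
    Leg("IN Vendor", "US Analytics", "safe harbor",
        export_permit_needed=True, export_permit_held=False),   # permit missing
]

if __name__ == "__main__":
    for finding in check_flows(ENTITIES, LEGS):
        print(finding)
```

Run as a script it lists three findings for the sample map: the uncovered hop to the sub-processor, the controller-to-controller leg that cites the wrong clause set, and the leg whose export permit has not been obtained. The legs covered by the 2010 clauses and by Argentina's adequacy finding produce nothing. Keeping the map as data means the same check can be re-run whenever Phase 5 item 8 ("maintain data flow maps") records a change.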

5. Validate and final review

Overwriting/destruction of personal data on retained storage. A list of approved software overwriting tools is often available through government sources.

Implement the transition. Ensure the transfer is secure. Ensure unwanted data are securely destroyed.

6. Step-in is often transitory and usually takes place in crisis situations, including where the existing vendor has failed. The process outlined above should be followed where possible. Of paramount importance is to ensure security is maintained, in particular when data are transitioned. Where step-in is transitory, the transfer will need to be reversed, with data being moved either to the original vendor or to a new vendor.

A security review would usually be carried out to ensure that security controls and levels are maintained.

Although step-in arrangements may be made in crisis situations, data protection requirements must still be met. The customer will need to establish a legal basis for the transfer of the data to the new vendor, limit by contract the scope of processing by the vendor, and ensure the vendor affords the data appropriate technical and organisational security. If the vendor is based abroad, or processes data abroad, an adequate basis for transfer will be needed.

Phase 7. Exit

Customer data and information security issues

Vendor data and information security issues

Privacy issues

1. Customer transitions the information security management system (ISMS) from the vendor in accordance with a contractually agreed ISMS termination plan.

Vendor transitions the information security management system (ISMS) to the customer in accordance with a contractually agreed ISMS termination plan.

As per termination, transfer or step-in.

2. Vendor IPR agreement

Protection of IPR within solutions. Should include actions required by customer, vendor, sub-contractors and third parties.

Ensure personal data is removed from any databases and/or secure ongoing licences.

3. Staff transfers

Staff transfers and maintaining confidentiality of vendor IPR and business information. Where appropriate, vetting records should be transferred as well as HR records.

Consider timing of disclosure of personal data to the new vendor, in compliance with data protection obligations and TUPE. Disclosure of too much data too early in the process may breach TUPE and data protection laws, delay the project and give rise to a claim for damages. Consider whether and, if so, when to involve works councils.

4. Recovery of all personal data

Overwriting of personal data on retained storage and/or systems. An approved software overwriting tools list is often available from government sources.

For further information about these guidelines or Intellect’s work, contact Carla Baker, T 020 7331 2164, E [email protected]

Disclaimer These guidelines are consistent with English law as at August 2010. The information provided in these guidelines is not intended nor recommended as a substitute for professional, legal or other advice.

Appendix A: List of useful standards

1. List of useful data protection and information security management standards

Many of the standards listed below are part of the growing ‘27000’ family of international information security management standards. BS ISO/IEC 27000:2009 is an introduction to the series, providing both an overview of techniques and definitions of related terms. Data protection standards are relatively new - most standards that refer to data protection are focussed on information security. However, the new standard BS 10012:2009 focuses on maintaining and improving compliance with data protection legislation and good practice, rather than specifically on information security.

Good practice in / Standard

Maintaining and improving compliance with data protection legislation: BS 10012:2009 Data Protection - Specification for a Personal Information Management System.

Information Security Management: BS ISO/IEC 27002:2005 - Information Technology - Security Techniques - Code of Practice for Information Security Management.

Information Security Management (for third party audit): BS ISO/IEC 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements.

Information Security Risk Management: BS 7799-3:2006 - Information Security Management Systems - Guidelines for Information Security Risk Management.

Information Security Risk Management (in support of BS ISO/IEC 27001): BS ISO/IEC 27005:2008 Information Technology - Security Techniques - Information Security Risk Management.

Sector Specific Information Security Management: PD ISO/TR 13569:2005 Financial Services - Information Security Guidelines. BS ISO/IEC 27011:2008 Information Technology - Security Techniques - Information Security Management Guidelines for Telecommunications Organisations based on ISO/IEC 27002.

IT Security Management: BS ISO/IEC 27033-1:2009 Information Technology - Security Techniques - Network Security - Overview and Concepts. BS ISO/IEC 18023-1, -2, -3, -4, -5:2006 Information Technology - Security Techniques - IT Network Security.

System Intrusion Detection: BS ISO/IEC TR 15947:2002 - Information Technology - Security Techniques - IT Intrusion Detection Framework.

Information Security Incident Management: PD ISO/IEC TR 18044:2004 - Information Technology - Security Techniques - Information Security Incident Management.

Secure Destruction of Information: BS EN 15713:2009 Secure Destruction of Confidential Material - Code of Practice.

Business Continuity Management (general): BS 25999-1:2006 - Business Continuity Management - Code of Practice. BS 25999-2:2007 - Specification for Business Continuity Management.

ICT Business Continuity Management: BS 25777:2008 Information and Communications Technology Continuity Management - Code of Practice.

ICT Disaster Recovery: BS ISO/IEC 24762:2008 Information Technology - Security Techniques - Guidelines for Information and Communications Technology Disaster Recovery Services.

Security Screening (individuals): BS 7858:2006+Amendment 2:2009 Security Screening of Individuals employed by Organisations providing Security Services - Code of Practice.

Appendix B: Data Protection Laws in Key Outsourcing Jurisdictions

Introduction

Whilst some countries have implemented comprehensive data protection legislation, in other countries personal data is protected by constitutional rights or privacy-related legislation, such as employment law. This appendix highlights the data protection laws applicable in the UK and in other jurisdictions that are common outsourcing destinations. Where a transaction involves the processing of personal data, and particularly where the data concerns employee data or any data of a sensitive nature, additional legal issues may arise and the customer should seek specific legal advice.

Overview of UK Data Protection Law

The processing of personal data in EU jurisdictions is governed by European data protection law, which is based primarily on the EU Data Protection Directive (EC/95/46). The Data Protection Directive places restrictions on the processing of personal data and their transfer outside the EU. National data protection laws within each EU Member State implement the Directive. The rules for determining applicable data protection law are complex, but the general rule is that the applicable law is that of the country in which the ‘controller’, who processes the data, is established. The legislation implementing the Data Protection Directive in the UK is the DPA. To understand how the DPA operates, it is critical to appreciate the following key definitions used within the legislation:

‘Processing’ - this is defined in very wide terms as any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Even calling personal data up on a screen constitutes processing of the data.

‘Personal data’ - is any information which relates to a living individual who can be identified from such information. In the context of an outsourcing, HR data and customer and vendor contact details will all constitute personal data. There is a further category of personal data, known as ‘sensitive personal data’, which consists of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, details of criminal convictions and the processing of data concerning health or sex life. Additional safeguards apply to protect sensitive personal data.

‘Controller’ - is the individual or entity which determines the purposes and means of the processing of personal data. The majority of the obligations under the DPA are imposed on the controller. If a customer decides to outsource some of its functions, such as payroll, personal data will almost certainly need to be transferred to the outsource vendor as part of that transaction. In most (but not all) circumstances, the organisation transferring its data will remain the controller. In practical terms this means that even though the data will be processed by the outsource vendor, the customer will remain responsible at law for how those data are processed.

The legal status of a controller should be contrasted with that of a ‘processor’ which ‘processes personal data on behalf of the controller’. The processor has few, if any, direct obligations under the DPA. Where a controller uses a processor to process data on its behalf, the controller remains responsible and accountable to the data protection regulators and to individuals for the processing of those data. Typically, a controller seeks to pass on some of its responsibilities formally by contract to a processor. Under the DPA it is an express legal requirement that a controller must limit by contract the specific purposes for which data may be processed on its behalf. Further, a controller must ensure that a third party processor provides sufficient technical and organisational security measures to safeguard the data.

In addition, a controller is required by the DPA to ensure that:

the collection and processing of the data are fair and lawful;

data are processed only for specified and legitimate purposes;

data are adequate, relevant and not excessive in relation to the purposes for which they are collected;

data are accurate and kept up to date;

data are not retained for longer than necessary;

the rights of individuals to gain access to their data are honoured;

data are protected by adequate technical and organisational security measures;

transfers of data outside the European Economic Area (EEA) ensure an adequate level of protection.

The characterisation of a party as controller or processor determines the nature and scope of that party’s data protection obligations. The controller remains accountable, to both the regulators and to individuals, for the data it processes. It is often difficult to determine in practice which party is the controller and which is the processor, although it is a critical issue as it will determine the scope of each party’s legal obligations. The Data Protection Directive characterises the test of a controller in terms of the degree of discretion or decision-making authority exercisable by that party in relation to the data it processes. A party that was once merely a processor might, over a period, assume a greater degree of responsibility in relation to the data and become a controller or co-controller in respect of the data. This might occur as a result of additional services being added or new technology being deployed. More subtly, as the relationship develops, the processor may simply be entrusted with greater discretion in relation to the data. Organisations should carefully analyse the capacity in which parties process personal data, not just at the outset, but throughout the outsourcing lifecycle.

Data Protection Requirements in Key Outsourcing Jurisdictions

Argentina

The Argentine Law on data protection was implemented in 2001. The legislation is based on the EU data protection framework and incorporates all of the Data Protection Directive’s data processing principles. Argentina was the first Latin American country to be approved under the EU regime as meeting the Data Protection Directive’s ‘adequacy’ requirements, permitting personal data to be freely transferred from the EU to Argentina.

Australia

Australia’s federal Privacy Act 1988 regulates information privacy. The Act includes ten ‘National Privacy Principles’ regulating the collection, use and disclosure of personal information by private sector organisations. The legislation empowers the Federal Privacy Commissioner to formulate guidelines in relation to the interpretation of the National Privacy Principles, to investigate whether an agency or organisation has breached the Privacy Act and to resolve complaints. The federal Privacy Act does not regulate state or territory agencies, except for the Australian Capital Territory. In 2008, the Australian Law Reform Commission undertook a review of the Privacy Act, releasing its report, ‘For Your Information’, on 11 August 2008. The Government released its first stage response to the Australian Law Reform Commission’s review of privacy law on 14 October 2009 and has recently published draft legislation adopting a majority of the Australian Law Reform Commission’s recommendations.

Bangladesh

The Bangladesh Constitution recognises the right of privacy; however, Bangladesh does not have any specific data protection law. Bangladesh’s Penal Code and telecommunications laws provide individuals with limited rights of privacy.

Brazil

Brazil does not have a comprehensive data protection law. The Brazilian Constitution provides for habeas data, which grants individuals the right to know what data public bodies hold about them and the right to require public bodies to correct or update their data. In addition, Brazil’s consumer protection and telecommunications laws provide limited data privacy rights. There is no independent body that oversees the management of individuals’ personal data.

Chile

Chile was the first country in Latin America to legislate on data protection. Chile’s Law for the Protection of Private Life 1999 applies to the processing of the personal data of natural persons in the private and public sectors. The law includes some elements of the EU Data Protection Directive, such as restrictions on the processing of sensitive personal data, and grants individuals rights to access and correct their data. However, unlike the EU data protection framework, there is no data protection authority and individuals must pursue their own remedies. The law does not place restrictions on cross border data transfers.

Page 40: Data Protection and Data Security Guidelines for ......06 Data Protection and Data Security Guidelines for Offshoring and Outsourcing 2. Key data issues This set of guidelines is structured

40 Data Protection and Data Security Guidelines for Offshoring and Outsourcing

Egypt Egypt does not have any specific data protection or privacy law. However, Egypt’s Constitution and Civil Code grants limited rights of privacy to individuals.

European Union
The Data Protection Directive (95/46/EC) requires each Member State to implement national data protection legislation. It imposes broad obligations on those who collect personal data and confers broad rights on the individuals about whom data is collected. The Directive is also intended to harmonise national data protection laws throughout the EU, but differences between national implementing laws have arisen because the Directive gives Member States some discretion in implementing its provisions, specifically allowing them to introduce or retain more stringent rules.

The Directive's key requirements oblige organisations to inform individuals of the purposes for which their data are being collected (and in certain circumstances to obtain individuals' express consent to such processing), to guarantee the security of personal data, and to restrict the transfer of data outside the European Economic Area (EEA) unless the Directive's 'adequacy' condition is satisfied. Where a transaction involves a cross border transfer (whether or not within the EU), the requirements of each relevant data protection authority must be checked, as some countries require organisations to notify the data protection authority prior to the transfer or to obtain its authorisation for the transfer.

The European Commission has approved standard contractual clauses for the transfer of personal data outside the EEA. For controller to controller transfers, organisations may choose to use either the 2001-approved model clauses (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:181:0019:0031:EN:PDF) or the 2004-approved model clauses (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0074:0084:EN:PDF). For controller to processor transfers, organisations must use the 2010-approved model clauses (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF).

The Article 29 Working Party plays an important role in issuing opinions, recommendations and other advisory documents on EU data protection issues. These papers are not generally binding, but are highly influential given that the EU data protection authorities are members of the Working Party. Details of its papers can be found at: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm

India
The protection of personal data is governed by the Information Technology Act 2000, which provides individuals with limited protection in the context of commercial arrangements such as an outsourcing or technology transaction. The Personal Data Protection Bill was introduced in 2006. The Bill is based on the EU data protection model, provides for the protection of individuals' personal information held by organisations for commercial purposes, and grants individuals rights to claim damages for unlawful disclosure of their data. The Bill is still pending.

Israel
The Privacy Protection Act 1981, together with several other regulations, governs the collection and use of personal data in Israel. Amendments to the Act passed in 2007 established new requirements for the processing of personal data and established a data protection authority, significantly enhancing privacy protection within Israel. In December 2009 the Article 29 Working Party adopted an opinion finding that Israeli data protection law largely provides an 'adequate level of data protection' under the EU Data Protection Directive. An 'adequacy decision' for Israel, which would allow personal data to be transferred freely from the EU to Israel, is likely to be issued in 2010.

Mexico
In 2010 Mexico passed the Federal Law on the Protection of Personal Data Held by Private Parties, incorporating key features of the EU data protection framework. The new law establishes the Federal Institute of Information Access and Data Protection, with power to enforce the law against any individual or entity engaging in the collection, storage and/or transfer of personal data.

Nigeria
The Nigerian Constitution recognises the right of privacy; however, Nigeria has not yet enacted any specific data protection law. To date, the Nigerian Government's legislative focus has been on cybercrime. There are currently two draft statutes before the National Assembly: the Computer Security and Critical Information Infrastructure Protection Bill 2005 and a Bill to provide for the establishment of the Cyber Security and Information Protection Agency. The draft legislation imposes certain security obligations on organisations operating computer systems and networks, but does not sufficiently address EU data privacy concerns.


Pakistan
The Electronic Data Protection and Safety Act 2005 governs the processing of electronic data in Pakistan. The Act incorporates some of the key concepts of the EU Data Protection Directive, including the restrictions on disclosures and international data transfers. The Pakistani Government is focused on industry requirements for outsourcing. The Pakistan Software Export Board (PSEB) has issued Recommendatory Guidelines on the adoption of Model Clauses for the transfer of personal data from the EU to third countries and of Binding Corporate Rules, to assist companies in meeting the EU 'adequacy' requirements.

Philippines
There is currently no specific law in the Philippines governing the collection and processing of personal data. In 2006 the Department of Trade and Industry (DTI) issued Department Administrative Order No. 8, prescribing guidelines for the protection of personal data in information and communications systems in the private sector. The Order lays down general principles for collecting, processing, storing and transferring personal data. Enforcement is through a voluntary accreditation and certification process. The DTI is currently developing new guidelines.

Russia
The Law on Personal Data 2006 and the Law on Information, Information Technologies and Protection of Information 2006 were adopted in 2006, following Russia's ratification in 2005 of the Council of Europe Convention on data protection. These laws provide for the protection of personal data. By 1 January 2011, operators of information systems which process personal data must ensure that their information systems meet specific security requirements established by the Russian Government.

South Africa
The Electronic Communications and Transactions Act No. 25 of 2002 contains principles for dealing with personal data processed in communication systems. The South African Law Commission's investigation into privacy and data protection commenced in 2003 and was finalised in February 2009. The Protection of Personal Information Bill was introduced into Parliament in August 2009. Public hearings are due to take place during 2010, and it is anticipated that legislation will be enacted later this year.

United Arab Emirates (UAE)
The UAE has no comprehensive data protection or privacy law. The right to privacy is guaranteed in its Constitution and Penal Code. The UAE is in the process of establishing a Data Privacy Commission, and there is speculation about whether it will establish a data protection regime similar to the EU's.

In 2007 Dubai became the first emirate in the UAE to enact data protection legislation: the Dubai International Financial Centre (DIFC), one of Dubai's 'free zones', enacted a Data Protection Law based on the EU Data Protection Directive.

United States of America
The United States has no comprehensive data protection legislation but does have extensive sectoral privacy laws. The US Department of Commerce has developed, in consultation with the European Commission, a 'safe harbour' which offers a method by which US organisations can comply with European data protection legislation on a voluntary basis. Organisations that sign up to the scheme are treated as offering 'adequate' protection under the EU data protection framework. The safe harbour website can be accessed at www.export.gov/safeharbor.

The US has strict regulations dealing with the processing of personal data in the financial services sector (Gramm-Leach-Bliley Act) and the healthcare sector (Health Insurance Portability and Accountability Act). Most US states also have strict data breach notification laws.

Vietnam
There are currently limited laws in Vietnam providing for the protection of personal information. The Civil Code and the intellectual property and information technology legislation, which contain some aspects of the APEC privacy principles, provide limited legal protection. The Law on Access to Information, which is due to come into force in June 2012, grants rights to individuals and imposes obligations on state organisations in respect of individuals' personal data.


Appendix C: EU Security Breach Notification Requirements

Introduction
Ensuring that personal data is safeguarded and processed securely is a key requirement of the EU Data Protection Directive. 'Data breach' is a generic term applied to instances where the security or integrity of data is compromised, whether deliberately or not. There is currently no general provision in the Directive requiring the notification of data breaches, whether to a data protection authority or to the individuals whose data has been compromised. Despite this, many Member States have developed national notification requirements. These typically require organisations to implement a data breach notification policy, and include requirements for incident reporting and handling and for external breach notification.

In the context of an outsourcing, organisations will wish to consider including specific security breach reporting and remediation procedures in contracts with vendors, and also reserving the right to use third parties to assist with incident mitigation and remediation at the cost of the vendor.

Steps have been taken to harmonise the EU data breach notification requirements. In 2009 the EU electronic communications privacy rules were amended to require Member States to implement national legislation by May 2011 imposing obligations on providers of publicly available electronic communications services, including Internet Service Providers (ISPs), to notify data breaches to the competent national authority and, where the breach is likely to adversely affect them, to the subscribers or individuals concerned. The European Commission has also indicated that it would be appropriate to extend the scope of data breach notification obligations to other organisations handling personal information.

EU Data Breach Notification Requirements
The table below sets out the current EU data breach notification requirements [1]. As noted above, all EU countries must implement data breach notification requirements applicable to ISPs by 2011. It is anticipated that many Member States will implement legislation imposing general data breach obligations on all organisations handling personal information.

Austria
Requirement: Mandatory. Organisations must report data breaches where the impacted individual(s) may suffer damage.
Whom to notify: Only the individuals whose data has been compromised; the Data Protection Commissioner does not need to be informed about a data breach.
Sanctions for failure to notify: A fine of up to EUR 25,000.

France
Requirement: Mandatory (not yet implemented). There is currently no general obligation for organisations to report data breaches. In 2009 the French Senate proposed amendments to France's Data Protection Act to require organisations to notify data breaches [2].
Whom to notify: If the draft Senate Bill is implemented, the data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), must be notified. Organisations must also inform the data subjects if the breach has an impact on their personal data.
Sanctions for failure to notify: If the French Data Protection Act is amended to incorporate the draft Senate Bill's provisions on security breach notification, a failure to notify would be sanctioned by a maximum fine of EUR 300,000 (which may be increased to EUR 600,000) and up to five years' imprisonment.

[1] EU data breach chart current as of 31 July 2010.
[2] Note: under French telecommunications law, telecom operators must inform their subscribers if there is a particular risk of a breach of their network security. Subscribers must be informed of that risk, of any measures available to protect themselves against it, and of the costs of such measures.


Germany
Requirement: Mandatory. Organisations must report data breaches that are likely to have a serious impact on the rights or protected interests of individuals where the data concerns: sensitive personal data; personal data subject to professional or official confidentiality obligations; personal data concerning criminal acts or administrative offences; personal data concerning bank or credit card accounts; or telecommunications traffic or usage data.
Whom to notify: The Data Protection Authority and the individuals whose data has been compromised.
Sanctions for failure to notify: Failure to notify a data breach in accordance with German law constitutes an administrative offence, which may result in a fine of up to EUR 300,000.

Ireland
Requirement: Voluntary. There is currently no mandatory obligation for organisations (whether public or private) to report data breaches, although mandatory notification requirements are expected to be introduced in the second half of 2010. The Data Protection Commissioner published a draft Data Security Breach Code of Practice in May 2010 for public consultation. The draft Code imposes mandatory reporting obligations where the breach affects more than a hundred individuals, or where it involves any loss of sensitive personal data or of personal financial data that could be used to carry out identity theft.
Whom to notify: The Office of the Data Protection Commissioner and, if appropriate in the circumstances, the individuals whose data has been compromised. Organisations should also consider notifying third parties such as the police, banks or credit card companies who can assist in reducing the risk of financial loss to individuals.
Sanctions for failure to notify: Currently not applicable, as notification is voluntary.

United Kingdom
Requirement: Voluntary. The Information Commissioner encourages voluntary notification by the private sector of serious breaches which result in the loss, release or corruption of personal data. The seriousness of a security breach should be assessed according to (i) the potential harm to individuals, (ii) the volume of personal data, and (iii) the sensitivity of the data lost, released or unlawfully corrupted.
Whom to notify: The Information Commissioner's Office and, if appropriate in the circumstances, the individuals whose data has been compromised. Organisations should also consider notifying third parties such as the police, insurers, professional bodies, banks or credit card companies who can assist in reducing the risk of financial loss to individuals.
Sanctions for failure to notify: Although there is no data breach notification requirement, serious breaches of the data protection principles may result in a fine of up to £500,000.


Appendix D: Glossary

Article 17: Article 17 of the EU Data Protection Directive 95/46/EC, which specifies that an appropriate level of security must be in place with regard to the processing of personal data.

Article 29 Working Party: The independent European advisory body on data protection established by the EU Data Protection Directive, comprised of representatives of the data protection authorities of each Member State.

Business Process Outsourcing: The transfer of business processes, eg HR functions and their associated operational activities, to a third party.

Controller: The person who determines how and for which purposes personal data is to be processed.

Customer: The original data controller who wishes to outsource the processing (and occasionally control) functions to a third party vendor.

Data flows: The physical and logical stream of transfers of data through an organisation, often represented in a 'data flow diagram'.

Data Protection Authority: A national authority, for instance the UK's Information Commissioner's Office, set up to promote and enforce data protection policies.

DPA: Data Protection Act 1998.

Data subject: The living individual to whom personal data relates.

Information security management system: The suite of processes and systems designed to manage data security within an organisation.

Model clauses: The standard contractual terms issued by the European Commission which may be used as the basis for a transfer of personal data from the EU to other jurisdictions.

Personal data: Data that relates to a living individual who can be identified from those data, or from those data and other data in the possession of the data controller. This includes business contact data.

Privacy Impact Assessment: A tool to assist organisations to assess and identify any privacy concerns in a systematic way and to identify measures to address them.

Processor: Any person, other than an employee of the data controller, who uses or processes personal data on behalf of the data controller.

SaaS: Software as a Service, a model of software deployment over the internet.

Safe harbour: A scheme initiated by the U.S. Department of Commerce which allows U.S. companies to register their intention to comply with the EU Data Protection Directive. By self-certifying, a company can have personal data transferred to it from within the EEA.

Sensitive personal data: Personal data is sensitive if it includes any of the following types of information about an identifiable, living individual: racial or ethnic origin; political opinions; religious beliefs; trade union membership; physical or mental health; sexual life; commission of offences or alleged offences.

Subject access request: A written request from a data subject to a data controller for access to his/her personal data.

TUPE: The Transfer of Undertakings (Protection of Employment) Regulations 2006, designed to protect the rights of employees in a transfer situation by enabling them to keep the same terms and conditions, with continuity of employment, as before.

Vendor: A third party engaged by the customer to process personal data in the customer's possession.

Works council: An entity formed within an organisation primarily for the protection of employee interests. Works councils are compulsory for entities of a certain size in some jurisdictions.


Appendix E: List of useful guidance documents

(Each entry names the area of good practice, followed by the guidance document.)

Good general global security guidelines: OECD, Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security, Paris, OECD, July 2002.

Information security: European Network and Information Security Agency (ENISA) standards.

Good practice advice for the protection of data centres housing or supporting elements of the UK National Critical Infrastructure: Centre for the Protection of the National Infrastructure (CPNI), Protecting Data Centres - Good Practice Guide.

Reference tool for countries that do not have a legal and institutional structure for data protection, and for international companies: International Conference of Data Protection and Privacy Commissioners, Draft Proposal for International Standards on the Protection of Personal Data and Privacy, 2009.

A complete guide to ensuring compliance with the data protection principles: Information Commissioner's Guide to Data Protection.

A series of key commitments that senior officers make on behalf of their organisations to improve data protection compliance: Information Commissioner's Personal Information Promise - Mission Statement by Organisations.

Good practice recommendations for complying with the DPA when outsourcing the processing of personal information: Information Commissioner's Data Protection: Outsourcing Guide for Small and Medium Sized Businesses - Good Practice Note.

Good practice recommendations for complying with the DPA when buying and selling databases: Information Commissioner's Data Protection: Buying and Selling Customer Databases - Good Practice Note.

A practical and comprehensive guide to help organisations developing projects to assess and identify any privacy concerns (a Privacy Impact Assessment) and identify measures to address them: Information Commissioner's Privacy Impact Assessment (PIA) Handbook.

Security good practice in cloud computing: Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 from the Cloud Security Alliance. This is an evolving document highlighting cloud security considerations in the following domains: 1: Cloud Computing Architectural Framework; 2: Governance and Enterprise Risk Management; 3: Legal and Electronic Discovery; 4: Compliance and Audit; 5: Information Lifecycle Management; 6: Portability and Interoperability; 7: Traditional Security, Business Continuity, and Disaster Recovery; 8: Data Centre Operations; 9: Incident Response, Notification, and Remediation; 10: Application Security; 11: Encryption and Key Management; 12: Identity and Access Management; 13: Virtualization.


Guidance for board members and executive management on information security governance: IT Governance Institute, 'Information Security Guidance for Boards of Directors and Executive Management', 2nd Edition. A high-level executive view of the requirements and responsibilities.

Guidance for information security managers on information security governance: IT Governance Institute, 'Information Security Governance: Guidance for Information Security Managers'. Details the information security manager's requirements and responsibilities for information security governance.

Guidance for managers on information security programmes: NIST, 'Information Security Handbook: A Guide for Managers'. Provides a broad overview of information security programme elements to assist managers in understanding how to establish and implement an information security programme.

Good practice guide on how to deal with computer-based evidence and to provide legally admissible evidence: The ACPO Good Practice Guide to Computer Based Evidence.

Guidance on forensic readiness planning: An Introduction to Forensic Readiness Planning, NISCC Technical Note 01/2005 (http://www.cpni.gov.uk/).

Digital investigations and evidence guidance for directors and corporate advisors: Directors and Corporate Advisors' Guide to Digital Investigations and Evidence (http://www.iaac.org.uk/).

Guidance on managing security to safeguard intellectual assets in outsourced and offshored environments: BSI publication BIP 0116:2010, Managing Security in Outsourced and Offshored Environments: How to Safeguard Intellectual Assets in a Virtual Business World (http://www.bsigroup.com/).

Guidance on system testing: Data Protection: Guidelines for the Use of Personal Data in System Testing (http://www.bsigroup.com/).

CPNI security guidance on protecting data centres: CPNI Viewpoint 02/2010, Protection of Data Centres, April 2010 (http://www.cpni.gov.uk/).

CPNI security guidance on cloud computing: CPNI Viewpoint 01/2010, Cloud Computing, March 2010 (http://www.cpni.gov.uk/).

CPNI security guidance on personnel security: CPNI, Personnel Security: Threats, Challenges and Measures, December 2007 (http://www.cpni.gov.uk/).

CPNI security guidance on personnel security in offshore locations: CPNI, Personnel Security in Offshore Locations, June 2009 (http://www.cpni.gov.uk/).


CPNI security guidance on personnel security risk assessment: CPNI, Risk Assessment for Personnel Security: A Guide, Edition 2 (http://www.cpni.gov.uk/).

CPNI security guidance on cloud computing: CPNI Information Security Briefing 01/2010, Cloud Computing, March 2010 (http://www.cpni.gov.uk/).

Guidance on service contract management: OECD, Principles of Service Contracts - Contract Management Guidelines, 2002 (http://www.oecd.org/).


Intellect, Russell Square House, 10-12 Russell Square, London WC1B 5EE. T 020 7331 2000, F 020 7331 2040, E [email protected], W www.intellectuk.org. © Intellect November 2010. Content may not be copied, distributed, reported or dealt with in whole or part without prior consent of Intellect.

Intellect works with and for members to:
- develop the UK's capability to support a strong and growing technology sector
- improve their business performance by providing insights into markets and supply chains and constructively influencing their development
- engage with government and regulators to create the most favourable environment for growth and employment
- maintain the industry's reputation and champion its strategic importance
- share and promote best practice

For more information visit www.intellectuk.org