Data Protection in Financial Services: Are you Seeing the Bigger Picture?

17 September 2008

Page 2: Disclaimer

1. This presentation does not constitute specific legal advice

2. This talk is to raise awareness – not to solve specific problems

3. Opinions, errors and omissions are the speaker’s alone

4. This talk is designed to engender discussion about the risks associated with data security within the FSA regulated sector

Page 3: Why do we keep records?

Page 4: Data security: security of what?

Page 5: Rules, rules and more rules…

• Data Protection Act 1988

• The Human Rights Act

• Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

• Companies Act

• Freedom of Information Act

• …

Page 6: Data Protection Act 1998

“personal data” means data which relate to a living individual who can be identified— (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Section 1 Data Protection Act 1998

Page 7: Data Protection Principles

The Data Protection Act 1998 – ‘The Eight Principles’

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers without adequate levels of protection of data subject’s rights

Page 8: FSA definition of ‘Data’ and ‘Personal Data’

Page 9: FSA Statutory Objectives

• Market confidence: maintaining confidence in the financial system

• Public awareness: promoting public understanding of the financial system

• Consumer protection: securing the appropriate degree of protection for consumers

• The reduction of financial crime: reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime

Page 10: The FSA’s approach to regulation

Risk based compliance

• Large firms = safe?

• Small firms = risky?

Principles based compliance

• No rule to point to

• One size doesn’t fit all

Page 11: Regulatory overlap: FSA v ICO

FSA:

• Statutory objectives

ICO:

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers

Page 12: Regulatory overlap: FSA v ICO

FSA:

• Principles for Businesses

– Principle 3 – Systems and Controls

– Principle 6 – Customers’ Interests

– Principle 10 – Protection of Client Assets

ICO:

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers

Page 13: Regulatory overlap: FSA v ICO

FSA:

• Current initiative – ‘Treating Customers Fairly’

ICO:

• Fair and lawful processing

• Obtained for one or more lawful purposes

• Adequate, relevant and not excessive

• Not kept for longer than is necessary

• Processed in accordance with the data subject’s rights

• Appropriate technical measures to prevent unauthorised access, loss, damage or destruction

• No non-EEA data transfers

Page 14: Stuff the ICO, the FSA is the new data protection regulator!

ICO: £5,000 fine; personal liability for company officers; imprisonment

FSA: unlimited fines; personal liability for Approved Persons

Page 15: ISO 27002:2005 – Code of Practice for Information Security Management

Data Management (centre of the diagram), surrounded by the control clauses:

2. Security Policy

3. Organization of Information Security

4. Asset Management

5. Human Resources Security

6. Physical and Environmental Security

7. Communications and Operations Management

8. Access Control

9. Information Systems Acquisition, Development, Maintenance

10. Incident Management

11. Business Continuity

12. Compliance

Page 16: Would you recognise when you have a data security issue?

Page 17: Their loss is your [potential] loss

• HBOS

• Alliance & Leicester

• Royal Bank of Scotland

• Scarborough Building Society

• Clydesdale Bank

• Natwest

• United National Bank

• Barclays Bank

• Co-operative Bank

• HFC Bank

• The Post Office

• CGNU

• BNPP Private Bank

• Nationwide Building Society

• Capita Financial Administrators

• Merchant Securities Group

…to be continued?

Page 18:

• Steven Harrison

• John Shelvin

• Mail Source/Graphic Data…

Page 19: What is the biggest threat to data security in your firm?

Page 20: The true cost of good data management

How to get senior management buy-in

• Protecting the firm’s reputation – 99%

• Protecting the firm’s assets – 84%

• Improving efficiency/cost reduction – 75%

• Enabling business opportunities – 68%

Source: BERR 2008 Report

Page 21: Where do you go from here?

Page 22: Think laterally, not literally!

• Risk assess

• Draft, implement and test policies and procedures

• Train your staff appropriately

• Read widely from multiple sources, and assess relevance to your firm

Page 23: Further Reading

FSA Data Security in Financial Services Report – April 2008 - http://www.fsa.gov.uk/pubs/other/data_security.pdf

The BERR 2008 Information Security Breaches Survey - http://www.berr.gov.uk/files/file45714.pdf

FSA Enforcement Action Final Notices - http://www.fsa.gov.uk/Pages/Library/Communication/Notices/Final/

Information Commissioner’s Office Enforcement Actions - www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

Information Commissioner’s Office Good Practice Guides - http://www.ico.gov.uk/tools_and_resources/document_library/data_protection.aspx

Page 24: Further Information or Assistance

Email: [email protected]

Web: www.b2bregulatorysupport.co.uk

Tel: 0870 042 1048