Security, Audit and Compliance - Research Paper Example

Summary
This research paper "Security, Audit and Compliance" focuses on measures that have to be enforced to ascertain that the use of different forms of data processing like the closed-circuit television, does not infringe on the rights of the data subjects, by ensuring the proper handling of the data. …

Extract of sample "Security, Audit and Compliance"

SECURITY, AUDIT AND COMPLIANCE

Table of Contents
Table of Contents
Basic definitions
Abstract
Introduction
Literature review
Principles of the Data Protection Act 1998 on business
The impact & interaction with other related standards and requirements (e.g. ecommerce rules)
The success of the enforcement of the laws
Data analysis
Limitations of the UK personal data protection laws
Discussion of findings
Conclusion
Recommendations
Bibliography

Basic definitions
1. Monetary penalty notice: a notice compelling an offender to pay a particular amount of money decided by the Information Commissioner, as specified in the notice. The notice is imposed when the data controller has seriously contravened the Act (Great Britain 2012: 4).
2. Data Protection Act (DPA): defines the ways in which information about people is legally handled. The intention is to protect individuals against abuse of information about them. It is enacted by the UK Parliament (Great Britain 2012: 4).
3. Information Commissioner's Office (ICO): an independent government authority which enforces compliance with the Act.
4. Data controller: a person who determines how personal data is processed. The data controller may be either a legal or a natural person (Bott 2005: 183).
5. Personal data: data relating to a living person, read together with other information in the possession of the data controller.
6. Data subject: the person who is the subject of the personal data (Bott 2005: 183).
7. Data: information being processed by means of equipment operating automatically in response to a set of instructions given to it (Portela & Cruz-Cunha 2010: 296).
8. Processing: the whole process of acquiring, recording or storing the facts and doing operations on them (Bott 2005: 183).

Abstract
The increasing challenges in the flow of information call for a rigid mechanism for regulating the exchange of personal data. Measures have to be enforced to ascertain that the use of different forms of data processing, such as closed circuit television (CCTV), does not infringe on the rights of the data subjects, by ensuring proper handling of the data. To this effect, the Data Protection Act (DPA) 1998 of the UK was enacted. Data controllers are required to adhere strictly to this Act. Sections 55A to 55E of the Act allow the Information Commissioner to issue a monetary penalty notice to data controllers who breach the regulations of the Act. The principles of the Act guide data controllers on how to manage the data. However, the data protection laws alone may not effectively apply to businesses making use of CCTV surveillance. General sound recorded by CCTV in public, though intrusive, is not considered personal data and is therefore not covered by UK case law. The motivation for the formation of the Act was to regulate the handling of data, which has been successful despite a few shortcomings. It is recommended that the Act be amended to close the gaps regarding the handling of CCTV data. Advances in telecommunications technology indicate that surveillance will continue to improve. These improvements will mean that data controllers face an uphill task in containing the challenges that result from them.

Introduction
Data forms a critical part of any organization. Precautions, therefore, have to be taken on how data is handled and managed, bearing in mind that some data is personal, and its owners have rights to protection against unauthorized access to their data. This paper reports on how the management of a business should implement data protection in the UK in accordance with the principles, issues and impacts of UK data protection law. These are aspects outlined in the Data Protection Act 1998. Contravention of the Act may result in the issuance of a monetary penalty notice to the data controller by the Information Commissioner. The focus is a restaurant/pub business which has a social media presence and uses CCTV for security reasons. The Information Commissioner's duty is to ensure that data controllers observe good practice regarding data processing, as well as to disseminate information on the working of the policy. The Commissioner is required to present a general report to each House of Parliament showing his or her exercise of powers under the Act. The question of which country's data protection applies arises when information is exchanged between people in two different countries. The Act responded to this issue by installing rigid mechanisms preventing data transfer to a country outside the EEA unless that country has strong data protection strategies. The UK maintains high standards of ensuring proper compliance with the data protection laws.

Literature review
Surveillance is a paramount security measure for any business or institution. The development of CCTV has made it the main system in use in many public places and businesses such as restaurants and pubs. In this report, the CCTV system is explained and analysed to establish its effectiveness and how data controllers are required to manage it, in compliance with the principles of the DPA. The DPA 1998 requires businesses employing CCTV surveillance to put up signs indicating the presence of the surveillance, stating its purpose and giving the contact details of the data controller. This is to ensure that people visiting the business can exercise their right to access the CCTV surveillance footage. The report seeks to establish the compliance of a business using CCTV surveillance with the principles of the personal data protection laws in the UK.

Principles of the Data Protection Act 1998 on business
The Data Protection Act 1998 (DPA) comprises eight principles, all aimed at regulating how businesses handle the data of their customers (Bott 2005: 182). The first principle ensures that personal data is processed in a lawful and fair way. In compliance with this principle, the managers of this restaurant/pub should keep proper custody of the CCTV footage and ensure that no third parties access this data, unless the data has to be given to police officers in the course of tracking down suspects. The entire process has to be lawful. The second principle strictly requires the business to obtain personal data only for lawful reasons. In the restaurant/pub business, the data will be obtained for security reasons. Further, the principle dictates that the obtained personal data should only be processed in a way compatible with that purpose. Using the personal data for other reasons can only be done with the consent of the data subject or when a competent body grants that permission. This means that if the personal data of members of the public visiting the restaurant/pub is being collected for security reasons, then it should not be used for distribution or sharing with other parties (Kobsa 2001: 301-313). The third principle sheds light on the sufficiency and relevance of the personal data. The purpose for processing the data should not be exceeded. In the case of the restaurant/pub, CCTV data should only be collected at the most suitable points, without unduly infringing on the customers' privacy, and should be processed only for security purposes. Accuracy of the personal data is emphasised in the fourth principle. In the restaurant/pub, the personal data should be kept up to date, to enhance retrieval of the data during processing. This way, the credibility of the data is guaranteed. The length of time for which personal data is stored is defined in the fifth principle. It clearly states that personal data should be stored by the business only for the required time, after which it should be removed from the database. In the case of the restaurant/pub, the monitoring of customers by CCTV should be for a specific duration of time, meaning that expiry of the information would call for its clearance from the system memory. This simplifies the work involved and makes it easy to trace the particular staff member who was in charge of a particular monitoring session if need be. Processing of personal data should be done in accordance with the rights of data subjects under the Act, in line with the sixth principle. This is meant to ensure individual participation. The management of the restaurant/pub should notify customers and visitors to the place of the data collection. The notification can be done by strategically placing notices which warn visitors to the restaurant/pub of the CCTV surveillance within the facility. This principle gives data subjects the right to demand correction of any incorrect or misleading data. Security of the personal data is taken care of by the seventh principle of the Act. Security steps should be taken to prevent any accidental or unauthorized access, alteration, disclosure or even damage to the personal data. Compliance with this principle by the management of the restaurant/pub will ensure that the customers' right to data confidentiality is upheld. The authority to destroy the personal data can only be given by the management. The eighth principle prohibits transfer of personal data to a nation or region outside the European Economic Area (EEA). The transfer can only be allowed if the country has rigid mechanisms for protecting the rights and freedoms of data subjects when it comes to data processing. The patrons of this restaurant/pub should, therefore, be guaranteed the privacy of their personal data as long as it operates within the EEA. The customers of the restaurant/pub should enjoy the use of social media on the premises knowing that the data collected by the CCTV is confidential and protected by the Act (Fromholz 2000: 461).

The impact & interaction with other related standards and requirements (e.g. ecommerce rules)
The Electronic Commerce Regulations 2002 outline how retailers and consumers should relate online as far as the provision of information is concerned. The regulations specify the information that consumers from the 27 EU (European Union) countries should receive from online retailers or service providers. Retailers should be wary of the implications of violating the regulations discussed below, which follow the e-commerce directive. Retailers must provide the technical steps to be followed by consumers when placing an order. This is meant to protect the consumer from misleading information which may result in him/her losing transaction money. The retailer has to provide clear information on the terms and conditions of making a contract with the consumer. The directive further requires the retailer to provide the data in a form which can be reproduced and stored. This will ensure that the purchaser is bound by the terms and conditions, thus giving protection to the vendor. Clear information on pricing should also be provided by the retailer or service provider. The consumer needs to understand whether the indicated cost includes taxes and shipping or not. The name of the retailer/service provider, an email address and the geographical address have to be provided so that the consumer can contact the retailer/service provider with ease. The retailer/service provider is also required to acknowledge the order by electronic means and provide information on how to amend errors which could be made during the ordering process. Membership of the retailer/service provider in any professional association, with all membership details, needs to be provided. In the case of a company, its registration number should also be provided. A website also needs to have a disclaimer informing users of the website whether and when cookies are used. This is important because cookies can gather personal information relating to users without their knowledge and therefore without their agreement. This is unfair since it is in breach of the data protection principles. Making it known that the site uses cookies gives the user the option of accessing the site or not. Therefore, if the user goes ahead and uses the site, he/she will be considered to have given consent. Breach of any of these requirements will be considered a breach of a statutory duty. Missing information on how the consumer can amend errors in an order may render the contract void.

The success of the enforcement of the laws
This will be better achieved through harmonization of the data protection law with technical standards, to improve the market-based and self-regulatory efforts for improving compliance throughout the ICT networks subject to EU law. Full implementation of this data protection law will ensure that data subjects are well protected and their privacy guaranteed. In accordance with the principles of the DPA discussed above, data subjects will be able to access public places like the restaurant/pub at ease, without fear of suspicion and unnecessary monitoring of their movements. The other benefit will be that suspects will avoid such places, since they will be aware of the surveillance there, and this will help to minimize crime in highly populated public places. The police department, on the other hand, will have an easy time maintaining security, since they will be able to use the available data from these searchable databases to track down suspects for a committed crime. Amendments to the directive on privacy and electronic communications have obliged telecoms operators to inform supervisory authorities and their customers of any data breaches. This has resulted in an increase in the reporting of data breaches by data controllers.

Data analysis
The UK, and especially the capital city London, has recorded a tremendous increase in the employment of CCTV surveillance. Restaurants and pubs have not been left behind in the use of these systems. The installation of many CCTV systems followed the IRA's terrorist attack on Bishopsgate in 1993. As a result, extensive CCTV coverage has been achieved in public car parks at Heathrow and Stansted, replacing the dummy cameras which were there initially. The information collected from the cameras is stored in a remotely accessible computerised database (McCahill & Norris 2002: 9). The massive use of CCTV systems calls for a keen eye to ensure compliance with the data protection laws. It would be more effective if personnel were instantly deployed to the area of a commotion as captured by the cameras.

Limitations of the UK personal data protection laws
Although the law seeks to protect data subjects as outlined by the eight principles above, there are particular limitations regarding the integration of CCTV surveillance into the data protection laws. This means that data protection laws alone may not be sufficient for regulating businesses making use of CCTV surveillance technology (Kobsa 2001: 301-313). Recording of general sound out in public by CCTV microphones may not be considered personal data, though intrusive. It is not, therefore, covered by the UK laws on personal data protection, simply because it does not focus on any particular individual in accordance with UK case law. On the other hand, CCTV loudspeakers are not used to process personal data and are therefore not covered by the data protection laws. The failure of the protection law to apply to these loudspeakers poses a threat to the right to be left alone. The data collected may later be used to identify, track and profile an individual, even if RFID (Radio Frequency Identification) microchips are not linked directly to an identified individual. Advanced data mining techniques and group profiling also pose a threat that the data protection principles are unable to address. Data protection laws also fail to apply in the case of encrypted data. The principles of data protection alone, therefore, fail to address the potential impacts and threats of public surveillance technologies. This creates the need for lawmakers to assess how the observation of public places like the restaurant/pub using CCTV surveillance systems poses a threat to the right to exercise freedom of assembly and speech.

Discussion of findings
The aim of round-the-clock surveillance will be well met if the data captured is processed in accordance with the requirements of the data protection laws. If these are violated, data controllers may face sanctions from the Information Commissioner. Sanctions will be imposed on anybody who violates the principles laid down in the Act. The magnitude of the sanction, however, depends on the magnitude of the violation. The sanctions which can be imposed for breach of data protection legislation include administrative fines. These fines are imposed on data controllers. The Information Commissioner for the UK has the authority to fine a data controller up to GBP 500,000 (Kuschewsky & Geradin 2014: 69-102). The other is a criminal fine: in the UK, breach of data protection legislation is punishable by an unlimited fine. Imprisonment is another possible sanction for violators of the legislation. The government of the UK is presently considering a possible two-year imprisonment for violators of the legislation. Other formal sanctions include confiscation of the media used to store the data, deletion of the personal data or even a ban on processing of the personal data. Finally, there are informal sanctions, in which case the UK Information Commissioner requires a number of data controllers to announce to the public that they will not repeat the mistake of breaching the UK Data Protection Act.

Conclusion
Data protection laws in the UK are meant to govern the operations of businesses and institutions in an effort to protect members of the public from improper handling of their personal data. This has not been without the challenge of improper notification by some businesses, for instance the failure by managers to put up proper signage for CCTV surveillance. To some extent, members of the public may feel that they are denied their freedom of association and expression by the monitoring of the ubiquitous cameras. Data controllers in business have no choice but to comply with the guidelines provided by the principles of the Data Protection Act. The DPA has enabled the UK to manage the voluminous data collected from the millions of CCTV surveillance cameras all over the country. The data controllers in the various settings have contributed a great deal to the success of the implementation of the data protection laws. Monitoring of criminal activities has been made easy, and prompt deployment of officers to areas of suspicion has given the UK value for its large investment in surveillance systems.

Recommendations
Due to the increased need for surveillance, especially in public places like the restaurant/pub, improvements to surveillance systems and adjustments to personal data protection have to be made (Raty 2010: 493-515). For instance, there is a dire need to embrace the latest technologies in the surveillance world. The restaurant/pub will need to take advantage of new devices which have been made available in the computing and telecommunications industries. The devices are based on wireless telephony technology, and the newly available GPS (Global Positioning System) and Geographical Information Systems (GIS), to provide much greater surveillance potential. In the near future, CCTV surveillance should be perfected to keep up with social trends towards greater improvement in the security of public places. Surveillance information pertaining to data subjects will need to be circulated more efficiently and faster to keep up with the increasing cases of insecurity, especially in pubs. In future, CCTV surveillance systems need to be more computerized and should make use of larger image databases, as well as image-recognition software. Use of sophisticated image recognition software will help to identify individuals and match them against details stored in the database. A system under test is Virtual Interactive Policing (VIP), enabling police officers to monitor the crowd and match their faces against images stored in the database of known offenders. Integration of neighbouring CCTV systems will make it possible to share space and personnel. Advances in computerization and the integration of different CCTV systems should create much more intelligent systems than the current ones. Since personal data will continue to be processed for both lawful and unlawful reasons, there is a need for instruments to enhance visibility and knowledge of how personal data are used. There is also a need for clear information on who is collecting the data, for what reason, and to whom the data will be disseminated. There are also recommendations that a more uniform approach should be taken to supervisory authorities' powers, including granting the supervisory authorities the authority to levy fines on data controllers and processors in breach of the Data Protection Act (Büllesbach 2010: 111).

Bibliography
BOTT, F. (2005). Professional Issues in Information Technology. Swindon, British Informatics Society. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=393437
BÜLLESBACH, A. (2010). Concise European IT Law. Alphen aan den Rijn, The Netherlands, Kluwer Law International.
FROMHOLZ, J. M. (2000). The European Union Data Privacy Directive. Berkeley Technology Law Journal, 15, 461.
GREAT BRITAIN. (2012). Data Protection Act 1998: Information Commissioner's guidance about the issue of monetary penalties prepared and issued under section 55C(1) of the Data Protection Act 1998. London, Stationery Office.
KOBSA, A. (2001). Tailoring Privacy to Users' Needs. In User Modeling 2001 (pp. 301-313). Springer Berlin Heidelberg.
KUSCHEWSKY, M., & GERADIN, D. (2014). Data Protection in the Context of Competition Law Investigations: An Overview of the Challenges. World Competition: Law and Economics Review, (1), 69-102.
MCCAHILL, M., & NORRIS, C. (2002). CCTV in London. Report deliverable of the UrbanEye project.
PORTELA, I. M., & CRUZ-CUNHA, M. M. (2010). Information Communication Technology Law, Protection and Access Rights: Global Approaches and Issues. Hershey, PA, Information Science Reference.
RATY, T. D. (2010). Survey on contemporary remote surveillance systems for public safety. IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, 40(5), 493-515.
(Security, Audit and Compliance Research Paper Example | Topics and Well Written Essays - 3250 words, n.d.)
Security, Audit and Compliance Research Paper Example | Topics and Well Written Essays - 3250 words. https://studentshare.org/information-technology/1842834-security-audit-and-compliance
