1 / 24

Data Protection in Financial Services Are you Seeing the Bigger Picture?

Data Protection in Financial Services Are you Seeing the Bigger Picture?. 17 September 2008. Disclaimer. This presentation does not constitute specific legal advice This talk is to raise awareness – not to solve specific problems Opinions, errors and omissions are the speaker’s alone

thuyet
Download Presentation

Data Protection in Financial Services Are you Seeing the Bigger Picture?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data Protection in Financial Services Are you Seeing the Bigger Picture? 17 September 2008

  2. Disclaimer • This presentation does not constitute specific legal advice • This talk is to raise awareness – not to solve specific problems • Opinions, errors and omissions are the speaker’s alone • This talk is designed to engender discussion about the risks associated with data security within the FSA regulated sector

  3. Why do we keep records?

  4. Data security: security of what?

  5. Rules, rules and more rules… • Data Protection Act 1988 • The Human Rights Act • Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000 • Companies Act • Freedom of Information Act • ….

  6. Data Protection Act 1998 “personal data” means data which relate to a living individual who can be identified— (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Section 1 Data Protection Act 1998

  7. Data Protection Principles • The Data Protection Act 1998 - ‘The Eight Principles’ • Fair and lawful processing • Obtained for one or more lawful process • Adequate, relevant and not excessive • Not kept for longer than is necessary • Processed in accordance with the data subject’s rights • Appropriate technical measures to prevent unauthorised access, loss , damage or destruction • No non-EEA data transfers without adequate levels of protection of data subject’s right

  8. FSA definition of ‘Data’ and ‘Personal Data’

  9. FSA Statutory Objectives • Statutory Objectives • market confidence: maintaining confidence in the financial system; • public awareness: promoting public understanding of the financial system; • consumer protection: securing the appropriate degree of protection for consumers; and • the reduction of financial crime: reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime.

  10. The FSA’s approach to regulation • Risk based compliance • Large firms = safe? • Small firms = risky? • Principles based compliance • No rule to point to • One size doesn’t fit all

  11. Regulatory overlap: FSA v ICO • Fair and lawful processing • Obtained for one or more lawful process • Adequate, relevant and not excessive • Not kept for longer than is necessary • Processed in accordance with the data subject’s rights • Appropriate technical measures to prevent unauthorised access, loss , damage or destruction • No non-EEA data transfers • Statutory objectives

  12. Regulatory overlap: FSA v ICO • Principles for Business • Principle 3 – Systems and Controls • Principle 6 – Customer’s Interests • Principle 10 – Protection of Client Assets • Fair and lawful processing • Obtained for one or more lawful process • Adequate, relevant and not excessive • Not kept for longer than is necessary • Processed in accordance with the data subject’s rights • Appropriate technical measures to prevent unauthorised access, loss , damage or destruction • No non-EEA data transfers

  13. Regulatory overlap: FSA v ICO { • Fair and lawful processing • Obtained for one or more lawful process • Adequate, relevant and not excessive • Not kept for longer than is necessary • Processed in accordance with the data subject’s rights • Appropriate technical measures to prevent unauthorised access, loss , damage or destruction • No non-EEA data transfers • Current initiative – ‘Treating Customers Fairly’

  14. Stuff the ICO, the FSA is the new data protection regulator! ICO: £5,000 fine; personal liability for company officers; imprisonment FSA: unlimited fines; personal liability for Approved Persons

  15. ISO 27002:2005 – Code of Practice for Information Security Management • Risk Management 2. Security Policy 11. Business Continuity 12. Compliance 3. Organization of Information Security 10. Incident management Data Management 9. Information Systems Acquisition, Development, Maintenance 4. Asset Management 5. Human Resources Security 8. Access Control 7. Communications and Operations Management • Physical and Environmental Security

  16. Would you recognise when you have a data security issue?

  17. Their loss is your [potential] loss • HBOS • Alliance & Leicester • Royal Bank of Scotland • Scarborough Building Society • Clydesdale Bank • Natwest • United National Bank • Barclays Bank • Co-operative Bank • HFC Bank • The Post Office • CGNU • BNPP Private Bank • Nationwide Building Society • Capita Financial Administrators • Merchant Securities Group • …to be continued?

  18. Steven Harrison • John Shelvin • Mail Source/Graphic Data • …

  19. What is the biggest threat to data security in your firm?

  20. The true cost of good data managementHow to get senior management buy-in • Protecting the firm’s reputation – 99% • Protecting the firm’s assets - 84% • Improving efficiency/cost reduction – 75% • Enabling business opportunities - 68% Source: BERR 2008 Report

  21. Where do you go from here?

  22. Think laterally, not literally! • Risk assess • Draft, implement and test policies and procedures • Train your staff appropriately • Read widely from multiple sources , and assess relevance to your firm.

  23. Further Reading • FSA Data Security in Financial Services Report – April 2008 - http://www.fsa.gov.uk/pubs/other/data_security.pdf • The BERR 2008 Information Security Breaches Survey - http://www.berr.gov.uk/files/file45714.pdf • FSA Enforcement Action Final Notices - http://www.fsa.gov.uk/Pages/Library/Communication/Notices/Final/ • Information Commissioner’s Office Enforcement Actions - www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx • Information Commissioner’s Office Good Practice Guides - http://www.ico.gov.uk/tools_and_resources/document_library/data_protection.aspx

  24. Further Information or Assistance Email: Elizabeth.Nelson@b2bregulatorysupport.co.uk Website: www.b2bregulatorysupport.co.uk Tel: 0870 042 1048

More Related