...Watson Hall: UK data retention requirements (information data retention and disposal)
Watson Hall Ltd, London 020 7183 3710, Edinburgh 0131 510 2001, info@watsonhall.com, www.watsonhall.com

Each type of data within an organisation should be identified and classified. Once this has been completed, and again during periodic reviews, it is necessary to define the retention and disposal policy. Business data records should be assessed for their statutory and legal requirements, their business and accountability requirements, and the risks associated with keeping or disposing of the records. A records management system, or a schedule of data retention criteria, can be used to document the data records, the requirements, and the security controls needed for their identification, storage, protection, retrieval, retention and disposal.

There are a large number of statutes, case law and regulations defining how long some data must be kept before it is destroyed, some of which are outlined on the following pages. A few requirements, such as records of wages, apply to almost all sectors, but we have listed some specific requirements for the communications, financial and governmental sectors. Other sectors have equally important requirements. The exact minimum retention period varies with the specific data type, and the starting date is often context related, e.g. the period runs from an event such as an accident, a retirement or the advertisement of a product. This document is based on the previous work...
...Data Protection Act 1998: The Principles explained

Introduction
There are eight guiding principles in the Data Protection Act 1998 (DPA) which the council must adhere to when processing personal data. The DPA defines processing as obtaining, organising, adapting, accessing, using and deleting personal data.

1. First Principle: "Personal data shall be processed fairly and lawfully"
To comply with the first principle, at least one of the following conditions from Schedule 2 must be met whenever personal data is processed:
1. The data subject has given their consent.
2. The processing is necessary
   a. for the performance of a contract to which the data subject is party, or
   b. for the taking of steps at the request of the data subject with a view to entering a contract.
3. The processing is necessary to comply with a legal obligation.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary for the administration of justice.
6. The processing is necessary for the legitimate interests of the data controller (except where unwarranted because of prejudice to the rights or legitimate interests of the data subject).

2. Second Principle: "Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes"
To comply with the second principle, the council must inform the Information Commissioner of all the purposes for which it processes personal...
...Data Protection Act

The Data Protection Act is a law designed to protect personal data stored on computers or in an organised paper filing system. Businesses, organisations and the government use computers to store information about their customers, clients and staff in databases, for example:
• Names
• Addresses
• Contact information
• Medical history, etc.

Principles
1. Data is to be used fairly and lawfully.
2. It should be used only for limited, specifically stated purposes.
3. It should be adequate, relevant and not excessive.
4. Data should be accurate and kept up to date.
5. Personal data should not be kept for longer than is necessary.
6. Data shall be processed and handled according to the data subject's data protection rights.
7. It should be kept securely and safe.
8. It should not be transferred outside the European Economic Area without adequate protection.

Freedom of Information Act
The Freedom of Information Act governs access to official information. It gives people and organisations the right to ask for information from public authorities, which include central and local government, the police, the NHS, colleges and schools. The authorities then have up to 20 working days to provide the information that has been...
...Data Protection and Recovery

There are several ways to protect our data, such as having a good firewall to prevent attacks on our network. If we are looking for a stronger way to protect the data, the server can grant access only by MAC address: only local computers on the network will then be able to access the information, and if the server does not recognise the MAC address it will not share the information. This is one way to protect the data, and it can be combined with any other method.

Data corruption: storing data on any server can lead to corruption at any time. Windows Server or third-party software can both cause corruption, and there is no method that prevents it 100%, which is why always having a backup of all information is the only way to be sure our data is safe from corruption. To make sure data can be recovered safely and quickly, it is important to have a backup server or a RAID system so that all our data is duplicated. Nowadays it is not safe to rely on only one backup method, so I would also recommend a cloud backup system. These backup systems can cost a lot of money, but data loss can lead to the end of any company.

My way of handling the backups would be to have a central data server to which all the information is sent. This data server would have a RAID setup, where all the data is duplicated; with the RAID system the duplication completes in real time...
...Data Protection: what is this Act, and what is it for?

It controls how your personal information is used by organisations, businesses or the government. It also imposes restrictions on the transfer of data, including placing material on the web. Everyone responsible for using data has to follow strict rules called the data protection principles; they must make sure the information is:
* used fairly and lawfully
* used for limited, specifically stated purposes
* used in a way that is adequate, relevant and not excessive
* accurate
* kept for no longer than is absolutely necessary
* handled according to people's data protection rights
* kept safe and secure
* not transferred outside the European Economic Area without adequate protection

There is stronger legal protection for more sensitive information, such as:
* ethnic background
* political opinions
* religious beliefs
* health
* sexual health
* criminal records

The principles as stated in the Act:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant...
...FXT2 Task 2 Follow-Up re: Human Resources Data Modification

1. Identify areas that were not addressed by the IT staff's response to the incident.
Based on the narrative, the only corrective measure the company implemented was PKI. As noted in the original evaluation, several areas need to be addressed:
* Climate/culture of the organization
* Employee training for social engineering attacks
* Positive identification of employees when granting role-based access
* Vulnerabilities within and without the network, specifically to sniffers and eavesdropping
* The ease with which the employee changed his pay rate, indicating a single system used for HR profiles rather than segregated duties and systems
* The PKI that was installed only addressed the HR system, rather than the entire organization
Honestly, the whole environment at this company needs a complete evaluation and overhaul!

2. Outline the other attacks mentioned in the scenario that were not noticed by the organization.
* Social engineering
* Sniffing/eavesdropping
* Unauthorized privilege escalation
* Network penetration
* Spoofing

a. Describe the nature of the attacks not noticed by the organization.
By "the nature of the attacks" I interpret this to mean the source of the attacks, or the skill set required to carry out the attacks. I believe this employee was tenured based on their ability to:
* Hack into the HR system
* Successfully intercept the email from...
...Abuse is Suspected

Appropriate Responses When Child Maltreatment or Abuse is Suspected
By Victoria Rothwell

This is a guide aimed at professionals, setting out the appropriate responses for a professional to follow if a child is being maltreated or if abuse is suspected to be taking place. It includes the procedures to follow when maltreatment is considered, suspected, confirmed or excluded, the roles and responsibilities of the professionals, and how to respond to direct or indirect disclosure.

Contents
Procedures where maltreatment is considered, suspected, confirmed or excluded:
* Whistle blowing
* Reporting arrangements
* Security of records
* Sequence of events leading to registration on the child protection register or care proceedings
Roles and responsibilities:
* Following policies and procedures
* Observing children and their families and their interaction
* How to respond if maltreatment is suspected
* What action to take following disclosure
* Maintaining confidentiality
Responding to direct or indirect disclosure:
* Listening skills
* Communicating with the child at their own pace and taking them seriously with unconditional acceptance
* Reassuring and supporting
* Dealing with your own feelings

Procedures where maltreatment is considered, suspected, confirmed or excluded

Whistle Blowing
This happens within an organisation, such...
...Data Protection Act 1998

The Data Protection Act controls how your personal information is used by the government, organisations and businesses. It is the main piece of legislation that governs the protection of personal data in the UK. There are strict rules that must be followed by everyone responsible for using data. These rules are called the 'data protection principles':
* The data should not be kept for longer than is necessary
* It should only be used for the specific purpose and nothing more
* It must be used fairly and lawfully
* It must be used in a way that is adequate, relevant and not excessive
* It must be kept safe and secure
* It must be handled according to people's data protection rights
* It must not be transferred outside the European Economic Area without adequate protection

There is stronger legal protection for more sensitive information, such as:
* ethnic background
* political opinions
* religious beliefs
* health
* sexual health
* criminal records

The Data Protection Act gives any person the right to know what information the government or other organisations hold about them. People can send a letter to the organisation in question and ask what information it holds about them; the organisation is legally required to give a copy of that information to the person who asked for it. However, there are some exceptions, such as:
* the prevention, detection or investigation of a crime
* national...
...Outline: Database 2, Data Protection for Business Continuity
Topics: Introduction; Motivation; Recovery Objective; Data Protection Techniques; Classes of Data; Mapping of Company Size, Classes of Data, and Techniques
Denny (denny@cs.ui.ac.id), International Bachelor Program, Faculty of Computer Science, 2004/2005, Version 1.0 - Internal Use Only (slide footer DB2/DP/DN/V1.0/2)

Introduction: why do we need data protection?
Slide: September 11, 2001. 100 megabytes of data = more than US$ 1 million. Data protection.
Why do we need data protection? Causes of unplanned outages (Disaster Recovery Journal, 2001).
Why do we need high data availability? 1 hour of downtime can cost US$ 6.5 million.
Why do we need high data availability? Globalisation.
Data Protection and Business Continuity: in this topic we will see techniques to protect data and ensure business continuity when a disaster occurs.

Recovery Objective
Timeline figure: last backup -> disaster occurred -> system back to operation. The interval from the last backup to the disaster is the data loss (Recovery Point Objective, RPO); the interval from the disaster until the system is back in operation is the Recovery Time Objective (RTO).

Data Protection Techniques: Overview
1. Vaulting: physical (backup to tape); electronic (backup over the Internet)
2. Server fortification: RAID (same copies, or split into several disks); dual power supplies
3. Network cluster
4. NAS: independent disks connected directly to the network
5. SAN: a network...
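The slides list RAID under server fortification as "same copies, or split into several disks", and the essay earlier on this page plans to rely on a RAID server for real-time backup. The following is an added example, not code from the slides or from that essay, that models both RAID flavours in memory to show exactly what each one survives: a lost disk is recoverable from the survivors, but a bad write is striped or mirrored faithfully and only a backup taken before it (the RPO point on the timeline above) can bring the original back. "Disks" are Python bytearrays, STRIPE_UNIT and SAMPLE are assumptions chosen for readability, and all data is constructed.

```python
"""Added example: RAID 1 mirroring and RAID 5 striping with rotating XOR parity,
modelled over in-memory 'disks' (bytearrays). Constructed data only."""
from functools import reduce

STRIPE_UNIT = 4  # bytes per chunk per disk (assumption: tiny so stripes are visible)
# Constructed sample payload; not real records.
SAMPLE = b"Payroll export, last backup 2001-09-10; 41 records follow."


def xor_bytes(*chunks: bytes) -> bytes:
    """Bytewise XOR of equal-length chunks."""
    return bytes(reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks))


def mirror_write(data: bytes) -> list:
    """RAID 1: every byte is written to both disks."""
    return [bytearray(data), bytearray(data)]


def raid5_write(data: bytes, n_disks: int) -> list:
    """RAID 5: each stripe holds n_disks-1 data chunks plus one parity chunk
    (XOR of the data chunks); the parity position rotates every stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_disks = n_disks - 1
    stripe_bytes = data_disks * STRIPE_UNIT
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks = [bytearray() for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        stripe = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        chunks = [stripe[i * STRIPE_UNIT:(i + 1) * STRIPE_UNIT] for i in range(data_disks)]
        parity_pos = s % n_disks
        it = iter(chunks)
        for d in range(n_disks):
            disks[d] += xor_bytes(*chunks) if d == parity_pos else next(it)
    return disks


def raid5_read(disks: list, length: int) -> bytes:
    """Reassemble the logical data, skipping each stripe's parity chunk."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // STRIPE_UNIT):
        parity_pos = s % n_disks
        for d in range(n_disks):
            if d != parity_pos:
                out += disks[d][s * STRIPE_UNIT:(s + 1) * STRIPE_UNIT]
    return bytes(out[:length])


def rebuild_disk(disks: list, failed: int) -> bytearray:
    """Any one disk equals the XOR of all the others: within a stripe the data
    chunks XOR the parity chunk is zero, whichever position held the parity."""
    survivors = [bytes(d) for i, d in enumerate(disks) if i != failed]
    return bytearray(xor_bytes(*survivors))


def survives_disk_loss(data: bytes, n_disks: int, failed: int) -> bool:
    """Lose one disk entirely, rebuild it from the survivors, read the data back."""
    disks = raid5_write(data, n_disks)
    disks[failed] = bytearray(len(disks[failed]))   # the failed disk reads as zeros
    disks[failed] = rebuild_disk(disks, failed)      # hot-spare style rebuild
    return raid5_read(disks, len(data)) == data


def survives_corrupt_write(data: bytes, corrupt: bytes, n_disks: int) -> bool:
    """A bad write (bug, ransomware, operator error) replaces `data` on the array.
    Parity is recomputed consistently and both mirror copies take the write, so
    the array can only return the corrupted bytes. True only if `data` is still
    readable from the array alone, which it is not."""
    striped = raid5_write(corrupt, n_disks)
    mirrored = mirror_write(corrupt)
    return raid5_read(striped, len(corrupt)) == data or bytes(mirrored[0]) == data


if __name__ == "__main__":
    print("disk loss survived:", survives_disk_loss(SAMPLE, 4, 1))
    bad = SAMPLE.replace(b"2001-09-10", b"XXXX-XX-XX")
    print("corrupt write survived:", survives_corrupt_write(SAMPLE, bad, 4))
```

The rebuild works the same way whichever disk is lost because the parity position rotates per stripe but every stripe still XORs to zero; that is the property a real RAID 5 controller relies on. The second function is the caveat: redundancy protects availability against hardware failure, while the RPO on the timeline is set by the last backup, not by the array.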
...dissemination of data on the internet, guidelines enacted to protect data security have to undergo a lengthy process and several amendments to effectively address problems that may arise from data breaches involving data subjects and organizations. Such is the case for the Philippine Data Privacy Act of 2012 and the EU Data Protection Directive of 1995, which have both undergone reforms to keep up with the evolving demands of data security. This research aims to examine how the newly revised policies of the Philippine Data Privacy Act of 2012 and the European Union's new data protection framework would affect issues of data protection as business relationships...
...Introduction

Generally, e-business (electronic business) is running a business on the internet. It is not only buying and selling but also providing services to customers and collaborating with business partners. The first to use this term was IBM, when it launched a thematic campaign around it in October 1997. In recent years, many companies have been rethinking their business in terms of the new culture and capabilities of the Internet. They are using the Web to buy supplies from suppliers, to run sales promotions, and to do marketing research. In order to understand the moral, ethical and legal issues, it is necessary to fully understand the advantages and disadvantages compared to traditional business (The Economist, 2000b). For buyers, the main advantage is that the sale price will be 9% - 16% lower than in a brick-and-mortar store (Varian, 2000). Other factors, such as the vast range of goods and services on offer, are also benefits. However, there is a drawback for some people: the cheaper prices are only superficially an advantage, because online shopping cannot provide them with gratifying social contact. For the seller, there are two significant advantages which should not be forgotten: interactive communication with users and the collapsing of distance. Companies do not have to pay the higher rent for retail stores and warehouses, and most e-business companies use computers to cut the cost of employees' wages. Companies do not have to wait for cash as they...
...Section 6. Disaster recovery procedures

For any disaster recovery plan, the following three elements should be addressed.

Emergency Response Procedures: to document the appropriate emergency response to a fire, natural disaster, or any other event, in order to protect lives and limit damage.
Backup Operations Procedures: to ensure that essential data processing operational tasks can be conducted after the disruption.
Recovery Actions Procedures: to facilitate the rapid restoration of a data processing system following a disaster.

Disaster action checklist
1. Plan Initiation
   a. Notify senior management
   b. Contact and set up the disaster recovery team
   c. Determine the degree of the disaster
   d. Implement the proper application recovery plan, dependent on the extent of the disaster (see Section 7. Recovery plan, mobile site)
   e. Monitor progress
   f. Contact the backup site and establish schedules
   g. Contact all other necessary personnel, both user and data processing
   h. Contact vendors, both hardware and software
   i. Notify users of the disruption of service
2. Follow-Up Checklist
   j. List teams and the tasks of each
   k. Obtain emergency cash and set up transportation to and from the backup site, if necessary
   l. Set up living quarters, if necessary
   m. Set up eating establishments, as required
   n. List all personnel and their telephone numbers
   o. Establish a user participation plan
   p. Set up the delivery...
...Kudler Fine Foods' Information Needs

Kudler Fine Foods has a significant starting platform for its key business and information needs. With three stores, and the profitability to increase that number in the future, it is necessary to evaluate Kudler Fine Foods in order to facilitate any technology changes needed to decrease the chance of growing pains in the foreseeable future. Keeping Kudler Fine Foods in a competitive position through technological growth will allow the company to expand and persevere in hard economic times. Kudler Fine Foods has three stores that are all connected through a dedicated T3 line. This allows all stores to remain in proper communication with one another and helps each store assist the others when needed.

Strengths
Kudler Fine Foods has many strengths in its information systems. The Retail Enterprise Management System (REMS) that Kudler Fine Foods received from Smith Systems Consulting laid the groundwork for an effective information system; however, there are areas in need of improvement. The REMS came with a General Ledger module, an Accounts Payable module, a Point of Sale module, a Bank Reconciliation module, and installed backup generators to assist in times of power failure. Kudler Fine Foods also has a dedicated T3 line that connects all three of its stores. This line allows effortless communication between administration and the stores, so that information is available quickly and easily when needed.

Weaknesses...
...Corporation, incorporated on April 19, 1988, is a provider of security, backup and availability solutions. The Company's products and services protect people and information in any digital environment, from the smallest mobile device, to the enterprise data center, to cloud-based systems. The Company's software and services protect against advanced threats independent of the device and environment in which information is used or stored. The Company operates in three segments: User Productivity & Protection, Information Security, and Information Management.

User Productivity & Protection
The User Productivity & Protection segment focuses on keeping customers protected at home and at work. Its products include the Norton solutions, endpoint security and management, encryption, and mobile offerings. The Norton products help customers protect against increasingly complex threats and address the need for identity protection, while also managing the growth in mobile and digital data such as personal financial records, photos, music, and videos. The endpoint security and management offerings support the evolving endpoint, providing advanced threat protection while helping reduce cost and complexity. The mobile solutions help organizations secure corporate data while gaining visibility into and control of all mobile platforms and enforcing...
...team usually does not know the business processes; it will focus its efforts on specific threats and technology and then be unable to justify the need for new security products. Business personnel, on the other hand, know their processes and which data is important to them, but most likely have little knowledge of the technology supporting those processes.

• What will they do? They should be able to establish that protecting data is the primary goal of Yummy Good Treats, and that all of the people, processes, hardware, software and other technology are tools used to view or modify that data.
• What are the expected outcomes? Once the assessment is understood and the sensitive data elements are identified, it is time to bring the teams together to link the business processes that access the sensitive data with the technology used to support those processes, and to evaluate where risks are present. Once this is complete, the teams can define and evaluate controls that are appropriate for the protection of the data.
• What will be done based on the outcomes? Once the sensitive data elements and the needed security controls are identified, the teams can define and evaluate new controls that are appropriate for the protection of the data.
• Why is this step important in the risk assessment? I consider this step to be very important because it is the step where all the assets are identified so that they can be properly secured.

3) Evaluate the importance of the organization's...