ISSUE 4, NOVEMBER 1998

The New Data Protection Act

How the British Standard BS7799 can help you comply
By Kerry Davies, Managing Director, Echelon Consulting Ltd

Who'd be a pension system trustee or administrator?

So many regulations, so many rules, so much best-practice to try and meet, so many penalties for getting it wrong, or worse, not doing it at all.

Just when you thought you had got to grips with the Pensions Act 1995, along comes a whole new raft of legislation and fundamental changes to the way you do business: the adoption of EMU (from 1 January 1999), the new Data Protection Act 1998 (which became law on 24 October) and a world-wide computer problem known as the millennium bug, which looks like it could consume your entire IT resource until well into the new century!

So the last thing you really need to hear is that your pension system must comply with the new Data Protection Act and that the penalties for not meeting the Act include heavy fines and even imprisonment.

Some people may have tried to advise you that pension systems are actually exempt from the requirements of the new Data Protection Act. However, any payroll/pension system which performs calculations such as the retirement date of its members or uses the data for any other purpose is most definitely subject to the Act.

So that's all of them, isn't it! So how are you going to make sure that you comply with the new Data Protection Act?

At a conference on the Data Protection Act 1998 in London in October, Elizabeth France (the Data Protection Commissioner, née Registrar) stated that the evidence her office would require to prove any sizeable organisation is compliant with Article 17 of the new Data Protection Act would be Certification against the commercial information security standard BS7799. In case you are not fully familiar with Article 17 of the new Act, it makes the Data Owner responsible for the protection of that data, whether it be in paper or electronic format. Failure to take adequate precautions to protect that data can result in fines or, for the worst breaches, imprisonment.

Apart from being the only guaranteed way of demonstrating compliance with the Act, British Standard BS7799 is a very good way of making sure that your organisation is adopting best security practice, and that the organisational IT strategy is not just right for the operational needs of the organisation but also allows the users to behave securely. Remember, most people in your company want to work securely, but if you have never trained them to see that practices such as sharing passwords, leaving filing cabinets unlocked and leaving personnel files on desks overnight are insecure, then you cannot legitimately complain when sensitive information is accidentally or deliberately released outside the organisation.

There have been several quite public occurrences of 'Expression of Wish' forms being released to newspapers, to the embarrassment of the individuals concerned and the financial chagrin of the pension organisations concerned. In future, if such things happen, the civil case brought by the individual will be accompanied by a civil prosecution by the Data Protection Commissioner and, for the most flagrant breaches, possible criminal charges for which the data owner can face imprisonment.

Many commercial companies and pension fund organisations have to juggle the conflicting demands of running a successful organisation with meeting the challenges of technological change, best practice targets and numerous legislative requirements.

A straw poll Echelon conducted earlier this year indicated that pension organisations are feeling stretched with so many demands on them and are having to prioritise the way in which they deal with these different areas. The order of priority appeared to be:

  1. Pensions Act
  2. Year 2000 (Y2K)
  3. EMU and single currency issues
  4. I.T. Strategy (including Intranet and Internet strategy)
  5. Data Protection Act
  6. Security (including BS7799 compliance and Certification)

As can be seen from the list above, several of the activities are computer related and should be considered together rather than as completely independent items.

An IT strategy cannot realistically be completed without consideration being paid to security requirements, particularly if the pension company wants to service its members via the Internet. Failure to address security in such an environment would almost certainly fall foul of the new Data Protection Act and could leave the pension organisation and individuals liable to penalties.

We recommend that a BS7799-based Information Security Risk Assessment be conducted as the first stage in any IT Strategy project, as the results of this risk assessment will indicate what level of assurance (or confidence) is required in the IT aspects of the computer systems. The risk assessment will help to identify suitable operating systems, databases, access control packages, firewalls and other components to be used within the IT strategy. For instance, a risk assessment may indicate that an assurance level of ITSEC E3 is needed. By consulting the Government's Evaluated Products List (UKSP06) one can pick and choose different products to meet the required level of assurance and effectively build the 'system' from secure, evaluated components such as Windows NT, Oracle, etc. (i.e. components which have been independently assessed against strict criteria).

By carefully analysing the results of the risk assessment it may be possible to reduce the level of assurance required in the systems by, for instance, requiring better physical and procedural controls to be instituted. A good example of where improvements in procedures can reduce the dependence on electronic security is the booking-in procedure for visitors to your sites. If you make visitors sign in at reception and wait there until they can be escorted to their eventual destination (always in the company of an escort), then the assurance level may be reduced from, say, E3 to E2, which is easier and cheaper to achieve.

British Standard BS7799 is the only commercial security standard, and it considers security in a holistic way, addressing Policy, Physical Security, Procedural Controls, Personnel Security and Electronic Security (i.e. the security of your computers, networks and interconnections with other companies and the Internet). Since BS7799 covers a very wide scope, it is very good for companies wishing to become secure or to improve their security to achieve industry best practice. It cannot be long before large commercial organisations refuse to deal with companies which cannot demonstrate that they take security seriously and will protect any data passed to them. Such commitment to security can realistically only be demonstrated by becoming certified to BS7799.

The good news is that the Department of Trade and Industry is fully behind the continued development of the BS7799 standard and the establishment and promulgation of the Certification scheme, which has Europe-wide (and hopefully soon world-wide) acceptance. Several Certification bodies exist, typically the same ones that offer ISO9001 Quality certification.

By addressing security as soon as possible, through conducting a risk assessment using BS7799, you will be contributing to the development of your organisation's IT Strategy, compliance with the Data Protection Act, possible BS7799 Certification and general improvements in best practice.

Don't forget
Security is everybody's responsibility, so don't assume that someone else is taking care of it because they're probably thinking exactly the same thing!