If you have read the first article, you will remember that we discussed PD0008.
Is it complicated to comply with PD0008?
Like any project or change of systems, a starting point must be set and followed, and the relevant considerations must be taken into account. Before choosing any electronic document storage solution, organizations must consider the following points.
Data retention and disposal requirements
Derived from legislation, including data weeding and disposal, to ensure that destruction of data is secure and that the evidential probity of scanned documents has been assured before the hard-copy originals are destroyed
Audit data requirements
Meet ISO 17799, evidence legislation and the Data Protection Act 1998
Access control considerations
Ensure compliance with ISO 17799, evidence legislation and the Data Protection Act 1998
Including encryption and safeguarding of encryption keys
Ensure use of optical WORM devices for the legal integrity of data, with 0% data loss, to prevent loss or corruption and to ensure compliance with the Data Protection Act 1998 and evidence-based legislation
Disability Discrimination Act requirements
To ensure that the solution meets the needs of disabled users
Evidence of compliance with this standard assists in showing a Court that the computer records can be relied upon.
Auditing the auditors
Who is auditing the system administrators? Checks need to be in place to ensure the integrity of data, or all other controls can be called into question by a Court of Law
The electronic storage solution, and ongoing patches to it, will need to be tested (including IT health checks) before they are operated within the live environment – they shouldn’t be tested using live data
The electronic storage solution’s application clock needs to be synchronized with the other clocks across the organization’s estate, so that audit data is consistent and reliable
Users that send information to or receive information from the solution must consent to, and/or have been advised, that their communications may be intercepted without notice
The storage solution will need to support swift and easy searches for information
Technical and organization controls
Derived from legislative requirements
Printing of Evidential Records
All data contained within the electronic storage solution should be capable of being printed to produce a permanent record, accompanied by authentication of the data: a digital signature proving the integrity of the original file by showing that it has not been tampered with, and satisfying the test of repeatability, i.e. it will produce the same output every time.
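As an added illustration (not part of the original article, and not a layout PD0008 itself prescribes), the Go program below shows the two mechanisms the "Auditing the auditors" and "Printing of Evidential Records" points rely on: a signed evidential record for a stored document that anyone holding the public key can re-verify and obtain the same result from, and a hash-chained, signed audit trail in which a later edit or deletion by a privileged user is detectable. The type names `EvidentialRecord` and `AuditEntry`, the `genesis` marker, the sample invoice content and the actor names are all constructed assumptions for this example; Ed25519 from Go's standard library stands in for whichever signature scheme an organization actually adopts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// EvidentialRecord: SHA-256 of the stored file plus an Ed25519 signature over
// that hash. A constructed layout for this example, not one PD0008 defines.
type EvidentialRecord struct {
	DocumentID string
	SHA256     string
	Signature  []byte
}

// AuditEntry is one link of a hash-chained, signed audit trail; each entry
// commits to the previous entry's hash, so edits or deletions break the chain.
type AuditEntry struct {
	Seq                                int
	Actor, Action, PrevHash, EntryHash string
	Signature                          []byte
}

// Signer holds the private key. In practice it lives in an HSM or a separately
// administered service, out of the system administrators' reach.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewSigner() *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is unrecoverable here
	}
	return &Signer{priv: priv, Pub: pub}
}

// SignDocument produces the evidential record printed alongside a document.
func (s *Signer) SignDocument(id string, content []byte) EvidentialRecord {
	sum := sha256.Sum256(content)
	return EvidentialRecord{DocumentID: id, SHA256: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(s.priv, sum[:])}
}

// VerifyDocument re-hashes the content and checks the signature with the public
// key only, so a court or external auditor can repeat the check independently.
func VerifyDocument(pub ed25519.PublicKey, rec EvidentialRecord, content []byte) bool {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:]) == rec.SHA256 && ed25519.Verify(pub, sum[:], rec.Signature)
}

func entryDigest(seq int, actor, action, prev string) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s", seq, actor, action, prev)))
}

// AppendAudit adds a signed entry whose hash covers its own fields and the
// previous entry's hash. "genesis" is an assumed marker for the first link.
func (s *Signer) AppendAudit(chain []AuditEntry, actor, action string) []AuditEntry {
	prev := "genesis"
	if n := len(chain); n > 0 {
		prev = chain[n-1].EntryHash
	}
	seq := len(chain) + 1
	h := entryDigest(seq, actor, action, prev)
	return append(chain, AuditEntry{Seq: seq, Actor: actor, Action: action, PrevHash: prev,
		EntryHash: hex.EncodeToString(h[:]), Signature: ed25519.Sign(s.priv, h[:])})
}

// VerifyChain walks the trail from the start and returns the index of the first
// entry that fails (edited, re-sequenced, badly signed), or -1 if all is intact.
func VerifyChain(pub ed25519.PublicKey, chain []AuditEntry) int {
	prev := "genesis"
	for i, e := range chain {
		h := entryDigest(e.Seq, e.Actor, e.Action, e.PrevHash)
		if e.Seq != i+1 || e.PrevHash != prev || hex.EncodeToString(h[:]) != e.EntryHash ||
			!ed25519.Verify(pub, h[:], e.Signature) {
			return i
		}
		prev = e.EntryHash
	}
	return -1
}

func main() {
	s := NewSigner()
	doc := []byte("Invoice 1234 - constructed sample content") // constructed input
	rec := s.SignDocument("INV-1234", doc)
	fmt.Println("original verifies:", VerifyDocument(s.Pub, rec, doc))
	fmt.Println("altered verifies: ", VerifyDocument(s.Pub, rec, []byte("Invoice 1234 - altered")))
	var chain []AuditEntry
	chain = s.AppendAudit(chain, "scan-operator", "scan INV-1234")
	chain = s.AppendAudit(chain, "sysadmin", "verify INV-1234")
	fmt.Println("intact chain, first bad index:", VerifyChain(s.Pub, chain))
	chain[0].Action = "delete INV-1234" // a quiet rewrite by a privileged user
	fmt.Println("after tamper, first bad index:", VerifyChain(s.Pub, chain))
}
```

Two design points matter for the evidential use. Verification needs only the public key and the original bytes, so the same check can be repeated by anyone at any later date and will give the same answer, which is the repeatability test the section asks for. And because every audit entry is signed with a key the administrators do not hold, an administrator can neither silently rewrite an entry nor re-sign a rewritten one; the chain check reports exactly where the trail stops being trustworthy.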