Cyber Security KTN issues privacy guidelines

Businesses should examine privacy implications at all stages of a project lifecycle

The KTN hope the guidelines will prevent information loses on the scale of HMRC

Businesses must meet privacy requirements at four stages of any project lifecycle that may involve personal information, according to a report from the Cyber Security Knowledge Transfer Network (KTN).

In order to protect customer and employee details, privacy must examined at the initiation, planning, execution and closure of a generic project lifecycle.

This will ensure organisations comply with any future guidelines as well as current ones, according to Nigel Jones, head of KTN.

"Trying to engineer privacy as an afterthought never works," he said. "This is the only way organisations can be sure they are doing the right thing."

The paper recommends that:

- At the project initiation stage high level privacy objectives need to be set - project owners need to be aware of applicable privacy laws and regulations, such as the EU Data Protection Directive and the US Safe Harbour agreement.

- Technology envisaged for use by the project should also be subject to a high level review to ensure that appropriate privacy controls can be implemented.

- At The project-planning stage technologies such as encryption should be considered to protect consumer and client data on storage media, and Privacy Imapct Assessments should be carried out.

- Audits and change control procedures should continue after the closure of a project to ensure privacy requirements are continually addressed.

- Organisations should ensure that a senior role is established with overall responsibility for privacy, and ensure that responsibility is not delegated, as in the case of the HM Revenue and Customs lost discs fiasco.

- When a project is decommissioned all relevant information needs to be carefully destroyed.

- Customers should also as far as possible be given the choice of opting out of services that require the collection of additional personal information.

- Systems should have strong access controls, to ensure that personal information is only accessed by those who are authorised to do so. Access should be logged, and logs regularly audited.

- Where possible, personal information should be stored together with metadata that describes it and its intended use.

- Organisations should implement transparent procedures for remediation of errors in personal information, or privacy breaches.

The Cyber Security KTN is run by QinetiQ on behalf of the government’s Technology Strategy Board.