cipfa pensions network
play

CIPFA Pensions Network How Safe Is Your Member Data? (and what - PowerPoint PPT Presentation

Jan 28, 2023 •111 likes •375 views

CIPFA Pensions Network How Safe Is Your Member Data? (and what risks are you running if it's not?) 5 th & 6 th July 2016 What Were Covering Why data security matters Common risks/pitfalls Introduction to changes under General

  1. CIPFA Pensions Network How Safe Is Your Member Data? (and what risks are you running if it's not?) 5 th & 6 th July 2016

  2. What We’re Covering  Why data security matters  Common risks/pitfalls  Introduction to changes under General Data Protection Regulation squirepattonboggs.com squirepattonboggs.com 2 2

  3. Why Data Security Matters Legal Obligations  Data Protection Act Principle 7  Requires taking of "appropriate technical and organisational measures against unauthorised or unlawful processing of data and against accidental loss or destruction of, or damage to, personal data"  Common law duty of confidence to members BUT ALSO  Critical to ability to deliver other obligations  Costs of remedying failures can be astronomical  Reputational damage & loss of trust if it fails Huge Increase In Quantity & Sophistication of Attacks squirepattonboggs.com squirepattonboggs.com 3 3

  4. Fines/Monetary Penalties  Power given to ICO in 2010 - If  Serious breach of the Act  Controller knew or ought to know could cause serious detriment  Overwhelming majority of monetary penalties (and the highest) for data security breaches. Over 70% of those imposed on public sector bodies  Many fines on controllers  When their processors at fault  Immediate breach caused by third party criminal act  Current maximum fine £500,000 per breach  GDPR will increase maximum to higher of € 20m and 4% of global turnover squirepattonboggs.com squirepattonboggs.com 4 4

  5. ICO's Core Security Requirements  Protection in transit, at rest, in use  Encryption  Main hosting servers  Hard drive of laptop & smart-phones  Memory sticks  Check level of encryption  Weakest link – Bring Your Own Device  ICO Guidance on commonest IT security mistakes squirepattonboggs.com squirepattonboggs.com 5 5

  6. Some Key Risks/Risk Areas  Inadequate central systems, patching, maintenance or monitoring  Poor access control (physical and virtual) allowing unauthorised access  Failure to securely erase data from hardware before disposal  Uncontrolled use of new ‘cloud’ solutions e.g. cheap digital dashboards  Third party processors  Poor security  Poor training  Lack of appropriate instructions  Loss of unencrypted laptop or other device, such as a memory stick squirepattonboggs.com squirepattonboggs.com 6 6

  7. Some Key Risks/Risk Areas  Phishing – including spear phishing attacks  Forwarding papers to home account  insecure home routers/systems  use of gmail and other cloud hosted accounts  Sending email to wrong email address  Sending "cc" rather than "bcc" emails to members  Passwords  Not changing default passwords  Passwords linked to social media  Weak passwords squirepattonboggs.com squirepattonboggs.com 7 7

  8. Data Security – Using Secure Passwords Charac- Numbers only Upper case or Upper case and Numbers, Numbers, ters lower case letters lower case letters upper case and upper case, lower case letters lower case and symbols 4 Instantly Instantly Instantly Instantly Instantly 5 Instantly Instantly Instantly 3 seconds 10 seconds 6 Instantly Instantly 8 seconds 3 minutes 13 minutes 7 Instantly Instantly 5 minutes 3 hours 17 hours 8 Instantly 13 minutes 3 hours 10 days 57 days 9 4 seconds 6 hours 4 days 1 year 12 years 10 40 seconds 6 days 169 days 106 years 928 years 12 1 hour 12 years 600 years 108k years 5m years 14 4 days 8k years 778k years 1bn years 5bn years 16 1 year 512m years 1bn years 6tn years 193tn years 18 126 years 3bn years 1tn years 23qd years 1qt years squirepattonboggs.com squirepattonboggs.com 8 8

  9. Data Security – Using Secure Passwords  Password storage  Use robust hashing and salting  Complexity of password  At least ten digits  Numbers, letters (upper and lower case), and special symbols squirepattonboggs.com squirepattonboggs.com 9 9

  10. Data Security - Solutions  Properly implemented data security policy  Nominated individual with overall responsibility for data security  Technical security applied to data held electronically eg encryption, password protection, rules about downloading to mobile devices  Physical security to data in paper form and electronic devices on which data is stored  Vetting and training those who have access to personal data  Access limited to that which is necessary  Secure disposal of hard copy data  Secure deletion of electronic data  Appropriate due diligence before using service providers  Contracts with service providers squirepattonboggs.com squirepattonboggs.com 10 10

  11. Data Security – Data Processors When appointing processors – controllers are in breach of the Act unless:  Upfront and ongoing due diligence into processor's security measures  Security questionnaire  Written contract requiring  Only to process on controller's instructions  To comply with the Seventh Principle  General obligation not enough  Under GDPR, much more extensive contracts required squirepattonboggs.com squirepattonboggs.com 11 11

  12. Data security – Data Processors Other strongly advisable contractual clauses  Immediate notification of data security breach  Remedial actions on security breach  Audit rights  Sub-contractor approval  Responding to Data Subject Access Requests  Indemnities for losses  Restrictions on processing outside the EEA  Deletion of data on termination squirepattonboggs.com squirepattonboggs.com 12 12

  13. Managing a significant data breach  Need to move fast  Actions to minimise adverse effects  Notifying • members • the ICO • the police • the pensions regulator • insurers  Remedial actions  Best time to think about how to handle a major data loss/breach  Before the event  Policy on handling data breaches  Importance of co-operation of service providers squirepattonboggs.com squirepattonboggs.com 13 13

  14. Breach Notifications  To the ICO  No obligation under the Act  ICO guidance – notify if: • Potential detriment to affected individuals • Large amount of data • Particularly sensitive (even if small amount) • Significant damage or distress to individuals  Consequence of non-notification – higher penalty  Consequences of notification  ICO will investigate data protection compliance • Security measures • Contracts squirepattonboggs.com squirepattonboggs.com 14 14

  15. Breach Notifications  To individuals  If notification will help them protect themselves eg against identity theft  If notify individuals, notify ICO?  To the Pensions Regulator if s70 Pensions Act 2004 applies:  Breach of the law  Likely to be of material significance to the Pensions Regulator squirepattonboggs.com squirepattonboggs.com 15 15

  16. GDPR Changes most likely to affect LGPS Lawful processing (Articles 5 and 6)  Processed lawfully, fairly, in a transparent manner  Collected for specified, explicit and legitimate purposes, and not used in an incompatible way  Accurate and up to date  Every reasonable step to correct or erase without delay  Kept in form that permits identification no longer than necessary for purpose Clarity of providing notices crucial  Where information collected from individual (Article 14)  Where information not collected from individual (Article 14a) squirepattonboggs.com squirepattonboggs.com 16 16

  17. Changes most likely to affect LGPS Records of processing activities (Article 28)  Name and contact details of controller and DPO  Purpose  Categories of data and data subjects  Categories of recipients  Transfers to third countries, and documentation of safeguards  Where possible, time limits to erasure  Where possible, description of security measures  Make available to Supervisory Authority on request squirepattonboggs.com squirepattonboggs.com 17 17

  18. Changes most likely to affect LGPS Data Protection Officer (Article 35)  Mandatory because a public authority  Potentially could be one DPO for several authorities  Basis of appointment  Professional qualities  Expert knowledge of data protection law  Ability to perform required services (Article 37) squirepattonboggs.com squirepattonboggs.com 18 18

  19. Changes most likely to affect LGPS Privacy Impact Assessments? (Article 33)  Required where "high risk" to rights and freedoms of individuals, including:  Systematic and extensive evaluation based on automated processing, including profiling, that significantly affects individuals; or  Large scale processing of sensitive personal data squirepattonboggs.com squirepattonboggs.com 19 19

  20. Changes most likely to affect LGPS Data subject access and other requests  Response without undue delay, at latest one month from receipt of request  May be extended up to a further two months when necessary  Complexity of request  Number of requests  Provided free of charge  Where requests "manifestly unfounded or excessive, in particular because of their repetitive character"  Charge a reasonable fee for providing information/taking requested action; or  Refuse squirepattonboggs.com squirepattonboggs.com 20 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CIPFA Pensions Network Workshops Responsible Investment, Shareholder Rights & Pooling

CIPFA Pensions Network Workshops Responsible Investment, Shareholder Rights & Pooling

CIPFA Pensions Network Workshops Responsible Investment, Shareholder Rights & Pooling Introduction Presentation to CIPFA Pensions Network Workshops 6 th and 11 th October 2016, London and Manchester Presentation from: Alan MacDougall,

116 views • 7 slides
LGPS update CIPFA network Lorraine Bennett LGA Pensions Adviser October 2016

LGPS update CIPFA network Lorraine Bennett LGA Pensions Adviser October 2016

LGPS update CIPFA network Lorraine Bennett LGA Pensions Adviser October 2016 www.local.gov.uk What well cover Amendment regulations update Fair deal, freedom and choice Investment reform update ISS guidance and investment

423 views • 17 slides
Key challenges facing Local Authorities David Ellis Finance Advisor CIPFA FAN www.cipfa.org

Key challenges facing Local Authorities David Ellis Finance Advisor CIPFA FAN www.cipfa.org

Key challenges facing Local Authorities David Ellis Finance Advisor CIPFA FAN www.cipfa.org cipfa.org.uk Business Rates Retention Accounting arrangements The Changing Landscape Funding Implications What can Councils do?

771 views • 46 slides
Ethics - under pressure? CIPFA Accountancy Europe Professional Update Event Drew Cullen

Ethics - under pressure? CIPFA Accountancy Europe Professional Update Event Drew Cullen

cipfa.org Ethics - under pressure? CIPFA Accountancy Europe Professional Update Event Drew Cullen Director, Public Affairs cipfa.org Ethics survey 2018 Code cipfa.org What puts people under pressure? We must hit the numbers

239 views • 23 slides
Network - Edinburgh workshop 2016 Tim Bridle 14 September 2016 Areas to cover New audit

Network - Edinburgh workshop 2016 Tim Bridle 14 September 2016 Areas to cover New audit

CIPFA Pensions Network - Edinburgh workshop 2016 Tim Bridle 14 September 2016 Areas to cover New audit appointments & code Overview of other stakeholder activity The annual reports and accounts 2015-16 Audit issues arising

1.14k views • 50 slides
Workshops Liability Risk How can we manage this Alison.Hamilton@barnett-waddingham.co.uk

Workshops Liability Risk How can we manage this Alison.Hamilton@barnett-waddingham.co.uk

CIPFA Pensions Network Workshops Liability Risk How can we manage this Alison.Hamilton@barnett-waddingham.co.uk October 2012 Agenda What are the liabilities Analysing the risks Some tools to help this What about the unknowns Questions and

261 views • 22 slides
Pensions - A Network Perspective Mike Bedford On Behalf of ENA 9th November 2009 Mike Bedford

Pensions - A Network Perspective Mike Bedford On Behalf of ENA 9th November 2009 Mike Bedford

Pensions - A Network Perspective Mike Bedford On Behalf of ENA 9th November 2009 Mike Bedford 09.11.09 1 Pensions - Background ENA stated after the first Pensions consultation:- There now exists even stronger justification to

441 views • 10 slides
Integrated Thinking & Sustainable Development cipfa.org.uk Integrated reporting A more

Integrated Thinking & Sustainable Development cipfa.org.uk Integrated reporting A more

cipfa.org.uk Integrated Thinking & Sustainable Development cipfa.org.uk Integrated reporting A more integrated and concise form of reporting Linking strategy, performance, governance and economic, social and environmental context

309 views • 9 slides
Workplace Pensions Employers What is Pensions Auto Enrolment? Pensions Auto Enrolment will

Workplace Pensions Employers What is Pensions Auto Enrolment? Pensions Auto Enrolment will

Workplace Pensions Employers What is Pensions Auto Enrolment? Pensions Auto Enrolment will have an effect on any business in the UK that employs staff, whether its just 1 person or 1000. Started back in October 2012, and phased in

628 views • 16 slides
Pensions payable to the veterans of the struggle under the Special Pensions Act Adv. Lufuno

Pensions payable to the veterans of the struggle under the Special Pensions Act Adv. Lufuno

Pensions payable to the veterans of the struggle under the Special Pensions Act Adv. Lufuno Nevondwe, Board Member: Special Pensions Appeal Board INTRODUCTION South African Special Pensions is regulated by Special Pensions Act,69 of 1996 (the

335 views • 21 slides
PPI PENSIONS POLICY INSTITUTE What should be the balance between state and private pensions?

PPI PENSIONS POLICY INSTITUTE What should be the balance between state and private pensions?

PPI PENSIONS POLICY INSTITUTE What should be the balance between state and private pensions? Chris Curry Pensions Policy Institute Part of the Shaping a Stable Pensions Solution series of seminars 6 April 2005

548 views • 41 slides
ETHI ETHICS CS AND AND PENSIONS PENSIONS REGULATI REGULATION ON GRACE GUY THE PENSIONS

ETHI ETHICS CS AND AND PENSIONS PENSIONS REGULATI REGULATION ON GRACE GUY THE PENSIONS

ETHI ETHICS CS AND AND PENSIONS PENSIONS REGULATI REGULATION ON GRACE GUY THE PENSIONS AUTHORITY Focus Trusteeship Qualifications Governance Reporting obligations www.iapf.ie Wh What do do we we mea mean by by ethi ethics?

561 views • 16 slides
Worcestershire County Council Financial Resilience Review Sean Nolan on behalf of the CIPFA team

Worcestershire County Council Financial Resilience Review Sean Nolan on behalf of the CIPFA team

Worcestershire County Council Financial Resilience Review Sean Nolan on behalf of the CIPFA team June 2017 cipfa.org Terms of Reference Review Soundness of emerging MTFP Gap and savings strategy Requested by CFO due to his broader

253 views • 21 slides
PPI PENSIONS POLICY INSTITUTE Should earnings-related pensions be compulsory or voluntary?

PPI PENSIONS POLICY INSTITUTE Should earnings-related pensions be compulsory or voluntary?

PPI PENSIONS POLICY INSTITUTE Should earnings-related pensions be compulsory or voluntary? Chris Curry Pensions Policy Institute Part of the Shaping a Stable Pensions Solution series of seminars 22 September 2005

496 views • 7 slides
PPI PENSIONS POLICY INSTITUTE Comparison of the regulatory frameworks for DC pensions Melissa

PPI PENSIONS POLICY INSTITUTE Comparison of the regulatory frameworks for DC pensions Melissa

PPI PENSIONS POLICY INSTITUTE Comparison of the regulatory frameworks for DC pensions Melissa Echalier, Senior Policy Researcher Pensions Policy Institute Pewterers Hall 22 October 2015 www.pensionspolicyinstitute.org.uk PPI PENSIONS

514 views • 20 slides
CIPFA Statistics 2006 Analysis Results Strategy and Resources Committee 24 May 2007 Shropshire

CIPFA Statistics 2006 Analysis Results Strategy and Resources Committee 24 May 2007 Shropshire

CIPFA Statistics 2006 Analysis Results Strategy and Resources Committee 24 May 2007 Shropshire and Wrekin Fire Authority Strategy and Resources Committee 24 May 2007 Document tabled at Agenda Item 7 CIPFA Statistics Analysis Introduction

452 views • 42 slides
STATE OF THE NATION PENSION CHALLENGES AND OPPORTUNITIES IN 2017 This is for financial adviser

STATE OF THE NATION PENSION CHALLENGES AND OPPORTUNITIES IN 2017 This is for financial adviser

STATE OF THE NATION PENSION CHALLENGES AND OPPORTUNITIES IN 2017 This is for financial adviser use only and shouldnt be relied upon by any other person. STATE OF THE NATION AGENDA State pensions Pension freedoms Automatic

724 views • 37 slides
Opt Options ions for ta for taking king ac action tion on on Princ Principle iple 5 Why

Opt Options ions for ta for taking king ac action tion on on Princ Principle iple 5 Why

Opt Options ions for ta for taking king ac action tion on on Princ Principle iple 5 Why is Principle 5 important? Making finance flows consistent with a pathway towards low greenhouse gas emissions and climate-resilient development.

427 views • 15 slides
Toronto Civic Employees Pension Plan Surplus Sharing Proposal Overview of Presentation 1.

Toronto Civic Employees Pension Plan Surplus Sharing Proposal Overview of Presentation 1.

Toronto Civic Employees Pension Plan Surplus Sharing Proposal Overview of Presentation 1. Introduction and Purpose of Meeting 2. The Current Civic Plan 3. Pension Plan Mergers 4. Pension Surplus Withdrawals 5. Main Terms of the Proposal

484 views • 27 slides
Pension Plan Management A Regulators Perspective Presentation by Karen Badgerow-Croteau &

Pension Plan Management A Regulators Perspective Presentation by Karen Badgerow-Croteau &

Pension Plan Management A Regulators Perspective Presentation by Karen Badgerow-Croteau & Paul Rozon To Bell Pensioners Group October 23, 2006 Agenda 1. General overview of pensions 2. Defined Benefit vs. Defined Contribution 3.

570 views • 28 slides
Pension, Savings and Welfare Plans Best Practices to Avoid Liability for Underfunding, Plan

Pension, Savings and Welfare Plans Best Practices to Avoid Liability for Underfunding, Plan

Presenting a live 90-minute webinar with interactive Q&A Benefit Plans in M&A: Transitioning Pension, Savings and Welfare Plans Best Practices to Avoid Liability for Underfunding, Plan Defects and Unintended Benefits TUESDAY, MAY 16,

806 views • 79 slides
What happened last year? Chairs 2018 report Annual General Meeting Presenter: Mary Lee This

What happened last year? Chairs 2018 report Annual General Meeting Presenter: Mary Lee This

What happened last year? Chairs 2018 report Annual General Meeting Presenter: Mary Lee This presentation is not complete without the presenters commentary. 3 Continued Growth De Dec 2017 2017 Dec Dec - 2018 2018 Assets $8.15

530 views • 7 slides
SET FOR CONTINUED GROWTH CIRCLE PROPERTY PLC Annual Report and Accounts 31 March 2018 CIRCLE

SET FOR CONTINUED GROWTH CIRCLE PROPERTY PLC Annual Report and Accounts 31 March 2018 CIRCLE

SET FOR CONTINUED GROWTH CIRCLE PROPERTY PLC Annual Report and Accounts 31 March 2018 CIRCLE PROPERTY IS A DEVELOPER AND MANAGER OF OFFICES IN KEY LOCATIONS THROUGHOUT THE UK. STRATEGIC REPORT GOVERNANCE FINANCIALS 1-23 24-32 33-59

868 views • 65 slides
Client Information Session Accounting standards update Launceston 7 June 2018 Hobart 8 June

Client Information Session Accounting standards update Launceston 7 June 2018 Hobart 8 June

Client Information Session Accounting standards update Launceston 7 June 2018 Hobart 8 June 2018 Rod Whitehead, Ric De Santi, Jeff Tongs, Stephen Morrison Client Seminar Accounting standards update Welcome and opening comments Overview

1.29k views • 128 slides

More recommend