
Law & Policy


HMG cyber security policies and frameworks for the UK

The UK’s first National Cyber Security Strategy was published by the Labour Government in June 2009. The Coalition Government’s Strategy was published in 2011, building upon the National Security Strategy 2010 and the Strategic Defence and Security Review 2010. The 2011 UK National Cyber Security Strategy launched and supported many initiatives. Key policy and framework documents are listed below. Additionally, the websites for CISP, CERT-UK, the Cyber Security Challenge UK (of which I am one of the founding directors) and Cyber Streetwise should be considered, as they form part of the National Strategy. Organisations that support the National Strategy include GovCertUK (part of CESG) and CPNI.

The National Security Strategy of the UK. Security for the Next Generation, June 2009 (this has been superseded by the 2010 Strategy, immediately below)

The National Security Strategy of the UK. A Strong Britain in an Age of Uncertainty, October 2010

The Strategic Defence Review. Securing Britain in an Age of Uncertainty, October 2010

The Strategic Defence Review. Securing Britain in an Age of Uncertainty, Fact Sheet 18, Cyber Security, October 2010

The UK Cyber Security Strategy. Safety, security and resilience in cyber space, June 2009 (this has been superseded by the 2011 Strategy, immediately below)

The UK Cyber Security Strategy, protecting and promoting the UK in a digital world, November 2011

The UK Cyber Security Strategy, progress report, December 2013

The UK Cyber Security Strategy, forward plans, December 2013

10 Steps to Cyber Security, Executive Companion, September 2012

10 Steps to Cyber Security, Advice Sheets

Cyber Risk Management – A Board Level Responsibility

Cyber Security Organisational Standards, a call for evidence, March 2013

Cyber Security Organisational Standards, Guidance, April 2013

Call for evidence on a preferred standard in cyber security, Government Response, November 2013

UK Cyber Security Standards Research Report, November 2013

Small businesses. What you need to know about cyber security, April 2013

UK’s approach to exports, May 2013

Competitive analysis of the UK cyber security sector, July 2013

FTSE 350 Cyber Governance Health Check Tracker Report, November 2013

Guiding Principles on Cyber Security. Guidance for Internet Service Providers and Government, December 2013

Huawei Cyber Security Evaluation Centre, Review by the National Security Adviser, December 2013

Cyber Streetwise launched, January 2014

Communique from the ‘Strengthening the cyber security of our essential services’ event, February 2014

Cyber Security Information Sharing Partnership (CISP) launched, February 2014

Developing our capability in cyber security. Academic Centres of Excellence in Cyber Security Research, February 2014

Cyber Security Skills, Business perspectives and Government’s next steps, March 2014

Cyber Security Skills, Business perspectives and Government’s next steps, supporting evidence, March 2014

Cyber Security Skills, a guide for business, March 2014

Cyber Security Supplier to Government Scheme, Guidance for applicants, March 2014

CERT-UK launched, March 2014

Using behavioural insights to improve the public’s use of cyber security best practices, May 2014

Cyber Essentials Scheme, Summary, June 2014

Cyber Essentials Scheme, Requirements for basic technical protection from cyber attacks

Cyber Essentials Scheme, Assurance Framework


Cyber security for the corporate finance sector in the UK

ICAEW & HMG ‘Cyber Security in Corporate Finance’ Report, January 2014 (Copyright ICAEW. Visit ICAEW website for further information about the work that is being done on cyber security in corporate finance.)


Bank of England cyber security policies and frameworks for financial services in the UK

Waking Shark II Desktop Cyber Exercise, Report to Participants, November 2013

CBEST – An introduction to CBEST, June 2014

CBEST Implementation Guide


HMG Information Assurance policies and frameworks for the UK

‘Information Assurance’ is the second focus area of the Office of Cyber Security and Information Assurance within the Cabinet Office. Information Assurance is concerned with the confidentiality, integrity and availability of information, including personal data. The topic of IA rose to the top of the UK government’s agenda in 2007, after HM Revenue and Customs (HMRC) lost two disks containing copies of the Child Benefit database. With the rise to prominence of cyber security, IA has slipped from the headlines, but it remains of the utmost importance, not least because the policy framework for IA built out after the HMRC loss has continuing legal effect. For example, the Information Commissioner’s ability to impose fines on data controllers for security breaches results from the IA policy framework.

‘Data Handling Procedures in Government: Interim Progress Report’, December 2007

‘Data Handling Procedures in Government: Cross Government Mandatory Minimum Measures’, December 2007

‘Data Handling Procedures in Government: Final Report’, June 2008

‘Data Handling in Government: The Scottish Government’, June 2008

‘Protecting Information in Government’, January 2010

‘Government Security Classifications April 2014’, October 2013

‘HMG Security Policy Framework’, April 2014


Information Commissioner’s data protection policies and frameworks for security and enforcement in the UK

The documents here are a combination of statutory codes of practice, regulatory policy statements and guidance published by the Information Commissioner, the regulator for data protection and for privacy and electronic communications in the UK. Copyright in these documents belongs to either the Commissioner or the Crown. My intention is to build a chronological record of the publications that are relevant either to data security under the Data Protection Act and the Privacy and Electronic Communications Regulations, or to the enforcement of the law. Note that I have added version history where it appears on the face of the document. You will work out that some documents have been updated over time and that I will be including some that are no longer current.

‘CCTV code of practice revised edition 2008’, January 2008

‘Data Protection Regulatory Action Policy, v.1’, March 2010

‘Personal information online code of practice’, July 2010

‘Communicating enforcement activities, v.5’, November 2010

‘Framework for determining the appropriate amount of a Monetary Penalty’, January 2011

‘Enforcing the revised Privacy and Electronic Communications Regulations (PECR), v.1’, May 2011

‘Standard Operating Procedures Monetary Penalties, v.0.1’, July 2011

‘The employment practices code’, November 2011

‘Promoting openness by public bodies and data privacy for individuals. An information rights strategy for the Information Commissioner, v.2.2’, December 2011

‘Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C(1) of the Data Protection Act 1998’, January 2012

‘Guidance on data security breach management, v.2.1’, 2012

‘Notification of data security breaches to the Information Commissioner’s Office, v.1’, 2012

‘IT asset disposal for organisations, v.1’, January 2012

‘Guidance on the use of cloud computing, v1.1’, 2012

‘Bring your own device (BYOD)’, 2012

‘A practical guide to IT security, ideal for the small business’, April 2012

‘Notification of PECR security breaches, v.2.1’, 2013

‘ICO Prosecution Policy Statement’, March 2013

‘Framework used to guide ICO staff in determining the appropriate amount of a monetary penalty’, April 2013

‘Data Protection Regulatory Action Policy, v.2’, August 2013

‘Privacy in mobile apps. Guidance for app developers, v.1’, December 2013

‘Audit: a guide to ICO privacy and electronic communications regulations audits, v.2’, May 2014


European Court of Human Rights decisions on surveillance

Klass v. Germany (1978)

Malone v. UK (1984)

Kruslin v. France (1990)

Peck v. UK (2003)

Hewitson v. UK (2003)

Von Hannover v. Germany (2004)

Weber v. Germany (2006)

Copland v. UK (2007)

Liberty v. UK (2008)

Marper v. UK (2008)

Kennedy v. UK (2010)


EU Court of Justice decisions on surveillance

European Parliament v. Council & Commission (2006)

Digital Rights Ireland v. Minister for Communications etc. (2014)