I was completing a survey of the various regulations and standards that require Privacy or Security Awareness training, and have compiled the following list from various sources:

FEDERAL LAWS AND REGULATIONS

  • HIPAA
  • GLBA
  • FISMA
  • FTC Red Flags Rule

INDUSTRY CODES

  • PCI DSS

STANDARDS

  • NIST 800-53
  • ISO/IEC 27002

REGIONAL LAWS

  • US-EU Safe Harbor Arrangement
  • Canada’s PIPEDA
  • Texas Health Privacy Law
  • Massachusetts Data Security Law

But I am not seeing anything specific for the UK or EU. Are there regulations that apply?

schroeder
  • You are v. careful in including only business-environment regulations. It might be worth it to mention it explicitly. – Deer Hunter Oct 01 '15 at 19:30
  • @DeerHunter actually, I would be interested in *any* general regulation (not a local institution's internal policies) that stipulates that Awareness training is required. – schroeder Oct 01 '15 at 21:06
  • The only thing I can think of is Cyber Essentials (mandatory for all new contracts with UK government?) - from memory this includes security training/awareness questions, though I do not think they are critical to certification. – R15 Oct 02 '15 at 14:10
  • @R15 Cyber Essentials does not require Awareness, but it is part of the "10 Steps to Cyber Security" guidance. – schroeder Oct 02 '15 at 15:01
  • Would this be something located in Directive 95/46/EC? – pr- Oct 23 '15 at 15:28
  • @pr- nope - I checked. – schroeder Oct 23 '15 at 15:33

1 Answer

I knew it had to be in DPA somewhere...while not an explicit reference to training/awareness, Data Protection Act 1998, Schedule 1, Part II, paragraph 10 states:

The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

By implication, for staff to perform their data protection obligations reliably they will need to be aware of what those obligations are and trained in how to meet them.

R15