[Global_industry_committee] UK ICO Data Sharing Code of Practice

Colin Watson colin.watson at owasp.org
Tue May 10 13:21:17 EDT 2011

Participants from the UK OWASP Chapters (Leeds/North, London and
Scotland) and the Global Industry Committee submitted a brief response
to last year's consultation on the draft Data Sharing Code of Practice
by the UK Information Commissioner's Office (ICO).  "Data sharing" in
this context is the transfer of personal data (somewhat like PII)
within organisations and with third parties, to undertake information
processing.  It includes routine systematic data sharing as well as
one-off requests.  The final code of practice was launched today.

OWASP limited its comments to security issues:


1a. In "Technical security" OWASP said:

   ...add an item: "If personal data is collected or processed using a
web product (e.g. website, web application, mobile application), have
the most common security risks been identified, removed or mitigated?"

1b. The published statutory code of practice says:

   "Have you identified the most common security risks associated with
using a web-product - e.g. website, web application or mobile

2a.  In "Technical security" OWASP said:

   ...we believe "is your information encrypted" is too simplistic.
... a better question would be "How is encryption implemented and

2b.  The published statutory code of practice says:

   "How is encryption of personal data implemented and managed?"

3a.  In "Data standards" OWASP said:

   a new sentence "Ensure the data are correctly encoded and escaped
when output so they can safely be used by the receiving system.".

3b.  Nothing was added to the statutory code of practice.


No direct references or links to OWASP were added, but the document
doesn't contain any others like that either.  The consultation had
about 100 responses, so we can't know what effect our feedback had,
but there seems to be a good match in 1 and 2 above.

Thanks to everyone who helped.

   OWASP response (20th December 2010)

   Data Sharing Code of Practice (10th May 2011)
   Only published today - awaiting URL but should be listed at

FYI this week, ACS Law have just been fined by the ICO for the loss of
6,000 personal data records from their website (access control
'flaw'?).  The fine would have been £200,000 but since the company was
a sole trader that has ceased trading, the final figure paid will only
be a token amount.


Colin Watson
OWASP Global Industry Committee
