Data Protection

Accuracy principle

Personal data shall be accurate and, where necessary, kept up to date.

Data protection act

(DPA 1998) is an act of the United Kingdom (UK) Parliament defining the ways in which information about living people may be legally used and handled. The main intent is to protectindividuals against misuse or abuse of information about them.

who is behind data security breaches

1. 98% from external agents 2. 4% implicated internal employees 3. < 1% committed by business partners 4. 58% tied to activists groups

4 elements of a breach management plan

1. Containment and recovery 2. Assessment of ongoing risk 3. Notification of breach 4. Evaluation and response

how data breaches occur

1. form of hacking 2. incorporated malware 3. involved physical attacks 4. employed social tactics 5. resulted from privileged misuse

Best Practices in applying ethics in organisations

>Make data protection rules a disciplinary matter >Ensure organisation has a valid notification in register of data controllers relating to the processing of person(s) information on workers >Assess what information is in existence & who is responsible for it >Consult workers/representatives about developments & implementations of employment practices & procedures that involve the processing of personal info about workers >People processing information must understand their responsibilities for data protection compliance >identify people responsible for ensuring policies & procedures that comply with the act >elminate irrelevant or excessive information >Enusre sensitive data conditions are satisfied >All workers must be made aware they are criminally liable if knowingly or recklessly disclose personal/sensitive information

Information commissoner

Enforces DPA act, uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals"

Freedom of information act Scotland

Est. 2000. provides public access to information held by public authorities. It does this in two ways: public authorities are obliged to publish certain information about their activities; and. members of the public are entitled to request information from public authorities.

8 data protection principles

Fairly & Lawfully Purpose Adequacy Accuracy Retention Rights Security International

Adequacy principle

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Purpose principle

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Data Security Breach

An incident in which sensitive, protected or confident data has potentially been viewed, stolen or used by unauthorised person(s)

Security principle

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Laws that apply when storing & sharing personal & sensitive information

Data protection act (UK Law) European data protection act European convention on human rights Freedom of information Act (Scotland) International standards at ISO/IEC 17799

Containment and recovery

Data security breaches will require an initial response to investigate and contain the situation also a recovery plan including damage limitation This will often involve input from a specialist across the business such as IT, HR and legal In some cases external stakeholders and suppliers You should consider the following: Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise This could include isolating or closing compromised sections of the network Finding a lost piece of equipment Changing the access codes at the front door Establish whether there is anything you can do to recover any losses and limit the damage - this could be recovery from backups Where appropriate, inform the police

The rights of a data subjects

Has the right to prevent direct marketing Has the right to prevent automated decisions Has the right of complaint to the ICO Has the right of compensation Exemptions: National security doesn't have to follow these rules domestic purpose ie friends contact details etc. Partial exemptions: Police & Taxman don't have to disclose data on them Health records Exam results Records can be kept any length of time for statistical, historical & research purposes Journalists & academics are exempt sometimes employment references planning informations

Notification of breaches

Informing people and organisations that you have experienced a data security breach can be an important element in your breach management strategy Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions Answering the following questions will assist other types of organisations in deciding whether to notify: Are there any legal or contractual requirements? Can notification help you meet your security obligations Can notification help the individual? If a large number of people are affected, or they are very serious consequences, you should inform the ICO Consider how notification can be made appropriate for particular groups of individuals Have you considered the dangers of "Over Notifying". Not every incident will warrant notification and notifying a whole 2 million strong customer base of an issue affecting only 2000 customers may well cause disproportionate enquired and work. Who to notify You also need to consider who to notify, what you are going to tell them and how you are going to communicate the message Make sure you notify the appropriate regulatory body There are a number of different ways to notify those affected so consider using the most appropriate one Your notification should at the very least include a description of how and when the breach occurred and what data was involved When notifying individuals give specific and clear advice on the steps they can take to protect themselves and what you are willing to do to help them

European convention of human rights

Is an international treaty to protect human rights and fundamental freedoms in Europe. This provides a right to respect for one's 'private and family life, his home and his correspondence', subject to certain restrictions.

Evaluation and response

It is important not only to investigate the cause of the breach but also to evaluate the effectiveness of your response to it If the breach was caused, even in part, by systemic and ongoing problems, then simply containing the breach and continuing is not acceptable You may find that existing procedures could lead to another breach and you will need to identify where improvements can be made The following points will assist you: Make sure you know what personal data is held and where and how it is stored Establish where the biggest risks lie Risks will arise when sharing with or disclosing to others Identify weak points in your existing security measures such as the use of portable storage devices and access to public networks Monitor staff awareness of security issues and look to fill any gaps through training It is recommended that at the very least you identify a group of people responsible for reacting to reported breaches of security

personal information

Name Medical details Addresses banks details are types of?

P-R-O-T-E-C-T

P - Patch - patch software as soon as updates become available R - Review - regularly your privacy settings O - Ownership - take ownership of your online privacy. Understand what info a company will keep & share on you when signing up T - Two-factor authentication E - Email - be aware of phishing/spoof etc C - Change - your passwords regularly T - Tell Everyone

Retention principle

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

Fairly & Lawful principle

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met and in the case of sensitive personal data, at least one of the conditions set out in Schedule 3 or either of the two Statutory Instruments below is met.

Rights principle

Personal data shall be processed in accordance with the rights of data subjects under this Act.

International principle

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Sensitive information

Racial/ethnic origin healthy political opinions Sex life Member of trade union Criminal Activity Are types of?

Assessing the risks

Some data security breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job An example might be where a laptop is irreparably damage but its files where backed up and can be recovered While these types of incidents can still have significant consequences the risks are very different from those posed by Eg the theft of a customer database, the data on which may be used to commit identity fraud Before deciding on what steps are necessary further to immediate containment, assess the risks which may be associated with the breach Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen The following points are also likely to be helpful in making this assessment: What type of data is involved? How sensitive is it? If data has been lost or stolen, are there any protections in place such as encryption? What has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate Regardless of what has happened to the data, what could the data tell a third party about the individual? How many individuals personal data are affected by the breach Who are the individuals whose data has been breached? What harm can come to those individuals? Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide? If individuals bank details have been list, consider contacting the banks themselves for advice on anything they can do to help you to prevent fraudulent use.

European data protection act

The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is a European Union directive adopted in 1995 which regulates the processing of personal data within theEuropean Union

Authentication

The process of verifying the identity of a user ie username & passwords

Data Protection Act (DPA)

To protect personal information stored on computers or a filing system

Registration with the information commissioner

To store information you must apply to them Data controllers must declare to them what information is stored & how its used each entry in the register contains; >Data controllers name & address >Description of information stored >What they are going to use the info for >Whether the data controller plans to pass the info on >Whether the data controller transfers the info outside the UK >Details of how the data controller will keep the info safe

hardware used to enhance data security

USB dongles - can be configured to lock/unlock computers Trusted platform modules (TPMs) - secures hardware by integrating cryptographic keys onto devices Computer case intrusion detection - Push button is triggered when a computer case is opened alerting the operator when its next booted up drive locks - software tools that encrypt hardware disable USB ports - prevents hackers from using USBs to hack Mobile-enabled access devices - uses mobile as a secure way to gain access ie NFC, biometrics, QR code etc. locking rooms etc Port security are all types of ..........

two-factor authentication

a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

Data controller

a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal dataare, or are to be, processed. Consent

software used to enhance data security

anti-virus firewalls encryption authentication two-factor authentication are types of

workplace rules

check windows & doors are locked/secure control access to the building; keys, ID badges, lock combinations, sign-ins etc. good security system; alerts police, codes only to authorised staff, CCTV secure car parks; security barriers, CCTV etc. sufficient lighting; deters criminals, easier to see cyber security, hardware/software, locks/clamps on devices staff trained/informed on security measures install key card access systems master keys & extra keys to be securely locked away important papers secured & locked in cabinets keep office neat and orderly security breach management plan update software regularly change admin username and passwords regularly use encryption limit access and authority on files/data

Encryption

converts data into unrecognizable or "encrypted" form

potential effects of a data security breach on an organisation

customer breach notification post-breach customer protection regularly compliance(fines) public relations/crises communication attorney fees litigation cybersecurity & improvements technical investigations insurance premium increase operational loss of value in customer relations increased raised debts

International standard at ISO/IEC 17799

establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

The basis of a cyber attack

hostile parties (threat actors) | Seek vulnerabilities (security gaps) | to exploit (take advantage of) | for financial or political gain

Data Subjects

individual who is the subject of personal data.

potential effects of data a security breach on individuals

loss or theft of valuables damage to intellectual property identity theft ruined reputation

Responsibilities of data controllers

must keep to the 8 principles they're the nominated person a company who applied to the data commissioner for permission to store and use personal data responsibilities of?

firewalls

network security device, monitors incoming/outgoing network traffic and decides which to block

Data protection act UK

originally passed. 1984. updated 1998. controls how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called 'data protection principles'. They must make sure the information is: used fairly and lawfully.

anti-virus

prevents, searches for and removes viruses & other malicious software

Real life contemporary data security breaches

security breaches such as Yahoo, Equifax etc are examples of?

common causes of a data security breach

theft or loss of data password hacked or revealed computer infected with malware/virus human error/improper configuration outdated software/malware/anti-virus weak or stolen credentials backdoors/application vulnerabilities social engineering too many permissions insider threats physical attacks