Wednesday, 26 December 2012



PRIVACY AND DATA PROTECTION 



Work group: 

Abeer Alblwi
Asma Mohammad
Taraji Aljabri
Suha Alqaidi
Salma Algumari
Fatema Aloufi 


Definition:

Information privacy, or data privacy, is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.


Privacy concerns exist wherever personally identifiable information is collected and stored in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. Data privacy issues can arise in response to information from a wide range of sources, such as:

  • Healthcare records 
  • Criminal justice investigations and proceedings 
  • Financial institutions and transactions 
  • Biological traits, such as genetic material 
  • Residence and geographic records 
  • Ethnicity


The challenge in data privacy is to share data while protecting personally identifiable information. The fields of data security and information security design and utilize software, hardware and human resources to address this issue.


Personal Data:



    • Information relating to a living person who can be directly or indirectly identified by the information
    • Affects privacy (whether personal, family or business life)
    • Focuses on the individual
    • Identifies by itself (or with other information)
    • Biographical





    BEWARE:
    This includes information including an expression
    of opinion about the individual or intentions of the data
    controller towards the individual, e.g. internal memos.
    The data controller must satisfy prescribed conditions
    before it can process personal data.



    Scottish Police Services Authority (SPSA) policy to protect data




    The objective of data protection is to ensure that the rights and freedoms of data
    subjects are considered in the collection and processing of personal data.

    The purpose of the policy is to ensure that personal data collected and
    processed by SPSA is managed in accordance with the Data Protection Act 1998.


    It is the policy of the organisation to ensure that:

    • Information will be collected and processed in accordance with the Act
    • Information will be protected against unauthorised access
    • Confidentiality of information will be assured
    • Integrity of information will be maintained
    • Regulatory and legislative requirements will be met
    • Business continuity plans will be produced, maintained and tested
    • Data protection training will be available to all staff
    • All breaches of data protection, actual or suspected, will be reported to,
    and investigated by the Information Assurance Officers




    All managers are directly responsible for implementing the policy within their
    business areas, and for adherence by their staff.

    It is the responsibility of each employee of SPSA to adhere to the policy.

    Subject data rights





    What is the data subject?



    Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
    The Data Protection Act gives rights to individuals in respect of the personal data that organizations hold about them. The Act says that:
    Personal data shall be processed in accordance with the rights of data subjects under this Act. (This is the sixth data protection principle)



    The rights of individuals





    The rights of individuals that it refers to are:

    1- A right of access to a copy of the information comprised in their personal data:

    This right, commonly referred to as subject access, is most often used by individuals who want to see a copy of the information an organization holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:

    • told whether any personal data is being processed;
    • given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organizations or people;
    • given a copy of the information comprising the data.

    2- A right to object to processing that is likely to cause or is causing damage or distress:

    The Act refers to the “right to prevent processing”. Although this may give the impression that an individual can simply demand that an organization stops processing personal data about them, or stops processing it in a particular way, the right is often overstated. In practice, it is much more limited. An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organization to stop (or not to begin) the processing in question.
    3- A right to prevent processing for direct marketing:

    Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give a written notice to stop (or not begin) using their personal data for direct marketing. Any individual can exercise this right, and if a notice is received, the organization must comply within a reasonable period.

    4- A right to object to decisions being taken by automated means:

    The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. The Act complements this provision by including rights that relate to automated decision taking. Consequently:
    an individual can give written notice requiring an organization not to take any automated decisions using their personal data; even if they have not given notice, an individual should be informed when such a decision has been taken; and an individual can ask an organization to reconsider a decision taken by automated means.


    5- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed:

    The individual who has inaccurate data has a right to apply to rectify, block, erase or destroy the inaccurate information. In addition, where an individual has suffered damage in circumstances that would result in compensation being awarded and there is a substantial risk of another breach.

    6- A right to claim compensation for damages caused by a breach of the Act:

    If an individual suffers damage because an organization has breached the Act, they are entitled to claim compensation from the organization. This right can only be enforced through the courts. The Act allows the organization to defend a claim for compensation on the basis that it took all reasonable care in the circumstances to avoid the breach.


    Ten top tips for protecting sensitive data in your organization from theft or loss 



    1. Encrypt all confidential info. Keep sensitive information inaccessible to prying eyes.
    2. Use hard-to-guess passwords. Enforcing good password usage is key to stopping hackers cracking into your systems.
    3. Keep security software up to date. Updating your software automatically is key to defending against the latest threats and vulnerabilities.
    4. Danger USB! Unauthorized use of USB storage devices could lead to data being lost from your company. Control usage with security software.
    5. Knowledge is power. Find out what your local legislative requirements are and review your security strategy to ensure you are compliant.
    6. Prepare for disaster. Create a plan of action to follow if a severe data breach takes place. 
    7. Education is key. Find an engaging way to explain to staff the value of data and talk through the technologies, policies and best practice. 
    8. Encourage - rather than punish - employees who report potential data loss or breaches. The information can help you mitigate against costly risks.
    9. Don't lock it all down. Employees today need a lot of online freedom to be efficient and effective. Locking everything down will only encourage employees to find nefarious workarounds. Talk to them, find out what they want, and figure out a way to give it to them in the safest way possible.
    10. Back seat bungles. It's all too easy to leave a laptop or smartphone containing sensitive information in a taxi or a public place. Data should always be encrypted, but also use a remote wipe facility if devices are lost.

    Strategies for Data Protection Within Organizations: 






    When considering a plan for data protection you should analyze all of the data within the organization by type, age, creation and modifications, history of data growth, the largest files, and number of users, duplicate data, and other related information. Once you have analyzed all of the data you can proceed to do the following:



    1-Determine Critical Data: Determine the importance of data and divide it into categories which include very critical, critical, inactive, and duplicate data. Obviously very critical data has the highest priority and duplicate data the lowest priority. Very critical data will require frequent backups and replication in the event of data loss, critical data should be backed up on a daily basis, inactive data should be retained for different compliancy reasons, and duplicate data can be deleted.




    2-Data Access: Once the data is categorized and separated it is necessary to ensure that the end users have access to the data. Very critical and critical data is stored on a main server while inactive data goes into secondary storage. The end users should be able to access the very critical and critical data as well as the inactive data that has been archived in the event of compliancy requests and other regulations.


    3-Recovery Testing: Once you have a data recovery plan in place, it is important to test the recovery system on a periodic basis to ensure the organization can recover within a reasonable amount of time. When testing the recovery system, it is necessary to do a comprehensive test that reaches all the way to the application level. This is known as end-to-end testing which tests everything from client server and Web-based multi level applications to components that reside on more than one server. Since all of these components are related and dependent upon one another, the end-to-end testing decreases the likelihood of problems occurring.

    4-Data Management: Most organizations do what is called an SRM (Service Resource Module) audit which monitors data categorization and data retention policies that are implemented within the data infrastructure. The audits help an organization to determine if the existing policies help to improve server and storage performance or hinder it. It also helps to determine the rate of improvement of data recovery speeds and reduced backup needs while at the same time decreasing overall costs of maintaining data management.
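
The analysis and categorization steps above can be partly automated. The following sketch is an added example, not part of the original post: it walks a directory, marks byte-identical copies as duplicate and files untouched for a long period as inactive, and leaves everything else for a person to rate as very critical or critical, since that rating depends on business value rather than file attributes. The 365-day threshold and the label `needs-review` are assumptions made for illustration.

```python
import hashlib
import os
import time
from collections import defaultdict

INACTIVE_AFTER_DAYS = 365  # assumed threshold; the text gives no figure


def sha256_of(path, chunk=1 << 20):
    """Hash file contents in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root, now=None, inactive_days=INACTIVE_AFTER_DAYS):
    """Return {relative_path: category} for every regular file under root.

    Categories: "duplicate", "inactive", "needs-review" (hypothetical label).
    """
    now = time.time() if now is None else now
    cutoff = now - inactive_days * 86400
    by_content = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            st = os.stat(full)
            by_content[(st.st_size, sha256_of(full))].append((st.st_mtime, full))

    result = {}
    for copies in by_content.values():
        copies.sort()  # oldest copy first; it is treated as the original
        for index, (mtime, full) in enumerate(copies):
            rel = os.path.relpath(full, root)
            if index > 0:
                result[rel] = "duplicate"     # candidate for deletion
            elif mtime < cutoff:
                result[rel] = "inactive"      # candidate for secondary storage
            else:
                result[rel] = "needs-review"  # rate as very critical or critical
    return result
```
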


    When does data protection law apply?

    Data protection law applies whenever a data controller processes personal data. These words are given special meanings by the Act.

    Data Controllers

    A data controller is the person who determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. In other words, you will be a data controller if the processing of personal data is undertaken for your benefit and you decide what personal data should be processed and why. A typical example of a data controller is an employer.

    Personal Data

    Personal data means data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. For example, most organisations will process personal data relating to employees, customers, suppliers and business contacts. These individuals are referred to in the Act as 'data subjects'.



    Processing

    The Act applies when personal data is processed or is to be processed by a computer, or is recorded or to be recorded in a structured manual filing system. There are other types of system covered by the Act, but these are the most common.
    The term 'processing' covers virtually any use which can be made of personal data, from collecting the data, storing it and using it to destroying it.




    To be covered by the Data Protection Act:

    • there must be a set of information relating to individuals,
    • which is structured either by reference to individuals or by criteria relating to individuals,
    • in such a way that specific information relating to particular individuals is readily accessible. If your manual files fall within this definition, you will have to comply with the Act.

    Conclusion

    The increasing use of information technology and the internet ensures that data protection remains one of the most important and relevant laws that online businesses are required to comply with. The internet is all about the transfer of information. Not only is the internet used to disseminate information, but also to collect it. Organisations must look now at how they collect, store and use personal data and ask themselves whether they comply with the Act. This may involve amending employment and marketing practices in addition to internal training.

    References:

    • http://www.spamlaws.com/tips-and-strategies-data-protection.html
    • http://nakedsecurity.sophos.com/2010/07/19/ten-tips-for-protecting-sensitive-data-in-your-organisation/
    • http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_6.aspx
    • http://www.spsa.police.uk/documents/176/176.pdf
    • http://www.ethicspoint.com/article/data-privacy
    • http://www.out-law.com/page-413