C18 Data(1) : Data security and risks Flashcards

1
Q

Define personal data

A

Personal data relates to
1. Information in respect of an individual where the individual can be identified,
2. Data combined with other information could allow the individual to be identified.

2
Q

Explain why the use of data is an increasingly significant issue for organisations

A
  • Organizations collect large amounts of information on individuals as part of their operation.
  • Technology has made it possible to collect, store and use large amounts of information on individuals in diverse ways.
  • Organizations have an ethical responsibility to deal responsibly with personal data.
  • Balance between the privacy of individuals and the need of the organizations to make fair and responsible use of personal data in their operations.
3
Q

Explain the purpose of data protection legislation

A

Aim/purpose of data protection legislation
1. Safeguard the rights of the individual with regard to how organisations can store and process personal data.
2. Regulations vary by jurisdiction/country

4
Q

List 8 principles of UK’s data protection act that relate to processing personal data

A

Personal data must: PAF-TIANS
1. be obtained and processed for specified purpose
2. be adequate, relevant, and not excessive for the purposes concerned
3. be processed fairly and lawfully
4. not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection
5. be processed in accordance with the individual’s rights under the Act
6. be accurate and, where necessary, kept up to date
7. not be kept longer than necessary for the purposes concerned
8. be processed securely

5
Q

Give 3 examples of possible consequences of non-compliance with the data protection legislation when processing personal data.

A

Consequences of non-compliance with the data protection legislation when processing personal data can be significant
1. Individuals who commit criminal offenses may be prosecuted
2. Organisations might be fined for serious breaches
3. Lead to adverse publicity, which can lead to significant reputational damage to the organisation

6
Q

Explain the relevance of anonymity to the definition of personal data

A
  • Ability to identify the individual to whom the information relates is crucial to the definition of personal data.
  • Obligations of an organisation are considerably less for anonymous data
  • Anonymous data may not constitute personal data
7
Q

List 7 examples of information that can constitute sensitive personal data

A

Sensitive personal data can include information related to: ERPP SMC
1. Ethnic or racial origin
2. Religious or similar belief
3. Political opinions
4. Physical or mental health condition
5. Sexual life
6. Membership of trade unions
7. Convictions, proceedings and criminal acts.

8
Q

Conditions for processing sensitive personal data

A
  1. The data subject has given explicit consent
  2. It is required by law for employment purposes
  3. Needed in connection with the administration of justice or legal proceedings
  4. Needed to protect the vital interest of the individual or another person e.g. disclose medical condition in case of an accident at work
9
Q

Explain what is meant by ‘big data’, including its key characteristics

A

‘Big data’: The increasing use of technology has now made it possible for the public and private sector to collect and analyse very large data sets of information

Big data can be characterised by:
1. very large data sets
2. Data brought together from different sources
3. Data which can be analysed very quickly, such as in real time

10
Q

Describe the main data protection considerations for organisations using big data (TBD)

A

Conflict with personal data

11
Q

Define data governance

A

Data governance is a term used to describe overall management of the (A SIU):
1. Availability,
2. Security,
3. Integrity, and
4. Usability
of the data employed in an organisation.

12
Q

Describe the purpose and typical content of the data governance policy

A

A data governance policy is a documented set of guidelines for ensuring the proper management of an organization’s data.
1. Specific rules and responsibilities of the individuals
2. how to capture, analyse and process data
3. Data security and privacy
4. Controls on data standards
5. Monitoring of adequacy of controls
6. Mechanism to meet legal and regulatory requirements

13
Q

State risks to organisations if they do not have adequate data governance procedures

A

Organisations that do not have adequate data governance procedures can be exposed to risks related to:

  1. Legal and regulatory non-compliance
  2. Inability to rely on data for decision making
  3. Reputational issues
  4. Incurring additional costs (fine and legal costs)
14
Q

Describe the key data issues when businesses are combined by merger or takeover

A

Where businesses are combined by merger or takeover, one of the key issues is whether the data for the two businesses should be combined onto one system and, if so, which

+ Saving in overhead costs
- High conversion costs
- Risk in aggregating data sourced from different systems

15
Q

4 risks that arise when using data, that relate to volume and quality of data

A
  1. Errors and omissions => Erroneous results or conclusions
  2. Insufficient data to produce credible results
  3. Insufficient data to produce credible results in adverse circumstances
  4. Other sources of data: Not a good proxy.
16
Q

List 8 reasons why historical data may not be a good reflection of future experience

A

Further data risks in using historical data.
Historical data may not be a good reflection of future experience due to: CC HOPART

  1. Changes in the way in which the past data was recorded
  2. Changes in the balance of any homogeneous groups underlying the data
  3. Heterogeneity with the group to which the assumptions are to relate
  4. Other changes e.g. medical advancements, social changes, economic changes
  5. Past data may not be up to date
  6. Past abnormal events
  7. Significant random fluctuations
  8. Future trends not being reflected sufficiently in the past data
17
Q

Risks in attempting to group data into broadly homogeneous groups

A

Risks in attempting to group data into broadly homogeneous groups
1. The resultant individual groups may be too small for a credible analysis
2. Merging data groups may lead to a data group that is not sufficiently homogeneous

18
Q

3 other risks that are associated with the use of data

A

Further data risks (DLF)
1. Data may have been collected for a purpose => not appropriate for a different purpose
2. Lack of confidence in the available data => low confidence in conclusions
3. Format of data is not appropriate for the purpose required