CHAPTER 12 CONFIDENTIAL INFORMATION AND DATA PROTECTION Flashcards

1
Q

The General Data Protection Regulation applies to

A

It applies to the controllers and processors

2
Q

Who is a controller

A

The one that says why and how personal data is processed

3
Q

Who is a processor

A

One that acts on the controller’s behalf

4
Q

What type of regulations does the General Data Protection Regulation place on the processor

A

It places specific legal obligations, like requiring them to keep records of personal data and processing activities. A firm faces more legal liability if it is responsible for a breach

5
Q

Are controllers under the GDPR relieved of their obligations where a processor is involved

A

No, they are not; the GDPR places further obligations on controllers to ensure their contracts with processors comply with the GDPR

6
Q

What information does the GDPR apply to

A

It applies to personal data, and reflects changing technology and the way data is collected. Online information like an IP address can also be personal data

7
Q

What type of data does the GDPR apply to

A

It applies to both automated personal data and manual filing systems where personal data is accessible according to specific criteria

8
Q

How is the GDPR a wider version of the Data Protection Act 1988

A

Its definition is wider and includes chronologically ordered sets of manual records containing personal data. Also, personal data that has been anonymised falls within the GDPR scope

9
Q

What are the sensitive personal data of the GDPR

A
  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics
  • health
  • sex life
  • sexual orientation

10
Q

Which is the most significant principle under the GDPR

A

Accountability Principle

11
Q

How does the Accountability principle work under the GDPR

A

It requires firms to show how they comply with the principles, i.e. having records/documentation for the decisions they take about processing activity

12
Q

Under the GDPR, the data protection principles set out

A

They set out the main responsibilities for organisations

13
Q

What is required for processing to be lawful under the GDPR

A

Firms need to identify a lawful basis before they can process personal data, and document it

14
Q

How does the lawful basis have an effect on an individual's rights

A

The firm has to rely on someone's consent

15
Q

How must consent under the GDPR be given

A

It must be a freely given, specific, informed and unambiguous indication of the individual's wishes

16
Q

Under the GDPR, consent can't be inferred from

A

It can’t be inferred from silence, pre-ticked boxes or inactivity

17
Q

Under the GDPR, consent is separate from

A

It is separate from other terms and conditions and must be verifiable

18
Q

Under the GDPR, what are the new rights for individuals and the existing ones under the DPA

A
  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

19
Q

What are more significant under the GDPR

A

Accountability and Transparency

20
Q

What are the good practice tools for accountability and governance used by firms

A

Privacy impact assessments and privacy by design

21
Q

Under the GDPR, breach notifications should be reported to

A

It is a duty on all organisations to report a data breach to the relevant supervisory authority and, in some cases, the individuals affected

22
Q

What restrictions does the GDPR impose on the transfer of data

A

It imposes restrictions on the transfer of data outside the EU and to third world countries or international organisations

23
Q

Why does the GDPR impose restrictions on the different areas of transfer of data

A

This is done to ensure the level of protection of individuals afforded by the GDPR is not undermined

24
Q

The Data Protection Act 2018 came into effect in May 2018 so as to coincide with

A

The implementation of the GDPR and Law Enforcement Directive (LED)

25
Q

What is the aim of the Data Protection Act 2018

A

It aims to modernize data protection laws to ensure they are effective in the years to come

26
Q

The GDPR has direct effect across EU member states and organisations have to comply with it; however, what does it also allow

A

It allows member states limited opportunities to make provision for how it applies in their country; thus in the UK it has been included as part of the Data Protection Act 2018. It is important that the GDPR and DPA 2018 be read side by side

27
Q

What are the main elements of the Data Protection Act 2018

A
  • General Data Processing
  • Regulation and Enforcement

28
Q

For Regulation and Enforcement, fines on controllers and processors for the most serious data breaches are up to

A

Up to 17 million pounds or 4% of global turnover

29
Q

For Regulation and Enforcement, where a data controller or processor has altered records with intent to prevent disclosure following a subject access request, what should the punishment be

A

Criminal proceedings for offences

When considering the storage and disposal of documents, insurance organisation must adhere the following basic principles
- Restricted Access - File saving and Backup - Source documentation retention - Protection against theft - Copyright - Use of password - File disposal
31
For Restricted access, with physical paperwork, what should a firm ensure
Paperwork are locked in filing cabinet
32
For Restricted access, with computers, what should a firm ensure
Have sophisticated access control for each user and additional restrictions on view only data or data that can be operated
33
Why has the need of greater sophistication in restricting access to sensitive data increased
This is due to the tremendous growth in the use of mobile equipment, allowing more access points. And also an increase in illegal activities of people attacking companies' system
34
Why are more individuals attacking companies' system
toe extract data for fraudulent aims, theft, ransom or simply disrupt the company as a means of protest
35
Online back up is similar to
Cloud backup. it simply means backing up to a service provider's site
36
How do customers pay a service provider to handle backups
Pricing is based on capacity ,frequency and backup size, bandwidth and number of users
37
Which companies are prime use cases for online back up
Companies with lower backup volume and smaller IT teams
38
Online computer back up service provider must assure what in terms of security
They must assure firms that their data is safe and service providers processors comply with current legislation
39
Most online backup product feature
Encryption and access control
40
In order to maintain documentation retention, what shall a firm ensure
It must ensure that original source data is stored in a secure separate building.
41
How can a firm import computer virus
By allowing unauthorized software to be imported onto a computer system
42
What could an imported computer virus do
In its worst form they could jeopardize all of the data held on the computer/network.
43
Apart from computer virus, what is another way that an insurers document can be attacked
When unauthorized person gains access,steal or corrupt data relating to individuals and corporation.
44
Q

What is copyright

A

Computer data originated by an organisation is entitled to legal protection

45
Q

What happens if data is copied whilst protected by copyright

A

This means an infringement has occurred, which is an illegal act; the person doing/permitting this illegal act is liable to prosecution

46
Q

What are the usual failings of passwords

A
  • use of simple references to close family
  • use of dates of birth/family ages/telephone numbers
  • use of favourite animal names
  • inadvertently allowing others to use your password
  • leaving the machine unattended without logging out
  • not changing the password regularly

47
Q

Even with the use of a strong password, how can malware enter a system

A

It can enter via an email account, whereby the user opens the email thinking it is harmless. The malware will then establish itself on the individual machine and spread to major sections of the system

48
Q

What will help overcome password failings

A

Strict company rules and an ongoing security awareness programme within the business

49
Q

Who is allowed to dispose of files

A

Only authorized personnel

Which information is kept for long time
Information of a policy that is in force and has a liability element, always a possibility of a claim arising
51
Which information is kept for short time
Information in relation to quotation that was never given up by a proposer
52
For a written or printed confidential information, what is used to dispose information
An authorized person uses paper shredder system
53
What is another method of disposal of written or printed confidential information
Confidential waste is stored separately and disposed regularly by specialist confidential waste contractors. This expensive alternative is operated by banks and building societies
54
Corporate data must be protected from
- malicious alteration - deliberate destructive acts - industrial espionage
55
Personal data must be protected from
- being used for blackmail | - unauthorized disclosure
56
Why is computer security becoming an ever key issue
Due to the rapid development of Local Area Networks(LAN) and widespread use of WI-FI
57
Under the GDPR what are data controllers supposed to inform Information Commissioner
They must notify the office of the information commissioner with details of the data held and its purpose. And then the information commissioner maintains a register of this information
58
What is the duty of the information commissioner
Too oversea the working of the data processing law
59
When is a data controller said to commit an offence
When they fail to comply with data processing principles. If they process data without notifying the office of the information commissioner
60
When can personal data be transferred to territories outside the EU
If the country/territory to be transferred ensures an adequate level of protection for rights and freedom of data subjects in relation to the processing of personal data
61
Under the Money Laundering regulation, disclosure of data to the NCA is permitted
Where there is actual or suspected money laundering activities
62
What is the Computer misuse Act 1990
This Act was passed to provide a deterrent against all kinds of unauthorized computer access
63
What are the three new criminal offences created by the Computer Misuse Act 1990
- unauthorized access to computer - unauthorized access to computer with intent to commit serious crime - unauthorized modification of computer material
64
What does the Computer misuse Act 1990 also set out
It sets out maximum penalties for the new criminal offences
65
Q

What are price comparison sites/aggregators

A

These are websites used for purchasing insurance; they enable a client to gain several quotes via an electronic e-quote form

66
Q

How do price comparison websites communicate with insurers

A

They conclude agreements with a number of insurers to provide comparative quotes based on a pre-determined list of specific needs as disclosed by potential clients

67
Q

What do price comparison websites optimize

A

They optimize user experience, customer insights and search engine performance across a variety of mobile platforms

68
Q

What is the criticism of price comparison sites

A

They focus too much on price

69
Q

What does the Internet of Things involve

A

It involves communication and interaction between networked devices that relay information across the network

70
Q

The connected devices on the Internet of Things include

A

Sensors that can control temperature, sense smoke or detect the escape of water from leaky pipes

71
Q

How do Internet of Things devices help insurers

A

They help insurers more accurately underwrite policies and offer personalized cover, as they are a key source of real-time data on customers

72
Q

For the Internet of Things, the collection and processing of detailed data gives rise to which challenges

A
  • who will be allowed to collect the data
  • how will the data be stored
  • how will the data be used
  • who will have access to the data

73
Q

What are telematics

A

These consist of high-frequency motion sensors which capture how the car is driven

74
Q

Where have telematics been commonly used

A

Emergency services and Formula One teams

75
Q

Telematics provide which type of information

A
  • the time of day/night the car is driven
  • the speed at which it was driven
  • how smoothly it is driven
  • whether breaks are taken on long journeys
  • how many motorway miles are driven
  • the total mileage
  • the total number of journeys made

76
Q

Who will have access to the information provided by telematics

A

The aggregator collecting the information, the insurer and the software provider

77
Q

How is social media defined

A

It is defined as a collection of online media tools and channels that foster communication and conversation, not only delivering content but also allowing interaction and participation in the development of the content being discussed

78
Q

For insurers, how is social media helpful

A

It can provide a continuous, interactive relationship with the customer; it offers multiple opportunities to listen and engage with individuals and communities in a highly personalized dialogue

79
Q

What are some of the advantages of social media to insurers

A
  • They present a potential reputational risk, whereby action is taken against an organisation if it is considered to be unfair by the public; these detrimental comments can spread rapidly nationally or even internationally through a social media campaign
  • A lot of consumer information from communication with the insurer is also stored and protected in the social media database, thus bringing additional risk

80
Q

How do insurers use apps

A

They use apps for reporting and managing claims on motor and household policies. These apps also allow the insured to take photos with their camera phone and upload them, and claim contact information is made available quickly to record the claim details

81
Q

The future of data gathering and storage within the insurance industry is shaped by

A

General Data Protection Regulation (GDPR)

82
Q

What are the key areas which will be specifically affected by the GDPR in data gathering and storage

A
  • An underwriter is required to collect and review personal data of applicants ranging from demographics to more sensitive special category data; any misprocessing of this sensitive data will attract a higher fine under the two GDPR fine brackets (4% of global annual turnover or 20 million pounds)
  • The more personal data obtained, the more it will help in pricing a risk, but in order to process such information on a large scale, companies need to carry out a formal data protection impact assessment
  • Under the GDPR, marketing (selling individuals' personal data to insurers etc.) requires a positive opt-in by individuals to state their consent and preference on whether they want to be contacted. This consent is given freely and individuals can easily withdraw their consent and be forgotten. Data subjects also have the right to receive the personal data held by a controller or have it transmitted to another controller

83
Q

What does a data protection impact assessment require

A

It requires companies to carefully record the necessity and proportionality of processing, assess the risks posed to the rights and freedoms of data subjects and document the planned measures to address these risks

84
Q

When insurers use direct marketing methods, where do they collect data

A
  • They collect data directly
  • They also purchase data from third-party providers

85
Q

What are insurance companies required to do to comply with all the GDPR new rights and other changes

A

They will have to review and make the appropriate changes to improve their IT infrastructure and revisit data retention and disposal policies

86
Q

Personal cyber protection insurance is marketed for which type of companies

A

It is marketed for High Net Worth Individuals (HNWI)/Commercial Companies

87
Q

How are cyber products distributed

A

They are distributed through brokers as standalone cyber protection insurance or as an add-on product to home cover

88
Q

For cyber products distributed as add-on products to home cover, what type of cover do they provide

A

The policy will cover everyone in the household against loss due to
  • defamation
  • cyber bullying
  • loss of insured data
  • online retail/banking fraud

89
Q

What is ransomware

A

This is when a cyber bully restricts access to the infected system until a ransom is paid

90
Q

Thus, in summary, what are the challenges facing the insurance industry

A
  • Price comparison sites
  • Internet of Things
  • Telematics
  • Social media
  • Mobile technology
  • GDPR and data protection
  • Cyber crime