CHAPTER 12 CONFIDENTIAL INFORMATION AND DATA PROTECTION

Question 1

The General Data Protection Regulation applies to

Answer 1

It applies to the controllers and processors

Question 2

Who is a controller

Answer 2

The one that says why and how personal data is processed

Question 3

Who is a processor

Answer 3

One that acts on the controller’s behalf

Question 4

What type of regulations does the General Data Protection Regulation place on the processor

Answer 4

It places specific legal obligation, like requiring them to keep records of personal data and processing activities.Firm faces more legal liability if its responsible for a breach

Question 5

Are controllers under the GDPR relieved of their obligation where processor is involved

Answer 5

No, they are not, the GDPR places further obligation on controllers to ensure their contracts with processors comply with the GDPR

Question 6

What information does the GDPR apply to

Answer 6

It applies to personal data, and reflects the changing technology and the way data is collected. Online information like IP address can also be personal data

Question 7

What type of data does the GDPR apply to

Answer 7

It applies to both automated personal data and manual filing system where personal data is accessible according to specific criteria

Question 8

How is the GDPR a wider version of the Data Protection Act 1988

Answer 8

It’s definition is wider and include chronologically ordered sets of manual records containing personal data. Also including personal data that has been anonymised fall within the GDPR scope

Question 9

What are the sensitive personal data of the GDPR

Answer 9

• race
• ethnic origin
• politics
• religion
• trade union membership
• genetics
• bio metrics
• health
• sex life
• sexual orientation

Question 10

Which is the most significant principle under the GDPR

Answer 10

Accountability Principle

Question 11

How does the Accountability principle work under the GDPR

Answer 11

It requires firms to show how they comply with the principles i.e. having records/documentation for the decision they take about processing activity

Question 12

Under the GDPR, data protection principles sets out

Answer 12

It sets out the main responsibilities for organisation

Question 13

What is required for processing to be lawful under the GDPR

Answer 13

Firms need to identify a lawful basis before they can process personal data and document it

Question 14

How does lawful basis have an effect on individual’s rights

Answer 14

Firm has to rely on someone’s consent

Question 15

How must consent under the GDPR be given

Answer 15

It must be freely given, specific, informed and unambiguous indication of the individual’s wishes

Question 16

Under the GDPR consent can’t be inferred from

Answer 16

It can’t be inferred from silence, pre-ticked boxes or inactivity

Question 17

Under GDPR consent is separate from

Answer 17

It is separate from other terms and conditions and be verifiable

Question 18

Under the GDPR, what are the new rights for individual and the existing ones under the DPA

Answer 18

• right to be informed
• right of access
• right to ratification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• right in relation to automated decision making and profiling

Question 19

What are more significant under the GDPR

Answer 19

Accountability and Transparency

Question 20

What are the good practice tools for accountability and governance used by firms

Answer 20

Privacy Impact assessments and privacy by design

Question 21

Under GDPR breach notifications should be reported to

Answer 21

It’s a duty on all organisation to report data breach to the relevant supervisory authority and in some cases individuals affected

Question 22

What restriction does the GDPR impose on transfer of data

Answer 22

It imposes restriction on the transfer of data outside the EU and to third world countries or international organisation

Question 23

Why does GDPR impose restriction on the different areas of transfer of data

Answer 23

This is done to ensure level of protection of individual afforded by the GDPR is not undermined

Question 24

The Data Protection act 2018 came into effect May 2018 so as to coincide with

Answer 24

The implementation of the GDPR and Law Enforcement Directive (LED)

Question 25

What is the aim of Data Protection ACT 2018

Answer 25

It aims to modernize data protection laws to ensure they are effective in the years to come

Question 26

The GDPR has direct effect across EU member states and organisations have to comply with, however what does it also allow

Answer 26

It allows member states limited opportunities to make provision for how it applies in their country, thus in the UK has been included as part of the data Protection Act 2018. It is important the GDPR and DPA 2018 to be read side by side

Question 27

What are the main elements of the Data Protection Act 2018

Answer 27

• General Data Processing

- Regulation and Enforcement

Question 28

For Regulations and Enforcement fines on controllers and processors for most serious data breaches are up to

Answer 28

Up to 17 million pounds or 4% of global turnover

Question 29

For Regulations and Enforcement for situations where a data controller or processor has altered records with intent to prevent disclosure following subject access request what should the punishment be

Answer 29

Criminal proceedings for offences

Question 30

When considering the storage and disposal of documents, insurance organisation must adhere the following basic principles

Answer 30

• Restricted Access
• File saving and Backup
• Source documentation retention
• Protection against theft
• Copyright
• Use of password
• File disposal

Question 31

For Restricted access, with physical paperwork, what should a firm ensure

Answer 31

Paperwork are locked in filing cabinet

Question 32

For Restricted access, with computers, what should a firm ensure

Answer 32

Have sophisticated access control for each user and additional restrictions on view only data or data that can be operated

Question 33

Why has the need of greater sophistication in restricting access to sensitive data increased

Answer 33

This is due to the tremendous growth in the use of mobile equipment, allowing more access points. And also an increase in illegal activities of people attacking companies’ system

Question 34

Why are more individuals attacking companies’ system

Answer 34

toe extract data for fraudulent aims, theft, ransom or simply disrupt the company as a means of protest

Question 35

Online back up is similar to

Answer 35

Cloud backup. it simply means backing up to a service provider’s site

Question 36

How do customers pay a service provider to handle backups

Answer 36

Pricing is based on capacity ,frequency and backup size, bandwidth and number of users

Question 37

Which companies are prime use cases for online back up

Answer 37

Companies with lower backup volume and smaller IT teams

Question 38

Online computer back up service provider must assure what in terms of security

Answer 38

They must assure firms that their data is safe and service providers processors comply with current legislation

Question 39

Most online backup product feature

Answer 39

Encryption and access control

Question 40

In order to maintain documentation retention, what shall a firm ensure

Answer 40

It must ensure that original source data is stored in a secure separate building.

Question 41

How can a firm import computer virus

Answer 41

By allowing unauthorized software to be imported onto a computer system

Question 42

What could an imported computer virus do

Answer 42

In its worst form they could jeopardize all of the data held on the computer/network.

Question 43

Apart from computer virus, what is another way that an insurers document can be attacked

Answer 43

When unauthorized person gains access,steal or corrupt data relating to individuals and corporation.

Question 44

What is Copyright

Answer 44

Computer data originated by an organisation is entitled to legal protection

Question 45

What happens if data is copied whilst protected by copyright

Answer 45

This means an infringement has occurred which is an illegal act, person doing/permitting this illegal act is liable to prosecution

Question 46

What are the usual failings of passwords

Answer 46

• use simple reference to close family
• use of dates of birth/family ages/telephone
• use of favorite animal names
• inadvertently allowing others to use your password
• leaving machine unattended without logging out
• not changing password regularly

Question 47

Even with a use of strong password how can malware enter a system

Answer 47

They can enter via an email account,where by user opens the email thinking its harmless.Then this malware will establish itself on the individual machine and spread to major section of the system

Question 48

What will help overcome password failings

Answer 48

Strict company rules and ongoing security awareness program within the b’ness

Question 49

Who is allowed to dispose of files

Answer 49

Only an authorized personnel

Question 50

Which information is kept for long time

Answer 50

Information of a policy that is in force and has a liability element, always a possibility of a claim arising

Question 51

Which information is kept for short time

Answer 51

Information in relation to quotation that was never given up by a proposer

Question 52

For a written or printed confidential information, what is used to dispose information

Answer 52

An authorized person uses paper shredder system

Question 53

What is another method of disposal of written or printed confidential information

Answer 53

Confidential waste is stored separately and disposed regularly by specialist confidential waste contractors. This expensive alternative is operated by banks and building societies

Question 54

Corporate data must be protected from

Answer 54

• malicious alteration
• deliberate destructive acts
• industrial espionage

Question 55

Personal data must be protected from

Answer 55

• being used for blackmail

- unauthorized disclosure

Question 56

Why is computer security becoming an ever key issue

Answer 56

Due to the rapid development of Local Area Networks(LAN) and widespread use of WI-FI

Question 57

Under the GDPR what are data controllers supposed to inform Information Commissioner

Answer 57

They must notify the office of the information commissioner with details of the data held and its purpose. And then the information commissioner maintains a register of this information

Question 58

What is the duty of the information commissioner

Answer 58

Too oversea the working of the data processing law

Question 59

When is a data controller said to commit an offence

Answer 59

When they fail to comply with data processing principles. If they process data without notifying the office of the information commissioner

Question 60

When can personal data be transferred to territories outside the EU

Answer 60

If the country/territory to be transferred ensures an adequate level of protection for rights and freedom of data subjects in relation to the processing of personal data

Question 61

Under the Money Laundering regulation, disclosure of data to the NCA is permitted

Answer 61

Where there is actual or suspected money laundering activities

Question 62

What is the Computer misuse Act 1990

Answer 62

This Act was passed to provide a deterrent against all kinds of unauthorized computer access

Question 63

What are the three new criminal offences created by the Computer Misuse Act 1990

Answer 63

• unauthorized access to computer
• unauthorized access to computer with intent to commit serious crime
• unauthorized modification of computer material

Question 64

What does the Computer misuse Act 1990 also set out

Answer 64

It sets out maximum penalties for the new criminal offences

Question 65

What are price comparison site/ aggregates

Answer 65

These are websites used for purchasing insurance, they enable a client to gain several quotes via electronic e-quote form

Question 66

How do the price comparison websites communicate with insurers

Answer 66

They conclude agreements with a number of insurers to provide comparative quote based on a pre-determined list of specific needs as disclosed by potential clients

Question 67

What do price comparison websites optimize

Answer 67

They optimize user experience,customer insights and search engine performance across a variety of mobile platforms

Question 68

What is the criticism for price comparison sites

Answer 68

They focus too much on price

Question 69

What does the internet of things involve

Answer 69

They involve communication and interaction between networked devices that relay information across the network

Question 70

The connected devices on the internet of things include

Answer 70

Sensors that can control temperature/sense smoke/detect escape of water from leaky pipes

Question 71

How do the internet of things devises help insurer

Answer 71

They help insurers more accurately underwrite polices and offer personalized cover, as they are a source of key for real-time data on customers

Question 72

For Internet of things, the collection and processing of detailed data gives rise to which challenges

Answer 72

• who will be allowed to collect the data
• how will the data be stored
• how will the data be used
• who will have access to the data

Question 73

What are telematics

Answer 73

This consists of high frequency motion sensors which capture how the car is driven

Question 74

Where have telematics been commonly used

Answer 74

Emergency services and formula one teams

Question 75

Telematics provide which type of information

Answer 75

• the time of day/night the car is driven
• the speed at which it was driven
• how smoothly it s driven
• whether breaks are taken on long journeys
• how many motorway miles are driven
• the total mileage
• the total number of journeys made

Question 76

Who will have access to the information provided by the telematics

Answer 76

The aggregator collecting the information, the insurer and software provider

Question 77

How is social media defined

Answer 77

Its defined as a collection of online media tools and channels that foster communication and conversation, not only delivering content but also allowing interaction and participation in the development of the content being discussed

Question 78

For insurers how is social media helpful

Answer 78

They can provide a continuous,interactive relationship with the customer, it offers multiple opportunities to listen and engage with individuals and communities in a highly personalized dialogue

Question 79

What are some of the advantages of social media to insurers

Answer 79

• They present a potential reputational risk, where by action is taken against an organisation if its considered to be unfair by the public,these detrimental comments can spread rapidly nationally or even internationally through social media campaign
• A lot of consumer information from communication with the insurer is stored and protected in the social media database also thus bringing additional risk

Question 80

How do insurers use Apps

Answer 80

They use apps for reporting and managing claims on motor and household policies. These apps also allow insured to take photos from their camera phone and upload them, and claim contact information is made available quickly to record the claim details

Question 81

The future of data gathering and storage within the insurance industry is shaped by

Answer 81

General Data Protection Regulation(GDPR)

Question 82

What are the Key areas which will be specifically affected by the GDPR data gathering and storage

Answer 82

-An underwriter is required to collect and review personal data of the applicants ranging from demographics to more sensitive special categories data, any misprocessing of these sensitive data will attract a higher fine under the two GDPR fine brackets( 4% of global annual turnover or 20 million pounds)
-More personal data obtained the more it will help in pricing of a risk, but in order to process such information on a large-scale, companies need to carry out formal data protection impact assessment
-Under the GDPR marketing(selling individual personal data to insurers e.t.c.) requires positive opt in by the individuals to state their consent and preference on whether they want to be contacted. This consent is given freely and individuals can easily withdraw their consent and be forgotten. The data subjects also have the right to receive their personal data held by controller or transmit them to another controller
-

Question 83

What does data protection impact assessment require

Answer 83

It requires for companies to carefully record the necessity and proportionality of processing, assess risks posed to the rights and freedoms of data subjects and document planned measures to address these risks

Question 84

When insurers use direct marketing methods, where do they collect data

Answer 84

• They collect data directly

- They also purchase data from third party providers

Question 85

What are insurance companies required to do to comply with all the GDPR new rights and other changes

Answer 85

They will have to review and make the appropriate changes to improve their IT infrastructure and revisit data retention and disposal policies

Question 86

Personal cyber protection insurance is marketed for which type of companies

Answer 86

It’s marketed for High Net Worth Individuals(HNWI)/ Commercial Companies

Question 87

How are the cyber products distributed

Answer 87

They are distributed through brokers as standalone cyber protection insurance or add- on product to home cover

Question 88

For cyber products being distributed as add on products to home cover what type of cover does it provide

Answer 88

The policy will cover everyone in the household against loss due to

• defamation
• cyber bullying
• loss of insured data
• online retail/banking fraud

Question 89

What is ransomware

Answer 89

This is when a cyber bully restrict access of the infected system until a ransom is paid

Question 90

Thus in summary what are the challenges facing the insurance industry

Answer 90

• Price Comparison sites
• Internet of things
• Telematics
• Social Media
• Mobile Technology
• GDPR and Data Protection
• Cyber Crime