CHAPTER 12 CONFIDENTIAL INFORMATION AND DATA PROTECTION Flashcards
The General Data Protection Regulation applies to
It applies to controllers and processors
Who is a controller
The one that determines why and how personal data is processed
Who is a processor
One that acts on the controller’s behalf
What type of regulations does the General Data Protection Regulation place on the processor
It places specific legal obligations on them, such as requiring them to keep records of personal data and processing activities. A firm faces more legal liability if it is responsible for a breach
Are controllers under the GDPR relieved of their obligations where a processor is involved
No, they are not; the GDPR places further obligations on controllers to ensure their contracts with processors comply with the GDPR
What information does the GDPR apply to
It applies to personal data, and reflects changing technology and the way data is collected. Online identifiers such as an IP address can also be personal data
What type of data does the GDPR apply to
It applies both to automated personal data and to manual filing systems where personal data is accessible according to specific criteria
How is the GDPR a wider version of the Data Protection Act 1988
Its definition is wider and includes chronologically ordered sets of manual records containing personal data. Personal data that has been anonymised also falls within the GDPR's scope
What are the sensitive personal data of the GDPR
- race
- ethnic origin
- politics
- religion
- trade union membership
- genetics
- biometrics
- health
- sex life
- sexual orientation
Which is the most significant principle under the GDPR
Accountability Principle
How does the Accountability principle work under the GDPR
It requires firms to show how they comply with the principles, i.e. keeping records/documentation of the decisions they take about processing activities
Under the GDPR, the data protection principles set out
They set out the main responsibilities for organisations
What is required for processing to be lawful under the GDPR
Firms need to identify a lawful basis before they can process personal data, and document it
How does the lawful basis affect an individual's rights
The firm has to rely on someone's consent
How must consent under the GDPR be given
It must be a freely given, specific, informed and unambiguous indication of the individual's wishes
Under the GDPR consent can’t be inferred from
It can’t be inferred from silence, pre-ticked boxes or inactivity
Under the GDPR consent is separate from
It is separate from other terms and conditions and must be verifiable
Under the GDPR, what are the new rights for individuals and the existing ones under the DPA
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- right in relation to automated decision making and profiling
What is more significant under the GDPR
Accountability and transparency
What are the good practice tools for accountability and governance used by firms
Privacy impact assessments and privacy by design
Under the GDPR, to whom should data breaches be reported
All organisations have a duty to report a data breach to the relevant supervisory authority and, in some cases, to the individuals affected
What restriction does the GDPR impose on the transfer of data
It imposes restrictions on the transfer of data outside the EU to third world countries or international organisations
Why does the GDPR impose restrictions on these areas of data transfer
This is done to ensure that the level of protection of individuals afforded by the GDPR is not undermined
The Data Protection Act 2018 came into effect in May 2018 so as to coincide with
The implementation of the GDPR and the Law Enforcement Directive (LED)
What is the aim of the Data Protection Act 2018
It aims to modernize data protection laws to ensure they remain effective in the years to come
The GDPR has direct effect across EU member states and organisations have to comply with it; however, what does it also allow
It allows member states limited opportunities to make provision for how it applies in their country; thus in the UK it has been included as part of the Data Protection Act 2018. It is important that the GDPR and the DPA 2018 be read side by side
What are the main elements of the Data Protection Act 2018
- General Data Processing
- Regulation and Enforcement
For Regulation and Enforcement, fines on controllers and processors for the most serious data breaches are up to
Up to 17 million pounds or 4% of global turnover
For Regulation and Enforcement, where a data controller or processor has altered records with intent to prevent disclosure following a subject access request, what should the punishment be
Criminal proceedings for the offence
When considering the storage and disposal of documents, insurance organisations must adhere to the following basic principles
- Restricted Access
- File saving and backup
- Source documentation retention
- Protection against theft
- Copyright
- Use of passwords
- File disposal
For restricted access with physical paperwork, what should a firm ensure
Paperwork is locked in a filing cabinet
For restricted access with computers, what should a firm ensure
Have sophisticated access controls for each user, with additional restrictions distinguishing view-only data from data that can be operated on
Why has the need for greater sophistication in restricting access to sensitive data increased
This is due to the tremendous growth in the use of mobile equipment, allowing more access points, and also an increase in the illegal activities of people attacking companies' systems
Why are more individuals attacking companies' systems
To extract data for fraudulent aims, theft or ransom, or simply to disrupt the company as a means of protest
Online backup is similar to
Cloud backup. It simply means backing up to a service provider's site
How do customers pay a service provider to handle backups
Pricing is based on capacity, frequency and backup size, bandwidth and number of users
Which companies are prime use cases for online backup
Companies with lower backup volumes and smaller IT teams
Online computer backup service providers must assure what in terms of security
They must assure firms that their data is safe and that the service providers' processors comply with current legislation
Most online backup products feature
Encryption and access control
In order to maintain documentation retention, what must a firm ensure
It must ensure that original source data is stored in a secure, separate building.
How can a firm import a computer virus
By allowing unauthorized software to be imported onto a computer system
What could an imported computer virus do
In its worst form it could jeopardize all of the data held on the computer/network.
Apart from computer viruses, what is another way that an insurer's documents can be attacked
When an unauthorized person gains access to, steals or corrupts data relating to individuals and corporations.
What is Copyright
Computer data originated by an organisation is entitled to legal protection
What happens if data is copied whilst protected by copyright
This means an infringement has occurred, which is an illegal act; the person doing/permitting this illegal act is liable to prosecution
What are the usual failings of passwords
- use of simple references to close family
- use of dates of birth/family ages/telephone numbers
- use of favorite animal names
- inadvertently allowing others to use your password
- leaving machine unattended without logging out
- not changing password regularly
Even with the use of a strong password, how can malware enter a system
It can enter via an email account, where the user opens the email thinking it is harmless. The malware then establishes itself on the individual machine and spreads to major sections of the system
What will help overcome password failings
Strict company rules and an ongoing security awareness programme within the business
Who is allowed to dispose of files
Only authorized personnel
Which information is kept for a long time
Information on a policy that is in force and has a liability element, as there is always a possibility of a claim arising
Which information is kept for a short time
Information relating to a quotation that was never taken up by a proposer
For written or printed confidential information, what is used to dispose of it
An authorized person uses a paper shredder system
What is another method of disposal of written or printed confidential information
Confidential waste is stored separately and disposed of regularly by specialist confidential waste contractors. This more expensive alternative is operated by banks and building societies
Corporate data must be protected from
- malicious alteration
- deliberate destructive acts
- industrial espionage
Personal data must be protected from
- being used for blackmail
- unauthorized disclosure
Why is computer security becoming an ever more key issue
Due to the rapid development of Local Area Networks (LANs) and the widespread use of Wi-Fi
Under the GDPR, what are data controllers supposed to inform the Information Commissioner of
They must notify the Office of the Information Commissioner with details of the data held and its purpose. The Information Commissioner then maintains a register of this information
What is the duty of the Information Commissioner
To oversee the working of the data processing law
When is a data controller said to have committed an offence
When they fail to comply with the data processing principles, or if they process data without notifying the Office of the Information Commissioner
When can personal data be transferred to territories outside the EU
If the country/territory to which it is transferred ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Under the Money Laundering Regulations, disclosure of data to the NCA is permitted
Where there are actual or suspected money laundering activities
What is the Computer Misuse Act 1990
This Act was passed to provide a deterrent against all kinds of unauthorized computer access
What are the three new criminal offences created by the Computer Misuse Act 1990
- unauthorized access to a computer
- unauthorized access to a computer with intent to commit a serious crime
- unauthorized modification of computer material
What does the Computer Misuse Act 1990 also set out
It sets out maximum penalties for the new criminal offences
What are price comparison sites/aggregators
These are websites used for purchasing insurance; they enable a client to gain several quotes via an electronic e-quote form
How do price comparison websites communicate with insurers
They conclude agreements with a number of insurers to provide comparative quotes based on a pre-determined list of specific needs as disclosed by potential clients
What do price comparison websites optimize
They optimize user experience, customer insights and search engine performance across a variety of mobile platforms
What is the criticism for price comparison sites
They focus too much on price
What does the Internet of Things involve
It involves communication and interaction between networked devices that relay information across the network
The connected devices on the Internet of Things include
Sensors that can control temperature, sense smoke or detect the escape of water from leaky pipes
How do Internet of Things devices help insurers
They help insurers underwrite policies more accurately and offer personalized cover, as they are a key source of real-time data on customers
For the Internet of Things, the collection and processing of detailed data gives rise to which challenges
- who will be allowed to collect the data
- how will the data be stored
- how will the data be used
- who will have access to the data
What is telematics
This consists of high-frequency motion sensors which capture how the car is driven
Where has telematics been commonly used
Emergency services and Formula One teams
Telematics provides which type of information
- the time of day/night the car is driven
- the speed at which it was driven
- how smoothly it is driven
- whether breaks are taken on long journeys
- how many motorway miles are driven
- the total mileage
- the total number of journeys made
Who will have access to the information provided by telematics
The aggregator collecting the information, the insurer and the software provider
How is social media defined
It is defined as a collection of online media tools and channels that foster communication and conversation, not only delivering content but also allowing interaction and participation in the development of the content being discussed
For insurers, how is social media helpful
It can provide a continuous, interactive relationship with the customer; it offers multiple opportunities to listen to and engage with individuals and communities in a highly personalized dialogue
What are some of the advantages of social media to insurers
- They present a potential reputational risk, whereby action is taken against an organisation if it is considered to be unfair by the public; these detrimental comments can spread rapidly, nationally or even internationally, through a social media campaign
- A lot of consumer information from communication with the insurer is also stored and protected in the social media database, thus bringing additional risk
How do insurers use apps
They use apps for reporting and managing claims on motor and household policies. These apps also allow the insured to take photos with their camera phone and upload them, and claims contact information is made available quickly to record the claim details
The future of data gathering and storage within the insurance industry is shaped by
General Data Protection Regulation (GDPR)
What are the key areas which will be specifically affected by the GDPR in data gathering and storage
- An underwriter is required to collect and review personal data of applicants ranging from demographics to more sensitive special category data; any misprocessing of this sensitive data will attract a higher fine under the two GDPR fine brackets (4% of global annual turnover or 20 million pounds)
- The more personal data obtained, the more it will help in pricing a risk, but in order to process such information on a large scale, companies need to carry out a formal data protection impact assessment
- Under the GDPR, marketing (selling individuals' personal data to insurers etc.) requires a positive opt-in by individuals to state their consent and preference on whether they want to be contacted. This consent is given freely, and individuals can easily withdraw their consent and be forgotten. Data subjects also have the right to receive the personal data held by a controller or to have it transmitted to another controller
What does a data protection impact assessment require
It requires companies to carefully record the necessity and proportionality of processing, assess the risks posed to the rights and freedoms of data subjects and document the planned measures to address these risks
When insurers use direct marketing methods, where do they collect data
- They collect data directly
- They also purchase data from third party providers
What are insurance companies required to do to comply with all the GDPR's new rights and other changes
They will have to review and make the appropriate changes to improve their IT infrastructure, and revisit their data retention and disposal policies
Personal cyber protection insurance is marketed for which type of companies
It is marketed for High Net Worth Individuals (HNWI)/commercial companies
How are cyber products distributed
They are distributed through brokers as standalone cyber protection insurance or as an add-on product to home cover
For cyber products distributed as add-on products to home cover, what type of cover do they provide
The policy will cover everyone in the household against loss due to
- defamation
- cyber bullying
- loss of insured data
- online retail/banking fraud
What is ransomware
This is when a cyber bully restricts access to the infected system until a ransom is paid
Thus, in summary, what are the challenges facing the insurance industry
- Price Comparison sites
- Internet of things
- Telematics
- Social Media
- Mobile Technology
- GDPR and Data Protection
- Cyber Crime