Data Protection and Security

Question 1

Why is ethical data management important?

Answer 1

• Technologies moves faster than legislation
• Understanding ethical concerns that form the basis of legislation ensures privacy, freedom and autonomy

Question 2

What are the ethical principles of data management?

Answer 2

• Transparency
• Fairness
• Privacy

Question 3

Who should be clear about what data is collected and why it is collected?

Answer 3

• Data Subject
• Data Handler

Question 4

What is a Data Subject?

Answer 4

The person whose data is stored or processed

Question 5

Policies should be…

Answer 5

• Clearly written
• Available

Question 6

Privacy policies should be set as….

Answer 6

Default

Question 7

What is needed to collect additional data?

Answer 7

Data Subject’s consent

Question 8

Should an organisation follow certification schemes for data protection?

Answer 8

Yes

Question 9

What do you need to make clear if you are using automated decision making?

Answer 9

The ethical aspects that have been considered in the decision to avoid discrimination

Question 10

What does fairness mean with respect to ethical principles?

Answer 10

Considering the impact of data handling on people and their interests

Question 11

Personal data use should be [BLANK] for all involved parties

Answer 11

Fair

Question 12

True or False: Misuse should be avoided

Answer 12

TRUE

Question 13

True or False: Impact of Failures does not need to be considered

Answer 13

FALSE

Question 14

What sensitive data is not allowed to be used in automated decision making?

Answer 14

• Race
• Religion
• Political preference
• Sexual Orientation
• Disability

Question 15

Data should only be used in the [BLANK] the user has consented to.

Answer 15

Context

Question 16

True or False: Users should be able to correct their data

Answer 16

TRUE

Question 17

What does respect mean with regards to ethical considerations?

Answer 17

The consideration for data subjects

Question 18

Which of the following should data managers prioritise:
* The interests of the data subject
* The benefits for the organisation deriving value from the data

Answer 18

The interests of the data subject

Question 19

What is unethical data handling?

Answer 19

• The rights of the individual are harmed
• The individual loses control of their data

Question 20

What should be collected from an individual for specific use of data

Answer 20

• Consent
• Authorisation

Question 21

Why is Big Data a concern for ethical data management?

Answer 21

• Data is aggregated from different sources
• Data is linked to provide enriched information

Question 22

What are concerns in Big Data?

Answer 22

• Inappropriate data sharing
• Idenfication of individuals

Question 23

What is inappropriate data sharing?

Answer 23

Sharing personal data with third parties without the consent of the data subject

Question 24

What is data anonymisation?

Answer 24

Applying privacy-preserving transformation to data

Question 25

Do any further measures need to be applied to anonymised data to comply with data protection rules?

Answer 25

No

Question 26

Is data anonymisation a foolproof solution?

Answer 26

No, the identity can still be inferred from other data characteristics

Question 27

How is the identification of individuals a concern in Big Data?

Answer 27

When used with data profiling

Question 28

What is profiling?

Answer 28

• Correlations in data that can be used to identify a data subject
• Identifying a data subject as a member of a group or category

Question 29

What data mining techniques does profiling use?

Answer 29

• Descriptive data mining
• Predictive data mining

Question 30

What is descriptive data mining?

Answer 30

Creating profiles from groupings discovered by the data

Question 31

What is the outcome from descriptive data mining?

Answer 31

Descriptions of characteristics and relationships for the discovered groups

Question 32

What is predictive data mining?

Answer 32

Using labelled data to learn relationships between characteristics and class membership

Question 33

What do predictive data mining models predict?

Answer 33

Membership of a group with a given certainty

Question 34

When might predictive profiling be used?

Answer 34

• Recommender systems
• Personalised services
• Anomaly detection systems

Question 35

What are the risks associated with profiling and data mining?

Answer 35

• Discrimination
• De-individualisation
• Information asymmetry
• Unfair treatment

Question 36

What is discrimination in profiling?

Answer 36

• Models trained with biased data
• Model exhibits discrimination
• Results used in a discriminate way

Question 37

What is de-individualisation?

Answer 37

Applying all group characteristics to an individual

Question 38

What is information asymmetry?

Answer 38

• Upsetting the balance of power between government and citizens or businesses and customers
• May lead to denying service due to a profile-based decision (e.g denying credit)

Question 39

What is unfair treatment with relation to profiling?

Answer 39

• May stigmatise indivuals / negatively affect social ties
• Individuals may not share all group characteristics and should not be treated as though they do

Question 40

True or False: Decisions made by profiling algorithms may not be explainable

Answer 40

TRUE

Question 41

What should profiling data models exclude to avoid disccrimination

Answer 41

Sensitive data such as gender, race or political beliefs

Question 42

What are risks associated with revealing Personal Identification Information online?

Answer 42

• Social engineering
• Phishing
• Identity theft

Question 43

What is the most common platform that people reveal Personal Identification Information on?

Answer 43

Social media

Question 44

What are the risks of revealing location information?

Answer 44

• Stalking
• Demographic re-identification

Question 45

What is demographic re-identification?

Answer 45

• Sharing information such as location, gender and date of birth which leads to narrow identification

Question 46

Why do data aggregation companies threaten privacy?

Answer 46

• Collect data available online or on social profiles
• Sell this onto third parties such as insurance or rating companies

Question 47

What is public surveillance?

Answer 47

Government agents using online information, video or or data to surveil individials

Question 48

What rights does public surveillance harm?

Answer 48

• Right to privacy
• Autonomy

Question 49

Where do IoT devices face more cybersecurity threats?

Answer 49

When they are out in the open rather than under physical control of system administrators

Question 50

What are the risks associated with limited access to technology?

Answer 50

• Underrepresentation of certain groups
• Partial, incorrect or non-representative data

Question 51

What is discrimination by algorithm?

Answer 51

Automated decisions resulting in unfair treatment on an individual based on a protected characteristic

Question 52

Why might discrimination by algorithm occur?

Answer 52

Bias or predjudice is present in the training data, which is then replicated by the trained model

Question 53

True or False: Real world data is likely biased as information on the internet comes from external sources

Answer 53

TRUE

Question 54

What are methods of best practice for avoiding discrimination by algorithm?

Answer 54

• Using unbiased training data
• Paying attention to class balance
• Using adequate feature selection for minority groups

Question 55

Why do we have data protection principles?

Answer 55

Protect personal data from collection and processing by third parties

Question 56

What are the origins of data protection principles?

Answer 56

Universal human rights

Question 57

What are examples of regional data protection laws?

Answer 57

• Singapore Personal Data Protection Act
• Indian Data Protection Act
• Privacy Framework of the Asia-Pacific Economic Cooperation (APEC)
• General Data Protection Regulation (GDPR)

Question 58

When did GDPR first come into effect?

Answer 58

May-18

Question 59

What is GDPR?

Answer 59

A framework for the protection and privacy of data during data collection, storage and processing

Question 60

What does GDPR apply to?

Answer 60

Any information relating to an individual or identifable individual

Question 61

What are the roles defined by GDPR?

Answer 61

• Data Subject
• Data Controller
• Data Processor

Question 62

What does a data controller do?

Answer 62

• Holds collected data
• Defines how data is collected and processed

Question 63

What does a data processor do?

Answer 63

Collects and processes data on behalf of data controllers

Question 64

How many principles are in GDPR?

Answer 64

Seven

Question 65

What are the seven GDPR principles?

Answer 65

• Lawfulness
• Data Minimisation
• Confidentiality
• Accuracy
• Accountability
• Storage Limitations
• Purpose Limitations

Question 66

What else does Lawfulness encompass in GDPR?

Answer 66

• Fairness
• Transparency

Question 67

What are accepted legal grounds for collecting data?

Answer 67

• Consent
• Public interest
• Legitimate interest

Question 68

What is needed when sensitive data is collected?

Answer 68

Explicit consent from the data subject

Question 69

What is legitimate interest?

Answer 69

Collecting data for legal purposes or to fulfil admin obligations

Question 70

What does handling data with fairness mean?

Answer 70

Data should be handled in a fair and reasonable fashion from the perspective of the data subject

Question 71

What does Purpose Limitation mean in GDPR?

Answer 71

• Data is only stored and processed in line with legitimate and clearly specified purposes
  *Other storage and process must not be carried out

Question 72

What is Data Minimisation in GDPR?

Answer 72

Data should be:
* Appropriate
* Relevant
* Limited
* Indispensible

for meeting the purposes of collection

Question 73

What should be defined before the data collection process begins?

Answer 73

The minimum amount of data required

Question 74

What does Accuracy mean according to GDPR?

Answer 74

Ensuring information is accurate and up to date

Question 75

According to GPDR, who is responsible for ensuring data is accurate?

Answer 75

• Data Controller
• Data Handler

Question 76

What does GDPR obligate an organisation to do if a data subject says their information is outdated?

Answer 76

Rectify the data

Question 77

What is Storage Limitation according to GDPR?

Answer 77

• Keeping data for only as long as is necessary
• Ideally automating any deletion or anonymisation processes

Question 78

According to GDPR, what should a Storage Limitation policy define?

Answer 78

• How long data is kept for
• When data is deleted or anonymised

Question 79

What does the Confidentiality principle of GDPR cover?

Answer 79

• Requirements for data controllers and data processors to maintain data security
• All information must be treated as sensitive
• Data integrity must be protected

Question 80

What must data controllers and processors protect against?

Answer 80

Unauthorised or unlawful:
* Access
* Processing
* Loss
* Destruction
* Damage

Question 81

What does Accountability mean in GDPR?

Answer 81

The responsibility of the data controller to comply with GDPR

Question 82

When can exceptions be made to GDPR?

Answer 82

• Where set out in union or member state law
• When justified in the public interest (eg for public health or safety)
• When based on legitimate interest

Question 83

What is the “Right of information”?

Answer 83

Knowledge of which personal data are collected and processed

Question 84

What is the “Right to know the source of personal data”?

Answer 84

Data controllers must tell data subjects about which data processors are collecting and processing their data and if a third party is involved.

Question 85

What is the “Right of access”?

Answer 85

Data subjects can ask for a copy of their personal data

Question 86

What is the “Right to rectification”?

Answer 86

Data subjects can request corrections to data

Question 87

What is the “Right to erasure”?

Answer 87

• Also known as the “right to be forgotten”
• Individuals can request deletion of personal data

Question 88

What is the “Right to object processing”?

Answer 88

• Individuals can object to processing
• This means the data controller needs to stop processing the data

Question 89

What is the “Right to restrict processing”?

Answer 89

• Refers to processing constraints
  *If there is a claim about the correctness of data, the data can request restriction of data processing while the claim is resolved

Question 90

What is the “Right to be notified”?

Answer 90

Data subjects must be notified of:
* Further data processing
* Deletion of data
* Breaches or unauthorised data access

Question 91

What is the “Right to data portability”?

Answer 91

• Enables free flow of data
• Individuals can request their data in a portable format (where feasible)

Question 92

What is the “Right to not be subject to profiling”?

Answer 92

• Before automated decision making processes are put into place, data controllers must carry out a Data Impact Assessment to asses privacy-related risks
• Automated decisions require explicit consent from the individual (except where required by law, eg tax fraud detection)
  *Data subjects have the right to receive information about the logic of the automated decision making process

Question 93

What should data systems be designed to do?

Answer 93

Minimise risk in the event of a data breach

Question 94

How might a data system minimise risk in the event of a data breach?

Answer 94

• Anonymise data
• Restict collected data to only absolutely necessary data

Question 95

What two principles does GDPR define in relation to data security?

Answer 95

• Data protection by design
• Data protection by default

Question 96

What is data protection by design?

Answer 96

Implementing data protection principles into the system from the first stage of development

Question 97

What is data protection by default?

Answer 97

The highest possible data security settings should be the default setting for the whole system

Question 98

What does a data controller need to ensure that a processing system has?

Answer 98

• Confidentiality
• Integrity
• Availability
• Resilience

Question 99

What measures might be implemented within a data system to enqure security and reliability?

Answer 99

• Strong access controls
• Effective restoring mechanism in the event of technical incidents
• Protecting servers against external threats
• Closed systems for data processing

Question 100

What techniques should data controllers implement to secure data?

Answer 100

• Anonymisation
• Pseudonymisation
• Encryption

Question 101

What is anonymisation?

Answer 101

• A technique to remove Personal Identification Information (PII)
• Aims to remove personal data so that it is extremely unlikely that individuals can be re-identified

Question 102

What situations is anonymisation used for?

Answer 102

• Data sharing
• Data analysis of sensitive data
• Using data for other purposes

Question 103

What are the four categories of attributes that need to be treated differently in relation to anonymisation?

Answer 103

• Explicit identifiers
• Quasi-identifiers
• Sensitive information
• Non-sensitive information

Question 104

What are explicit-identifiers?

Answer 104

• attributes that directly identify an individual
• such as full name, email address

Question 105

What are quasi-identifiers?

Answer 105

• Attributes that do not individually identify an individual but might if used in combination
• such as postcode, gender, data of birth

Question 106

What is sensitive information?

Answer 106

• Private information that must not be revealed
• such as health or financial information, political beliefs, sexual orientation

Question 107

What is non-sensitive information?

Answer 107

• Information with no link to an individual
• such as climate data

Question 108

What is re-identification?

Answer 108

Reconstructing sensitive data from anonymised data

Question 109

What models are available to anonymise data?

Answer 109

• K-Anonymity
• Differential privacy
• T-Closeness
• L-Diversity

Question 110

What methods are available to anonymise data?

Answer 110

• Suppression of attributes
• Generalisation of attributes
• Permutation of attributes
• Preturbation of attributes

Question 111

What is the effect of the information and utility loss of data caused by anonymisation?

Answer 111

Minor to negligible impact on the results, depending on context.

Question 112

What is pseudonymisation?

Answer 112

The process of replacing Personal Identification Information with random identifiers

Question 113

What does pseudonymisation use to track the substitution of data with random identifiers?

Answer 113

A linkage table

Question 114

Why is pseudonomysed data able to be used for data analysis?

Answer 114

It does not contain any Personal Identification Information

Question 115

How can reidentification be carried out on pseudonomysed data?

Answer 115

By using the linkage table to retrieve the individual’s identity

Question 116

What are the key considerations when using data in scientific research?

Answer 116

• Data integrity and confidentiality (large amounts of sensitive data)
• Data quality (critical for achieving reliable research results)

Question 117

What are the two approaches to comply with GDPR in scientific research

Answer 117

• Obtain broad consent (difficult to specify future use cases)
• Anonymise personal information in the data (complete anonymisation impossible due to links to other genomic information)

Question 118

How does GDPR describe anonymity?

Answer 118

• A technique to prevent identification by reasonable or “appropriate” means
• Appropriate is never clearly defined so open to interpretation

Question 119

What protection does encryption provide?

Answer 119

• Protects confidentiality
• Protects data integrity

Question 120

How does encryption protect data?

Answer 120

Converts data into ciphertext which is unreadable for unauthorised users

Question 121

How is ciphertext decipherd?

Answer 121

Using a password or secret key held by authorised users

Question 122

What is encryption at rest?

Answer 122

Encryption applied to archived datasets

Question 123

What is encryption in transit?

Answer 123

Encryption applied to data being transferred over a network

Question 124

What are the different types of encryption techniques?

Answer 124

• Symmetric encryption
• Asymmetric Encryption
• Quantum Encryption
• Homophoric Encryption

Question 125

What is symmetric encryption?

Answer 125

Uses the same key for encryption and decryption

Question 126

What are examples of symmetric encryption algorithms?

Answer 126

• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• Blowfish

Question 127

What is Asymmetric encryption?

Answer 127

• Uses a pair of public and private keys
• Referred to as “public key cryptography”

Question 128

How are public keys and private keys used in asymmetric encryption?

Answer 128

• Public key - encryption
• Private key - decryption

Question 129

What are examples of asymmetric encryption algorithms?

Answer 129

*RSA (Rivest, Shamir & Adleman)
* Diffie - Hellman

Question 130

What is Elliptic Curve Cryptography?

Answer 130

A public-key cryptography approach based on the algebra of elliptic curves

Question 131

How do Hash Functions work?

Answer 131

Create a unique, fixed-length digital fingerprint of the data that can be used to verify the integrity of the data

Question 132

What are examples of cryptography hash functions?

Answer 132

• SHA-256
• MD-5

Question 133

What makes a hash function more secure?

Answer 133

• The length of the key
• This relates to the different possible combinations available

Question 134

Besides security implications, what else is important in choosing the encryption method?

Answer 134

• The type of data being encrypted
• Performance needs

Question 135

What are the most commonly used encryption algorithms?

Answer 135

• AES
• RSA

Question 136

What are key stores?

Answer 136

Secure storage and management solutions for cryptographic keys

Question 137

What are the two different types of key stores?

Answer 137

• Hardware Security Modules
• Cloud-based key stores

Question 138

What are hardware security modules?

Answer 138

• Physical devices
• Range from personal cryptographic chipsets through to hardware modules deigned for massive cryptographic operations

Question 139

What are cloud-based key stores?

Answer 139

• Provde centralised key management and secure key storage

Question 140

What are examples of cloud-based key storage solutions?

Answer 140

*Amazon Key Management Services
* Azure Key Vault

Question 141

How does application encryption work?

Answer 141

• Data is encrypted during transmission over the network
• Uses SSL (Secure Socket Layer) or TLS (Transport Layer Security)

Question 142

Why is application encryption described as having a transparent approach?

Answer 142

• Key management is performed automatically by the server
• The user does not handle keys of encryption

Question 143

How does database encryption work?

Answer 143

• Sensitive information is encrypted with a symmetric encryption algorithm such as AES
• Keys are stored securely and seperately from encrypted data

Question 144

What are the different types of database encryption available?

Answer 144

• Transparent Data Encryption (TDE)
• Column-level Encryption
• File-level Encryption
• Application-level Encryption

Question 145

How does Transparent Data Encryption work?

Answer 145

• Encrypts data at rest and in transit
  *Attaches a data encryption module which is handled by the RDBMS

Question 146

How does Column-level encryption work?

Answer 146

• Encryption is only used as needed, which improves performance
• Encrypts specific columns holding sensitive data

Question 147

How does File-level encryption work?

Answer 147

Encrypts individual database files on the disk such as data files, index files and backups

Question 148

Where is file-level encryption used?

Answer 148

• Portable devices (eg laptops)
• Cloud database

Question 149

How does application-level encryption work?

Answer 149

• Used for highly sensitive information
• Encrpyts data within the application before storing it in a database
• Manages the keys and encryption process

Question 150

What is data at rest?

Answer 150

Data in tables, logs, tablespaces and backups

Question 151

What is data in transit?

Answer 151

Data retrievals over the network

Question 152

How does MongoDB encrypt data?

Answer 152

• Encrypts data at rest
• Supports 256-bit AES encryption
• Uses internal encryption and external key management systems

Question 153

How does Oracle SQL Database encrypt data?

Answer 153

• Uses Transparent Data Encryption and Advanced Security Options (ASO)
• Uses secure key stores for network encryption and advanced authorisation

Question 154

How does MySQL encrypt data?

Answer 154

• Encrypts data at rest
• Uses encrypted storage engines or Keyring-file plugin

Question 155

How does AWS S3 encrypt data?

Answer 155

Uses server side encryption with Amazon S3-Managed Keys or AWS Key Management Service

Question 156

How does Microsoft Azure encrypt data?

Answer 156

• Encrypts data at rest with Azure Storage Service Encryption
• Encrypts data in transit with Transport Layer Security

Question 157

What open source data encryption solutions are available?

Answer 157

• VeraCrypt
• GnuGP
• Dm-Crypt
• LUKS
• AxCrypt
• Bitlocker
• FileVault
• Boxcryptor

Question 158

How does data masking work?

Answer 158

• Substitutes original data with randomised values

Question 159

Why is data masking used?

Answer 159

• Ensure only necessary data is exposed
• Obfuscated data can be used without compromising privacy

Question 160

What is the difference between data encryption and data masking?

Answer 160

Data masking ensures that algorithms or other methods can’t be used to reverse engineer the data

Question 161

What are the techniques used in data masking?

Answer 161

• Shuffling
• Scrambling
• Substitution
• Data aging
• Varience
• Nullifying
• Character masking

Question 162

What is shuffling in data masking?

Answer 162

Randomly reorders the values of a column

Question 163

What is scrambling in data masking?

Answer 163

Reorders the aphanumeric characters in a data value to change the value

Question 164

What is substitution in data masking?

Answer 164

Replaces the original sensitive content with other valid values

Question 165

What is important to do when data masking using substitution?

Answer 165

The replaced values must preserve the originial characteristics of the data

Question 166

What is data aging in data masking?

Answer 166

• Modifies numerical values
• Adds or rests a random offset

Question 167

What is data variance in data masking?

Answer 167

• Modifies numberical values
• Adds noise according to the data distribution

Question 168

What is nullifying in data masking?

Answer 168

Substitutes original values with null values

Question 169

What is character masking in data masking?

Answer 169

• Substitutes part of the original value with a given character (such as asterisks)
• Only part of the originial value remains

Question 170

What is static data masking?

Answer 170

• A copy of the original data is made, with sensitive fields obfuscated
• Easier to implement
• Less flexible

Question 171

What is dynamic data masking?

Answer 171

• Obfuscates information based on role based policies or permission settings
• Flexibility in allowing data access

Question 172

Where is dynamic data masking used?

Answer 172

Production systems

Question 173

What are challenges of data masking?

Answer 173

• Complicated process in large systems
• High resource use leading to performance drops
• Obfuscated data requires maintenance
• Potential loss of data integrity
• Potential sensitive data leakage if masking techniques are insufficient

Question 174

What are some solutions available for data masking?

Answer 174

• Microsoft SQL server uses Redgate SQL data-masker
• Oracle SQL Server uses Oracle data masking and subsetting utility
• Commercial standalone solutions: Delphix Dynamic Platform, Information MDM, IBM Infosphere Data Privacy
• Open source standalone solution: Talend Data Masking

Question 175

What are cloud solutions available for data masking?

Answer 175

• AWS uses Amazon S3 Inventory, Amazon Macie, Amazon RedShift Data Management
• Microsoft Azure uses Azure Security Centre

Question 176

Why do we have data security principles?

Answer 176

Protect sensitive data from unauthorised access, use, disclosure, modification or destruction

Question 177

What are the data security principles?

Answer 177

• Integrity
• Availability
• Confidentiality
• Authenticity
• Non-Repudiation
• Access Control
• Encryption
• Disaster Recovery

Question 178

What does the data security principle of integrity involve?

Answer 178

• Ensuring data can’t be modified by unauthorised means
• Checksums/Digital signatures used by databases to verify data integrity

Question 179

What does the data security principle of availability involve?

Answer 179

• Authorised users have data access when needed
• Data must be replicated and backups scheduled
• Plans are made to account for network interruptions or data loss

Question 180

What does the data security principle of confidentiality involve?

Answer 180

• Data is kept secure
• Access is only by authorised users
• Refers to data at rest and in transit
• Uses encruption techniques, data masking, access control techniques

Question 181

What does the data security principle of authenticity involve?

Answer 181

• Authenticate users to prevent unauthorised access to sensitive data
• Includes passwords, encryption keys, biometric/multi-factor authorisation and methods for intrusion detection/prevention

Question 182

What does the data security principle of non-repudiation involve?

Answer 182

• Registering users and applications accessing sensitive data to create an audit trail
• Traceability
• Uses digital signatures or time stamps to track evolution of information

Question 183

What does the data security principle of access control involve?

Answer 183

• Restics data access to authorised users
• Often role based to establish different access levels and who has read/write/update/delete permissions
• When used in RDBMS can complement firewalls in blocking unauthorised access

Question 184

What does the data security principle of encryption involve?

Answer 184

Protecting data by encipohering data during transmission or storage

Question 185

What does the data security principle of disaster recovery involve?

Answer 185

• Ability to recover and restore data
• Creation of a disaster recovery plan with details of backup creation, secure backup storage and backup restoration

Question 186

What is risk management?

Answer 186

• Identifying, assessing and prioritising risks
• Setting out risk countermeasures

Question 187

What is the first step of the risk management process?

Answer 187

Carrying out a risk analysis to identify potential risks and threats

Question 188

What is the second step of the risk management process?

Answer 188

Estimating the probability of each threat and it’s potential impact. This identifies the most relevent security threats.

Question 189

What is the third step of the risk management process?

Answer 189

Developing mitigation strategies to address critical security risks

Question 190

What is the fourth step of the risk management process?

Answer 190

Monitoring the effectiveness of mitigation strategies and adapting them as needed

Question 191

What is the final step of the risk management process?

Answer 191

• Clearly documenting the risk management plan and mitigation procedures
• Evidencing security risks are well addressed and compliant with security regulations