Data Security Flashcards
Is data valuable?
Yes
There’s a lot of data and it’s easy to get due to high digitalisation of information and increasing bandwidth
Declining costs of digital communication
More portable computers and communication equipment - can access the internet anywhere, anytime and in lots of different ways
Can make a lot of money by selling data - can be used to target ads and manipulate views
Define anonymity
The absence of identity
What are the two types of anonymity?
Pseudo - give people fake IDs, nothing that would tell you who they really were. To find out, you’d have to link all the information between systems yourself
Untraceable - not anonymous, but they’ve given a false name. E.g. when you sign up for an email account, you don’t have to give your name
Does GDPR apply to anonymous data?
Only if it’s truly anonymous
What are the advantages of anonymity on the internet?
Allows for whistleblowing
Protection against personal abuse
What are the disadvantages of anonymity on the internet?
People can post malicious information without being traced
Hard to resolve disputes if you can’t check facts
What does GDPR stand for?
General Data Protection Regulation
What is a data controller and how does the GDPR affect them?
They determine how and why data should be processed
GDPR places obligations on them to ensure contracts with processors comply with GDPR
What is a data processor and how does GDPR affect them?
They are responsible for processing the data on behalf of the controller
GDPR holds them legally liable for any breaches
In terms of GRiST, who is the data controller and who is the data processor?
The mental health trusts are the data controller, as they define what data should be collected and how. Data is held with the mental health trust as they hold the medical data; they are responsible for protecting the information they collect
The GRiST team are the data processors as they process the data and provide the software and functionality. GRiST store anonymous data; they need to find a way to process and store it and give it to the data controller (e.g. if they need to access previous records). If they lose the data, people will be seriously affected
What does GDPR apply to?
Organisations that operate within the EU, or offer goods or services to the EU. If data on EU citizens is stored, it applies
What does GDPR not apply to?
Processing covered by the law enforcement directive
Processing for national security
Processing by an individual for personal/household activities
Define personal data
Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier
Give examples of personal data
Name, postcode, location, IP address, MAC address, etc.
What is sensitive personal data?
Where processed to uniquely identify an individual: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
GDPR says personal data must be:
Processed lawfully, fairly and in a transparent manner in relation to individuals
Collected for specific, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate, and, when necessary, kept up to date
Kept in a form that permits identification for no longer than necessary
Processed in a manner that ensures appropriate security of the personal data
Name the Lawful Bases for Processing Data
- Consent - the individual has given clear consent for you to process their personal data for a specific purpose. You will need this if they give their details for 3rd parties for things like ads
- Contract - the processing is necessary for a contract you have with an individual or because they have asked you to take specific steps when entering into a contract
- Legal Obligation - the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital Interests - the processing is necessary to protect someone’s life
- Public Task - the processing is necessary for you to perform a task in the public’s interest or for your official functions, and the task or function has a clear basis in the law
- Legitimate Interests - the processing is necessary for your legitimate interests or those of a 3rd party, unless there is good reason to protect the individual’s data which overrides those individual interests. This cannot apply if you are a public authority processing data to perform your official tasks
When is processing necessary?
Must be a targeted and proportionate way of achieving the purpose
Lawful basis will not apply if you can reasonably achieve the purpose by some other, less intrusive, means
It links to the stated purpose of your business
- processing is not necessary if that purpose can be achieved without it
- is there a choice about whether or not you can process the data?
What is the process for choosing legal purposes?
Must be done before you start processing
- not easy to change retrospectively without being unfair to the individual
Important to get right first time
Easy if you are processing for legal obligation, contract, vital interests, or public task purposes
- if not, the appropriate lawful basis might not be so clear
- in many cases, have to choose between legitimate interests and consent