Data Security Flashcards

1
Q

Is data valuable?

A

Yes

There’s a lot of data and it’s easy to get, due to the high digitalisation of information and increasing bandwidth

Declining costs of digital communication

More portable computers and communication equipment - can access the internet anywhere, anytime and in lots of different ways

Can make a lot of money by selling data - can be used to target ads and manipulate views

2
Q

Define anonymity

A

The absence of identity

3
Q

What are the two types of anonymity?

A

Pseudo - give people fake IDs, nothing that would tell you who they really are. To find out, you’d have to link all the information between systems yourself

Untraceable - not anonymous, but they’ve given a false name, e.g. when you sign up for an email account you don’t have to give your name

4
Q

Does GDPR apply to anonymous data?

A

Only if it’s truly anonymous

5
Q

What are the advantages of anonymity on the internet?

A

Allows for whistleblowing

Protection against personal abuse

6
Q

What are the disadvantages of anonymity on the internet?

A

People can post malicious information without being traced

Hard to resolve disputes if you can’t check facts

7
Q

What does GDPR stand for?

A

General Data Protection Regulation

8
Q

What is a data controller and how does the GDPR affect them?

A

They determine how and why data should be processed

GDPR places obligations on them to ensure contracts with processors comply with GDPR

9
Q

What is a data processor and how does GDPR affect them?

A

They are responsible for processing the data on behalf of the controller

GDPR holds them legally liable for any breaches

10
Q

In terms of GRiST, who is the data controller and who is the data processor?

A

The mental health trusts are the data controller, as they define what data should be collected and how. Data is held with the mental health trust, as they hold the medical data, and they are responsible for protecting the information they collect

The GRiST team are the data processors, as they process the data and provide the software and functionality. GRiST stores anonymous data; they need to find a way to process and store it and give it to the data controller (e.g. if they need to access previous records). If they lose the data, people will be seriously affected

11
Q

What does GDPR apply to?

A

Organisations that operate within the EU, or offer goods or services to the EU. If data on EU citizens is stored, it applies

12
Q

What does GDPR not apply to?

A

Processing covered by the law enforcement directive
Processing for national security
Processing by an individual for personal/household activities

13
Q

Define personal data

A

Any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier

14
Q

Give examples of personal data

A

Name, postcode, location, IP address, MAC address, etc.

15
Q

What is sensitive personal data?

A

Where processed to uniquely identify an individual: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

16
Q

GDPR says personal data must be:

A

Processed lawfully, fairly and in a transparent manner in relation to individuals

Collected for specific, explicit and legitimate purposes

Adequate, relevant and limited to what is necessary

Accurate, and, when necessary, kept up to date

Kept in a form that permits identification for no longer than necessary

Processed in a manner that ensures appropriate security of the personal data

17
Q

Name the lawful bases for processing data

A
  1. Consent - the individual has given clear consent for you to process their personal data for a specific purpose. You will need this if their details are given to third parties for things like ads
  2. Contract - the processing is necessary for a contract you have with an individual, or because they have asked you to take specific steps before entering into a contract
  3. Legal obligation - the processing is necessary for you to comply with the law (not including contractual obligations)
  4. Vital interests - the processing is necessary to protect someone’s life
  5. Public task - the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
  6. Legitimate interests - the processing is necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the individual’s data which overrides those interests. This cannot apply if you are a public authority processing data to perform your official tasks
18
Q

When is processing necessary?

A

Must be a targeted and proportionate way of achieving the purpose

The lawful basis will not apply if you can reasonably achieve the purpose by some other, less intrusive, means

It links to the stated purpose of your business

  • processing is not necessary if that purpose can be achieved without it
  • is there a choice about whether or not you process the data?
19
Q

What is the process for choosing a lawful basis?

A

Must be done before you start processing
- not easy to change retrospectively without being unfair to the individual

Important to get it right first time

Easy if you are processing for legal obligation, contract, vital interests, or public task purposes

  • if not, the appropriate lawful basis might not be so careful
  • in many cases, you have to choose between legitimate interests and consent