GDPR and other laws (Lecture 7) Flashcards
List some laws relating to Information Security
Computer Misuse Act 1990
Obscene Publications Act 1964
Police And Criminal Evidence Act 1984
Network and Information Systems Regulations 2018
General Data Protection Regulation (GDPR), applicable from 25 May 2018
Data Protection Act 1998 (superseded by the Data Protection Act 2018)
The Computer Misuse Act 1990 relates to what offences?
Unauthorised access to computer material
Unauthorised access with intent to commit or facilitate a crime
Unauthorised modification of computer material (now framed as unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer)
Making, supplying or obtaining articles for use in computer misuse offences
The Obscene Publications Act 1964 relates to what offences?
Act aims to strengthen law for preventing the publication for gain of obscene matter and the publication of things intended for the production of obscene matter
includes distribution, circulation, selling, letting, hiring
What is PACE 1984
Police And Criminal Evidence Act
Governs police powers of investigation involving arrest, detention, interrogation, entry and search of premises and personal searches
Code B outlines powers to enter and search premises and seize possessions.
What is Network and Information Systems Regulations 2018?
Applies to two groups of organisations: Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs)
A NIS incident is one that has an adverse effect on the security of network and information systems; it must be reported where the impact on the service has a significant disruptive effect
The ICO is the competent authority for RDSPs; it can enforce NIS and issue fines of up to £17 million
What defines a Relevant Digital Service?
Provide one or more of the following:
Online search engine
Online marketplace
Cloud computing service
Must have its head office in the UK or have nominated a UK representative
Must not be a small or micro enterprise, i.e. must have 50 or more staff, or an annual turnover or balance sheet of more than €10 million
What is PECR 2003
Privacy and Electronic Communications (EC Directive) Regulations 2003
Derived from EU law: implements European Directive 2002/58/EC, also known as the e-Privacy Directive
Complements the GDPR and sets out more specific privacy rights on electronic communications
Specific rules on marketing calls, emails, texts and faxes, cookies, keeping communications services secure, customer privacy with regards to traffic and location data and itemised billing
What is the Data Protection Act 1998, 2018
Designed to protect personal data stored on computers or in organised paper filing systems; the 2018 Act replaced the 1998 Act and supplements the GDPR in UK law
What is the GDPR
General Data Protection Regulation (EU Regulation 2016/679), applicable from 25 May 2018
Designed to give people more control over how their data is used, shared and stored
Requires organisations to be more accountable and transparent about how they use someone's data
Organisations must be able to demonstrate compliance with the data protection principles, not merely claim it (the accountability principle)
What can the ICO do using powers under DPA 2018
Serve information notices requiring organisations to provide specified information within a certain time
Serve assessment notices allowing onsite assessments: enter premises, access documents and interview people. Also issue enforcement notices and monetary penalty notices (fines)
What is a data controller?
A company that collects information about customers, suppliers, employees etc
In relation to personal data, means a person who (alone or jointly with others) determines the purposes for which and the manner in which any personal data are to be processed
What is a data processor?
An organisation that processes data on behalf of another entity (the controller) but does not determine the purpose of the processing, what is collected, how it is processed or how long it is retained
In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller
What are your rights as a data subject? (8)
The right to be informed
The right of access
The right to rectification
The right to erasure (be forgotten)
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
Explain the Right to Be Informed
Individuals have the right to be informed about the collection and use of their personal data. Key transparency requirement under GDPR
Must provide individuals with information including purposes for processing their personal data, your retention period and who it will be shared with (privacy information)
Must be provided at the time of data collection
Must be regularly reviewed and updated if necessary. Any new use of their data must be brought to their attention before that processing starts
Explain Right of Access
Subject access
Gives individuals the right to access and obtain a copy of their personal data as well as other supplementary information
Requests can be made verbally or in writing, and the information should be disclosed securely (for example after verifying the requester's identity)
Explain Right to Rectification
Gives the right for individuals to have inaccurate personal data rectified or completed if it is incomplete
Can make request verbally or in writing
This right is closely linked to the controller's obligations under the accuracy principle of the GDPR
Explain the Right to Erasure (right to be forgotten)
The right to have personal data erased. Individuals can make requests verbally or in writing
Right is not absolute and only applies in certain circumstances
Explain the Right to Restrict Processing
Individuals have the right to request restriction or suppression of their personal data
Not an absolute right and only applies in certain circumstances
When processing is restricted you may store the personal data but not otherwise process it
Explain the Right to Data Portability
Allows individuals to obtain and reuse their personal data for their own purposes across different services
Allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability
Enables individuals to take advantage of applications and services that can use this data to find them a better deal or help understand spending habits
Only applies to personal data an individual has provided to a controller, where the processing is based on consent or a contract and is carried out by automated means
Explain the Right to Object
In certain circumstances individuals have the right to object to the processing of their personal information
Absolute right to stop data being used for direct marketing
Processing can continue only if there are compelling legitimate grounds that override the individual's interests, rights and freedoms, or it is needed for legal claims
Must tell individuals about right to object
Explain Rights in Relation to Automated Decision Making and Profiling
Provides safeguards for individuals against the risk that a potentially damaging decision is taken by solely automated means (without human intervention)
Such decisions are not permitted unless required or authorised by law (the GDPR also allows them where necessary for a contract or based on explicit consent)
A 'qualifying significant decision' (DPA 2018) is a decision that produces legal effects concerning the individual or similarly significantly affects them, and is required or authorised by law
Must ensure that individuals are able to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it
List specific requirements Article 5 of GDPR sets out about how data controllers should collect, process and manage data
Processed lawfully, fairly and in a transparent manner
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary for the processing purposes
Accurate and where necessary kept up-to-date
Kept in a form which permits identification of data subjects for no longer than is necessary for the processing purposes
Processed in a manner that ensures appropriate security of the personal data
What is the 3 part test in GDPR (the legitimate interests assessment under Article 6(1)(f))?
Purpose test - is there a legitimate interest behind the processing?
Necessity test - is the processing necessary for that purpose?
Balancing test - is the legitimate interest overridden by the individual's interests, rights or freedoms?