GDPR and other laws (Lecture 7) Flashcards
List some laws relating to Information Security
Computer Misuse Act 1990
Obscene Publications Act 1964
Police And Criminal Evidence Act 1984
Network and Information Systems Regulations 2018
General Data Protection Regulations 2018
Data Protection Act 1998, 2018
The Computer Misuse Act 1990 relates to what offences?
Unauthorised access to computer material
Unauthorised access with intent to commit or facilitate a crime
Unauthorised modification of computer material
Making, supplying or obtaining anything which can be used in computer misuse offences
The Obscene Publications Act 1964 relates to what offences?
The Act aims to strengthen the law for preventing the publication for gain of obscene matter, and the publication of things intended for the production of obscene matter
Includes distribution, circulation, selling, letting and hiring
What is PACE 1984?
Police And Criminal Evidence Act
Governs police powers of investigation involving arrest, detention, interrogation, entry and search of premises and personal searches
Code B outlines powers to enter and search premises and seize possessions.
What is Network and Information Systems Regulations 2018?
Applies to two groups of organisations: Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs)
NIS relates to any incident that has an impact on a service, where the impact produces a significant disruptive effect
The ICO is the competent authority for RDSPs; it can enforce NIS and issue fines of up to £17 million
What defines a Relevant Digital Service?
Provide one or more of the following:
Online search engine
Online marketplace
Cloud computing service
Must have a head office in the UK or have nominated a UK representative
Must have more than 50 staff and a turnover or balance sheet of more than €10 million
What is PECR 2003?
Privacy and Electronic Communications Regulations 2003
Derived from EU law; implements European Directive 2002/58/EC, AKA the e-Privacy Directive
Complements the GDPR and sets out more specific privacy rights on electronic communications
Specific rules on marketing calls, emails, texts and faxes, cookies, keeping communications services secure, customer privacy with regards to traffic and location data and itemised billing
What is the Data Protection Act 1998, 2018?
Designed to protect personal data stored on computers or in organised paper filing systems
What is the GDPR?
General Data Protection Regulations 2018
Designed to give people more control over how their data is used, shared and stored
Requires organisations to be more accountable and transparent about how they use someone’s data
Organisations must demonstrate compliance and prove that the requirements are actually being implemented
What can the ICO do using powers under the DPA 2018?
Serve information notices requiring organisations to provide specified information within a certain time
Conduct onsite assessments, enter premises, access documents and interview people. Also issue enforcement notices and fines
What is a data controller?
A company that collects information about customers, suppliers, employees etc.
In relation to personal data, means a person who determines the purposes for which and the manner in which any personal data are to be processed
What is a data processor?
An organisation which processes data for other entities but does not determine the purpose of the processing, what is collected, how it is processed or how long it is retained
In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller
What are your rights as a data subject? (8)
The right to be informed
The right of access
The right to rectification
The right to erasure (the right to be forgotten)
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
Explain the Right to Be Informed
Individuals have the right to be informed about the collection and use of their personal data. A key transparency requirement under the GDPR
Must provide individuals with information including purposes for processing their personal data, your retention period and who it will be shared with (privacy information)
Must be provided at the time of data collection
Must be regularly reviewed and updated if necessary. Must bring any new uses of their data to their attention before processing is started
Explain Right of Access
Subject access
Gives individuals the right to access and obtain a copy of their personal data as well as other supplementary information
Can make verbal or written requests for the information and it should be disclosed securely