Lesson 16 Data Privacy and Documentation Flashcards
Information Life Cycle
Creation/Control
- data needs to be classified and tagged
Distribution/Use
- data is available to authorized and authenticated users including 3rd parties
Retention
- data is archived past the date when it is still actively used, for regulatory reasons
Disposal
- data no longer needed; media storing the data asset must be SANITIZED to remove any remnants
PHI
Personal Health Information or protected health information
refers to medical and insurance records, as well as associated hospital and lab tests
extremely sensitive
PII
Personally Identifiable Information
info that can identify, contact or locate an individual
can depend on context
data owner
Manager/senior role that is ultimately responsible for the confidentiality, integrity, and availability (CIA) of the information asset
Responsibilities:
- labels the asset
- decides who should have access to the data
- determines the criticality and sensitivity of the data
- ensures the data is protected with the correct controls
Selects a steward and a custodian for the data and directs their actions
Sets the budget and resource allocation for controls
data steward
Appointed by the data owner
Responsibilities:
- ensures data quality
- labels/classifies the data
- data has appropriate metadata
- ensures data is collected and stored in accordance with applicable laws and regulations
data custodian
Appointed by the Data Owner
Responsibilities:
- manages the system on which the data assets are stored
- enforces access control, encryption, and backup/recovery measures
DPO
Data Privacy Officer
Responsibilities:
- oversees any PII assets managed by the company
- ensures processing, disclosure, and retention of PII complies with legal and regulatory frameworks
data controller
Institutional role
Responsibilities:
- determines why and how data is collected, stored, and used
- ensures these purposes and methods are lawful
- responsible for any privacy breach; this responsibility cannot be transferred
data processor
Institutional role
Assists the data controller and follows the controller's instructions regarding the collection or processing of data
Responsibilities:
- assists with the technical collection, storage, and analysis tasks
Data Classification based on degree of confidentiality
Schema based on confidentiality required by the data
Public/unclassified - no restrictions on viewing
Confidential/secret - highly sensitive; viewing restricted, possibly requiring an NDA for 3rd parties
Critical/top secret - viewing is severely restricted
Data Classification based on kind of info
Proprietary or intellectual property (IP) - company-owned information about its products or how they are made
Private/personal data - individual identification data
Sensitive - usually used in the context of personal data which could harm the person if made public or create prejudice against them
Privacy Notices
must obtain informed consent to use the data collected
purpose must be clearly stated to the user
purpose limitation restricts the ability to transfer the data to a 3rd party
Data Protection Impact Assessment
A process designed to
- identify the risks of collecting and processing personal data in the context of a business workflow or project
- identify the mechanisms to mitigate these risks
Data Retention
controls the length of time data can be retained, with regard to business policy or regulations
- may impact data archives and backups if PII is included
- may impact financial data and security logs
Data Sovereignty
a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction
- may demand the use of location-specific storage facilities in a cloud service
- employees in different geographical locations who need the data may have to validate their location before gaining access to it