Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Cybersecurity > Week 4 > Flashcards

Week 4 Flashcards

1
Q

Ethics and information systems

A
  • Collecting and processing infromation invovles a responsibility
  • Designing a system involves dilemmas and trade-offs
    • Privacy versus secuirty
    • Efficiency versus autonomy of workers
    • NB. Trade-offs may be false
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Terminology in Ethics and Data Protection

A

Responsibility
Accountability
Liability
Due process

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Legal Domains

A

‘Privacy law’ and ‘Data Protection law’

  • Public law - The Right to Privacy and Private Life
  • GDPR
  • ePrivacy Directive
  • Competition Law, Consumer law, etc
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the GDPR?

A

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

Governs (inter alia) how, when and why ‘Data Controllers’ and Processors process ‘Personal Data’
•Both public and private entities, but not law enforcement agencies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

EU GDPR

A

Some principles

  • increased sanctions and authority for regulators
  • increased responsibility for organizations to be accountable
  • introduces obligations to perform Data Protection Impact Assessments and to appoint ‘data protection officer’, and to report breaches
  • strengthen idea of ‘privacy by design’ and ‘privacy by default’
  • uphold ‘right to be forgotten’
  • strengthen rules against profiling
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

When does the GDPR apply? pt 1

A

Art. 2, Material Scope

1.This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

  1. This Regulation does not apply to the processing of personal data
    c) by a natural person in the course of a purely personal or household activity;
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

When does GDPR apply? part 2

A

Art. 3: Territorial Scope1.This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

  1. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is Personal Data according to GDPR?

A
  • Art. 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…
  • Art. 10: Data relating to criminal convictions and offences
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Special categories GDPR

A
  • Art. 9: ‘Processing of Special categories of personal data’
  • …personal data revealing:
  • Racial or ethnic origin
  • Political opinions, religious or philosophical beliefs
  • Trade union membership
  • Genetic and/or biometric data processed for the purpose of identifying a person
  • Health, sexual life or sexual orientation
  • … shall be prohibited, unless (article 9.2)
  • (a) explicit consent, (b) necessary for employment or social security by law, (c) vital interest of subject and subject incapable of giving consent, (d) legitimate activities of a foundation, association or any other not-for-profit body regarding its own members (e) data made public by subject, (f) necessary for legal process, (g) necessary for public interest, by law, (h) necessary for health care, under professional secrecy, (i) necessary for public health, (j) necessary for archiving or scientific or historic interest.Special categories15•Art. 9: ‘Processing of Special categories of personal data’•…personal data revealing:•Racial or ethnic origin•Political opinions, religious or philosophical beliefs•Trade union membership•Genetic and/or biometric data processed for the purpose of identifying a person•Health, sexual life or sexual orientation•… shall be prohibited, unless (article 9.2)
  • (a) explicit consent, (b) necessary for employment or social security by law, (c) vital interest of subject and subject incapable of giving consent, (d) legitimate activities of a foundation, association or any other not-for-profit body regarding its own members (e) data made public by subject, (f) necessary for legal process, (g) necessary for public interest, by law, (h) necessary for health care, under professional secrecy, (i) necessary for public health, (j) necessary for archiving or scientific or historic interest.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Data processing roles

A

Actors:

  • Data subject: natural person, about whom data is processed
  • Controller: determines purposes and means of processing of personal data
  • Processor: processes personal data on behalf of the controller

A triangle

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Processing of Personal Data; Profiling

A
  • Art. 4 (2): ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means…
  • Art. 4(4): ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person…
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Key Principles relating to processing of personal data

A
  • Article 5 sets out the principles governing the processing of personal data:
  • Principle 1: Lawfulness, Fairness and Transparency
  • Principle 2: Purpose limitation
  • Principle 3: Data minimization
  • Principle 4: Data accuracy
  • Principle 5: Storage limitation
  • Principle 6: Integrity and confidentiality
  • Principle 7: Accountability
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

‘Consent’

A
  • Art. 4(11): “‘consent’ of the data subject means
  • any freely given,
  • specific,
  • informed and
  • unambiguous indication
  • of the data subject’s wishes by which he or she,
  • by a statement or by a clear affirmative action,
  • signifies agreement to the processing of personal data relating to him or her;”
  • Art. 7(1): “… controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Data Protection Officers

A
  • Section 4, Art. 37-39
  • ‘expert knowledge of data protection law and practices’
  • Mandatorily required when (Art. 37(1)):
  • “The processing is carried out by a public authority or body, excepts for Courts acting in judicial capacity
  • The core activities of the controller or processor… require regular and systematic monitoring of data subjects on a large scale
  • The core activities of the controller or processor consist of processing large scale of special categories of data… or data relating to criminal convictions…”
  • Tasks of the DPO: Art. 39
  • To inform and advise, particularly on DPIA, to monitor, to cooperate with DPAs, and to liaison.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Data Breach Notification

A
  • Personal Data Breach: defined in Art. 4(12)
  • Art. 33: Notification to the Supervisory Authority
  • “In case of a [PDB] the controller shall without undue delay and, where feasible,
  • not later than 72 hours
  • after having become aware of it,
  • notify the personal data breach to the supervisory authority competent in accordance with Article 55,
  • unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons…”
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Specific issues with GDPR

A
  • Data protection by design and by default (Art. 25)
    • Data protection is opt-out, not opt-in.
    • e.g. privacy enhancing technologies (PET): indirection; encryption
  • Right to erasure/Right to be forgotten: individuals want to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past” (Mantalero 2013; p 231)
  • Consent
17
Q

Problems with the GDPR

A
  • Informed consent: no real choice (Schermer et al 2014)
  • Social spheres: preferences differ between social spheres (family, work, sports club), but systems do not recognize such context (Nissenbaum)
  • Limited supervision capacity: AP and other DPAs lack manpower to handle cases

•Proposal: provide end-users with more control over what their data is used for (usage rules), and ways of monitoring

18
Q

US vs Europe?

A
  • Why bother about the US? In the cloud, data could be anywhere …
  • Opt-in:in EU, users must agree before data may be processed, and must explicitly agree before sensitive data may be processed
  • Opt out:in US, users may explicitly refuse that their data be used
  • CIA; FBI; NSA …: Usually, allowed by bilateral agreements of governments to share intelligence. (Check Anderson on Snowden)

Cybersecurity (13 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions