Week 9 Data Protection Flashcards
Personal information
Any information related to an identifiable natural subject
Identifiable natural subject
Someone who can be identified (directly or indirectly) by reference to an identifier such as name, ID number, location data, or any other factors specific to their identity
Processing of data which reveals racial/ethnic origin, religious beliefs, union membership, sexual orientation or biometrics for identification
Prohibited unless agreed to
Data protection law purpose
Give individuals the power to manage their information in the public domain
Power of data protection laws
Not absolute
Consenting, knowing, objecting and withdrawing/correcting
Control over what kind of processing and who can process it
Processing
Operation on data
Controllers
Entities who determine the purpose/means of processing of personal data
Major data protection laws
GDPR in the EU UK GDPR (Post-brexit) alongside the DPA 2018
Differences between the EU and UK data protection laws
UK lowers age of consent for children to give data from 16 to 13
Data protection must be
By design and by default
Considered right from the start and not as an after-thought
Privacy enhancing technologies are legally mandated
Potential penalty for non-compliance of GDPR
€20 million or 4% of global annual turnover
Privacy by policy
Implementation of notice/choice
Privacy by design/default
PETs, anonymisation, et al.
CIA triad
Confidentiality, Integrity and Availability
Must be embedded as far as possible into organisational processes and technical designs
GDPR Principles
Lawfulness fairness and transparency (Require consent, necessity, an obligation of interest to collect data)
Purpose limitation (Explicit purpose, no others)
Data minimisation (Only necessary information)
Accuracy (Keep data accuract, correct inaccurate)
Storage limitation (Keep data whilst necessary)
Integrity and confidentiality (Keep data safe)
Accountability (Demonstrate compliance with the other principles)
