Data Security

Storing & Protecting Data

Storing Data

Vast amounts, petabytes of data are kept. Retailers like Marks & Spencer’s, Tesco, Morrison’s keep huge customer databases, recording every customer's purchase. In fact anyone with a loyalty card, credit card, membership card or discount card will be the subject of a database record somewhere.

Search engines and online stores such as Google and Amazon record every site, page or item looked at, all with the aim of providing you with better results or with information you like.

Even individuals keep large amounts of data. Companies like Microsoft, Google, Drop Box etc provide individuals with Cloud storage services. These are popular, because despite the risk, users can access their data from any internet connect device from anywhere in the world

Here we have a problem. Although the user or the data subject might be in one country, the data is probably stored in another.

And if your data is stored in another country, then which laws apply that give you some legal protection against data loss, theft, misuse etc?

Protecting Data

Data depending on where its stored in the world is subject to different levels of legal protection. Some of this is due to different definitions of what the word 'data' means. Others because different laws apply or give a different priority to the privacy of individuals.

In the UK, the data belonging to individuals and companies are given considerable protection through the Data Protection Act 1988, but this only applies to data stored in the UK. Europe provides good protection, but again only protects those people within the EC and data stored in the EC.

Data is less well protected in America, partly because of all the different states have their own take on data and the degree to which it should be protected.

Data protection Act 1988 Revisited

The DPA 1988 is the main legal framework in the UK for managing personal information. It is overseen by the Information Commissioner’s Office (ICO). The ICO maintains a register of all organisations that use personal data and any organisation or individual that intends to use personal data must register with the ICO first. It's the ICO that takes action against those that breach the act and complaints about breaches of the act must be made with them.

Definitions: A Reminder

As always in law, definitions are important.

  • Information (Data) Commissioner: Data users have to register with the ICO identifying what they intend to do with the data.
  • Data Controller or User: The organisation or individual that stores and uses the data.
  • Data Subject: The person that the data is kept about.
  • Personal Data
    Placeholder image

    The DPA 1988 regulates the processing of personal data.

    Within the act, personal data is defined as:-
    • Information which relates to living individuals.
    • Information which could be used to identify an individual, either directly or indirectly.
    • Information which includes expressions of opinion about an individual or the intentions of anyone towards an individual.

    Within the school, this would cover all paper based and electronic files, including attendance records and assessment data of each student. It would also include all staff information, appraise and training records.

    Sensitive Personal Data
    Sensitive Data

    The Act also recognises a special category of information: sensitive personal data

    Sensitive personal data includes all data that relates to an individual's:-
    • Racial or ethnic origin.
    • Political opinions.
    • Religious beliefs.
    • Trade Union membership.
    • Physical or mental health.
    • Sexual orientation.
    • Criminal record.

    Any release of this information without permission from the data subject constitutes a breach of the Act.

    Rights & Exemptions
    DPA Rights

    The aim of the Data Protection Act 1988 is to ensure that organisations and individuals take steps to look after data about others securely, responsibly and not release to anyone without the subject's permission.

    As a result the Act gives data subject has certain rights

    • To complain to the Information Commissioner if they feel there's been a breach in the law.
    • To see the data held about them by the data controller, for which there might be a small charge.
    • To have the data corrected if there's a mistake.

    There are of-course certain data controller's who are exempt and can refuse to let subjects see the data held about them.

    • The police or authorities investigating crimes.
    • The Security Services.
    • The Tax Office.
    • Bodies responsible for the appointment of Judges and Government Ministers.

    Data Protection Principles

    The Act requires data controllers to store look after data according to eight principles. If data subjects feel that any of these principles have been broken with regards to their data, then they can complain to the Information Commissioner.

    Principle What it says What it means
    Principle 1 Personal data shall be processed fairly and lawfully. Data should be processed with consent and rights of privacy should be respected.
    Principle 2 Personal data shall only be processed for the purposes for which it was collected. Data collected for one purpose should not be used for another without fresh consent. For instance an email list of research study participants should not be used for commercial marketing.
    Principle 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed. Only the information required to do the job should be collected and used.
    Principle 4 Personal data shall be accurate and, where necessary, kept up to date. Data quality should be maintained.
    Principle 5 Personal data shall not be kept for longer than necessary. When personal records are no longer required they should de deleted
    Principle 6 Personal data shall be processed in accordance with the rights of data subjects. Individuals’ personal rights to access their own data must be respected and data should not be shared without consent.
    Principle 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. Personal information must be stored securely. Paper files should be lock be away and electronic records should be protected by passwords and encryption.
    Principle 8 Personal data shall not be transferred outside of the European Economic Area (EEA) unless an adequate level of protection can be ensured. Transfer beyond the EEA must be to a territory, partner or contractor who can assure us that their data handling will meet DPA standards.

    General Data Protection Regulation (GDPR

    GDPR logo

    some stuff

    Investigatory Powers Act 2016

    Tasks
    Content for Accordion Panel 1
    Placeholder image
    Content for Accordion Panel 2
    Content for Accordion Panel 3

    Can you now do?


    • Make the distinction between Data and Information.
    • Provide examples of where data becomes information.
    • Provide examples of personal data.

    If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

    Cyber Security

    • Security Fundamentals
    • Data Security
    • Digital Forensics
    • Ethical Hacking
    Supporting courses by the SQA Logo
    css badge
    html badgee