Data Security

3. Storing & Protecting Data

Storing Data

Vast amounts, petabytes of data are kept. Retailers like Marks & Spencer’s, Tesco, Morrison’s keep huge customer databases, recording every customer's purchase. In fact anyone with a loyalty card, credit card, membership card or discount card will be the subject of a database record somewhere.

Search engines and online stores such as Google and Amazon record every site, page or item looked at, all with the aim of providing you with better results or with information you like.

Even individuals keep large amounts of data. Companies like Microsoft, Google, Drop Box etc provide individuals with Cloud storage services. These are popular, because despite the risk, users can access their data from any internet connect device from anywhere in the world

Here we have a problem. Although the user or the data subject might be in one country, the data is probably stored in another.

And if your data is stored in another country, then which laws apply that give you some legal protection against data loss, theft, misuse etc?

Protecting Data

Data depending on where its stored in the world is subject to different levels of legal protection. Some of this is due to different definitions of what the word 'data' means. Others because different laws apply or give a different priority to the privacy of individuals.

In the UK, the data belonging to individuals and companies are given considerable protection through the Data Protection Act 1988, but this only applies to data stored in the UK. Europe provides good protection, but again only protects those people within the EC and data stored in the EC.

Data is less well protected in America, partly because of all the different states have their own take on data and the degree to which it should be protected.

Data protection Act 1988 Revisited

The DPA 1988 is the main legal framework in the UK for managing personal information. It is overseen by the Information Commissioner’s Office (ICO). The ICO maintains a register of all organisations that use personal data and any organisation or individual that intends to use personal data must register with the ICO first. It's the ICO that takes action against those that breach the act and complaints about breaches of the act must be made with them.

Definitions: A Reminder

As always in law, definitions are important.

  • Information (Data) Commissioner: Data users have to register with the ICO identifying what they intend to do with the data.
  • Data Controller or User: The organisation or individual that stores and uses the data.
  • Data Subject: The person that the data is kept about.
  • Personal Data
    Placeholder image

    The DPA 1988 regulates the processing of personal data.

    Within the act, personal data is defined as:-
    • Information which relates to living individuals.
    • Information which could be used to identify an individual, either directly or indirectly.
    • Information which includes expressions of opinion about an individual or the intentions of anyone towards an individual.

    Within the school, this would cover all paper based and electronic files, including attendance records and assessment data of each student. It would also include all staff information, appraise and training records.

    Sensitive Personal Data
    Sensitive Data

    The Act also recognises a special category of information: sensitive personal data

    Sensitive personal data includes all data that relates to an individual's:-
    • Racial or ethnic origin.
    • Political opinions.
    • Religious beliefs.
    • Trade Union membership.
    • Physical or mental health.
    • Sexual orientation.
    • Criminal record.

    Any release of this information without permission from the data subject constitutes a breach of the Act.

    Rights & Exemptions
    DPA Rights

    The aim of the Data Protection Act 1988 is to ensure that organisations and individuals take steps to look after data about others securely, responsibly and not release to anyone without the subject's permission.

    As a result the Act gives data subject has certain rights

    • To complain to the Information Commissioner if they feel there's been a breach in the law.
    • To see the data held about them by the data controller, for which there might be a small charge.
    • To have the data corrected if there's a mistake.

    There are of-course certain data controller's who are exempt and can refuse to let subjects see the data held about them.

    • The police or authorities investigating crimes.
    • The Security Services.
    • The Tax Office.
    • Bodies responsible for the appointment of Judges and Government Ministers.

    Data Protection Principles

    The Act requires data controllers to store look after data according to eight principles. If data subjects feel that any of these principles have been broken with regards to their data, then they can complain to the Information Commissioner.

    Principle What it says What it means
    Principle 1 Personal data shall be processed fairly and lawfully. Data should be processed with consent and rights of privacy should be respected.
    Principle 2 Personal data shall only be processed for the purposes for which it was collected. Data collected for one purpose should not be used for another without fresh consent. For instance an email list of research study participants should not be used for commercial marketing.
    Principle 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed. Only the information required to do the job should be collected and used.
    Principle 4 Personal data shall be accurate and, where necessary, kept up to date. Data quality should be maintained.
    Principle 5 Personal data shall not be kept for longer than necessary. When personal records are no longer required they should de deleted
    Principle 6 Personal data shall be processed in accordance with the rights of data subjects. Individuals’ personal rights to access their own data must be respected and data should not be shared without consent.
    Principle 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. Personal information must be stored securely. Paper files should be locked away and electronic records should be protected by passwords and encryption.
    Principle 8 Personal data shall not be transferred outside of the European Economic Area (EEA) unless an adequate level of protection can be ensured. Transfer beyond the EEA must be to a territory, partner or contractor who can assure us that their data handling will meet DPA standards.

    General Data Protection Regulation (GDPR)

    GDPR logo

    Business is now international and the European Community is due to pass into law the GDPR in 2018 to provide additional legal protection to individuals.

    In many ways its very similar to the DPA 1988, but the GDPR recognises that special situation for international companies, who gather data in one country, store it in another and process it in a third resulting in data being passed around the world and subject multiple laws. It is common for example for British Companies to sub-contract their payroll operations to India. Others, like BT have contracted out their customer services, tech support and billing operations again to India.

    Find out more at the Information Commissioner's Office GDPR Principles

    Investigatory Powers Act 2016


    This act has been introduced in response to international terrorism and crime. It gives security services the right to essentially hack your devices and snoop on your communications. They would also have the right to install 'malware' without your knowledge on your devices. The act also compels internet companies to retain your browser history for a year, so wherever you go, whatever you did is subject to recall.

    Find out more by reading the link What is the Investigatory Powers Bill and what does it mean for my privacy?


    Begin by adding a new page to your data storage section.. Title it Storing & Protecting Data

    Copy each of the situations below in turn and after reading the page give your opinion with reasons.

    1. You are an active member of the Socialist Workers party on the left. A membership list of the British Nationalist Party falls into your hands. You decide to publish it on the internet. Would you be committing a crime?
    2. You hear from fiends that your name has been given to the police as witness to a crime. Concerned you go to the Police Station to find out more. They refuse to tell you. Are they right?
    3. A friend tells you in confidence, that they are gay. You accidentally let it slip in a post to your friends private group on Facebook. Have you committed a crime?
    4. You discover that your friend is being two timed by their so called 'boy friend'. You go on-line and tell the world what a 'rat' he is. And although you didn't use your friends name, she later complains that she is getting trolled by the other 'girl friend'. On what grounds has a crime been committed?
    5. A newspaper publishes a story about teenage anxiety. Mistakenly they name you and use a picture of you standing with your sister as someone suffering from mental illness. What can you do about this?
    Paper Forms

    Below are a series of situations relating to the storage of data. Copy each into your notebook and identify the relevant principal(s) that applies in each case, saying whether the law has been broken or not. Give your reasons..

    At the end check your answers with your partner.

    1. You apply to join your local gym. On their application form, they ask about your parents, their birth-dates, where they were born, what their jobs are, your grandparents names and their occupations. Are they allowed to do this? If not, why not?
    2. You go to see the Doctor, where your friends mum works as a receptionist. Later your friend expresses sympathy and hopes that you get better soon. Has a law been broken?
    3. After signing on at the gym, you suddenly start getting email from companies trying to sell you high protein drinks and steroids to boost muscle growth. What do think has happened and was it legal?
    4. On one your visits to the gym, you notice all the membership details are kept in an open cabinet, which anyone behind the desk can go into. Is this right?
    5. You keep getting junk mail from a power supply company addressed to the previous owner. Despite your parents best efforts to correct the power company's mistake, they keep sending mail. What is the power company doing wrong?

    Data security and protection is one of the areas where European Law supersedes National Laws like the DPA 1988.

    1. Is legal for companies in the UK to pass data to partner companies India for processing?
    2. UK is to leave the European Community. Do you think, with regards to data security and protection, that the situation will change much. Give reasons for your answer.
    3. Some people believe the Investigatory Powers Act is necessary to keep people safe. Others think its an infringement on Civil Liberties and all a bit like Big Brother. Wite down what you think?
    Global Data Transfer

    Can you now do?

    • Distinguish the difference between 'Personal Data' and 'Sensitive Personal Data'.
    • Explain the difference between the data subject, the data user and the data controller.
    • Explain that data may be stored in a different country to where the data subject lives and can be governed by laws different to ours.
    • Describe the main legal framework governing the storage and use of data.
    • Be able to give at least five principals and describe what each principal means.

    If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

    Cyber Security

    • Security Fundamentals
    • Data Security
    • Digital Forensics
    • Ethical Hacking
    Supporting courses by the SQA Logo
    css badge
    html badgee