Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
DADA/Articles/st20_gdpr_what_it_means.md
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
146 lines (95 sloc)
6.43 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Data for Good and Evil | |
| Before considering the legal aspects of data collection and processing, consider the *power* of data. Below are two cases where data has had a large impact on society. They are just examples and we could easily find many more. | |
| ## Saving Lives | |
| "A clinical trial looked at the potential for a new type of bowel screening to save lives. Following 170,432 people for an average of 11 years, the trial showed that this one off screening could save thousands of lives, through early diagnosis and prevention, and led to it being adopted by the NHS in England. Patient data was used to identify appropriate people for the trial and then to monitor what happened to them after screening." | |
| https://understandingpatientdata.org.uk/case-study/screening-bowel-cancer | |
| ## Subverting Democracy | |
| "We have found evidence of formally organized social media manipulation campaigns in 48 countries, up from 28 countries last year. In each country there is at least one political party or government agency using social media to manipulate public opinion domestically." | |
| http://comprop.oii.ox.ac.uk/research/cybertroops2018/ | |
| # General Data Protection Regulation (GDPR) | |
| The GDPR is a Europe-wide regulation. | |
| The GDPR deals with the security and confidentiality of personal | |
| information. In short, it demands that anyone who collects, stores or | |
| processes personal information does so securely. | |
| The regulations state that data is required to be ‘processed in a | |
| manner that ensures appropriate security of the personal data, | |
| including protection against unauthorised or unlawful processing and | |
| against accidental loss, destruction or damage, using appropriate | |
| technical or organisational measures’ | |
| Rather than just expect "best efforts", GDPR demands that at the | |
| design stage and during execution, any data collection or processing | |
| will be combined with appropriate technical and procedural controls | |
| that ensure that personal data is secure. This is known as "data | |
| protection by design". | |
| In the UK, the GDPR is implemented as the Data Protection Act 2018. | |
| ## Requirements | |
| GDPR requires: | |
| - That no more personal data is collected than necessary | |
| - Access to personal data is managed and minimised | |
| - Confidentiality, Integrity and Availability (known as the CIA triangle) of the data are protected | |
| - Resilience and usable back-ups in case of incident | |
| - Regular testing of the effectiveness of measures implemented | |
| ## Rights | |
| The GDP gives the public a set of rights concerning their data: | |
| ### The Right to be Informed | |
| Simply put, when data is collected about an individual, they should be informed clearly. | |
| ### The Right of Access | |
| Individuals about whom data is collected have the right to access that data. | |
| ### The Right to Rectification | |
| Individuals have the right to have their data corrected if it is inaccurate or incomplete. | |
| ### The Right to Erasure | |
| Individuals have the right to request that their data is removed from a system. The request may be denied if it is required for valid and legal reasons. | |
| ### The Right to Restrict Processing | |
| Individuals have the right to request that rocessing of their personal | |
| data is halted if they believe their it is inaccurate and not have it | |
| resume until the issue is resolved. | |
| ### The Right to Data Portability | |
| For electronic records, users of a system can request their data to be made available in a portable format. For example, you should be able to request all of your e-mails from your e-mail provider in a format that you can then import into another e-mail service. | |
| ### The Right to Object | |
| Individuals have the right to object to their data being used in some circumstances. This includes automated decision making and profiling, which an individual might feel will result in detrimental outcomes if there is not a human making the decision. | |
| ### Exemptions | |
| These rights can sometimes be restricted. For example, in legal | |
| investigations, journalism, confidentiality of references, and so on, | |
| there are legitimate reasons to restrict the rights of individuals for | |
| a greater good. | |
| # GDPR and Security | |
| GDPR requires that whoever is responsible for data collection, the Data Controller, is accountable for the security of that data and appropriate technical and organisational measures are in place to ensure, and be able to demonstrate, that processing of personal data is performed in accordance with the regulations. | |
| ## Four Aims | |
| The data security aspects of the GDPR are intended to lead to an organisation being capable of the following: | |
| 1. Manage security risk | |
| 2. Protect personal data against cyber attack | |
| 3. Detect security events | |
| 4. Minimise the impact | |
| The specifics of each depend on the type and volume of data collected and the scale of the organisation. That is, all controls should be "appropriate", based on: | |
| - the state of the art of the technology | |
| - cost of implementation | |
| - the nature, scope, context and purpose of processing’, and | |
| - the severity and likelihood of the risk being realised. | |
| The National Cyber Security Centre (NCSC) give some examples of security measures: | |
| - Tracking and recording of all assets that process personal data, | |
| including end user devices and removable media. | |
| - Minimising the opportunity for attack by configuring technology | |
| appropriately, minimising available services and controlling | |
| connectivity. | |
| - Actively managing software vulnerabilities, including using | |
| in-support software and the application of software update policies | |
| (patching) and taking other mitigating steps, where patches can’t | |
| be applied. | |
| - Managing end user devices (laptops and smartphones etc) so that you | |
| can apply organisational controls over software or applications | |
| that interact with or access personal data. | |
| - Encrypting personal data at rest on devices (laptops, smartphones, | |
| and removable media) that are not subject to strong physical | |
| controls. | |
| - Encrypting personal data when transmitted electronically. | |
| - Ensuring that web services are protected from common security | |
| vulnerabilities such as SQL injection and others described in | |
| widely-used publications such as the OWASP Top 10. | |
| - Ensuring your processing environment remains secure throughout its | |
| lifecycle. | |
| ## Impact | |
| In the particular case of minimising impact, you should consider: | |
| - minimising the impact of a personal data breach | |
| - capability to restore systems and services (backups, backup sites, backup schedules) | |
| - how to manage the incident appropriately | |
| - ensuring you have enough information to learn lessons for the future | |