Data Protection
Definitions
DATA
- Information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose
PERSONAL DATA
- Information relating to a living individual who can be identified from that information or that and other information in the possession, or likely to come into the possession, of the Data Controller. It includes any expression of opinion about the individual and any indication of intention of the Data Controller or any other person in respect of that individual
Data Protection Act 1984 (Old)
- Main Issues
- Relevant to all personal data processed on a computer
- Personal data held and its use must be registered
- Data subject has right to request copy of data held and the right to have it corrected
- Illegal disclosure
Data Protection (1998) – 8 Principles
- Personal data shall be:
- 1. Processed fairly and lawfully
- 2. Obtained & processed for specified purposes
- 3. Adequate, relevant and not excessive
- 4. Accurate and up to date
- 5. Held no longer than necessary
- 6. Processed in accordance with the rights of the data subject
- 7. Kept secure
- 8. Transferred outside of the EEA only if adequate safeguards exist
How to keep data safe?
- If data gets lost, it needs to be recoverable. You also need to have a strategy in place for services.
- An unplanned event could mean something like data corruption or loss, or an application failure, or something more extreme, like the loss of an entire site.
- Data protection describes many different technologies and techniques that allow you to bring things like data, services, or even complete servers back to an operational state after an unplanned event has occurred.
Recovery requirements
- Before developing a data protection strategy, an organisation must first identify its recovery requirements to ensure that the strategy will provide appropriate protection for critical resources.
Data Protection (1998) – 8 Principles
- Personal data shall be:
- 7. Kept secure
- Principle 7 is important because it makes it clear that security is an important aspect of data protection, and it is perhaps the most important of all the principles. It also covers anything that travels over the internet.
- If you have good security then that’s a unique selling point and one benefit that could seal the deal.
3 general data protection areas
- A) Data recovery: allows for the recovery of lost or corrupted data. This is the type of data protection and recovery that IT organizations perform most regularly.
- B) Failure recovery: allows the recovery of things like virtual machines, applications and services in the event of a hardware or software failure.
- C) Disaster protection: allows the recovery of almost everything: servers, virtual machines, applications, services, data, etc.
Example of protecting resources in the event that they are lost because of a cause external to software and hardware failure
- An entire server room is destroyed because of a major flood or maybe a fire. This is high impact but low probability; it may not happen nearly as often as simple data recovery, but it is still an important component.
- People often talked about doing backups in vain because they made the mistake of always keeping the backup media in the same location as the servers that they were backing up.
- If we have a fire or a flood and lose all our servers, what about the actual site itself and the functionality that takes place there? If we lose an entire building that has a call centre because it goes up in flames, we can rebuild all of the computers and everything else, but what about a place for our users and our employees to go so that they can continue providing the call centre functionality?
- A once-in-a-lifetime disaster may destroy the site, which is why you want offsite backup strategies. Offsite backup can be more than just having backups that are stored offsite: it could be servers that are ready to go and stored offsite, or even another location that you can rent on demand and conduct business from normally.
Data protection strategy
- When it comes to enterprise data protection, you need, first of all, a strategy for recovering data: data gets lost, and it needs to be recoverable. You also need to have a strategy in place for services.
How to identify your data protection requirement?
- Step 1: You have to know which critical resources need to be protected, and then you have to identify the risks associated with them.
- Step 2: You need to know what risks are involved, e.g. the risk of a user accidentally deleting data, an unhappy employee who intentionally deletes data, or a hacker who figures out how to break in and destroys or corrupts your data. These factors are associated with your critical resources. So overall, when it comes to implementing a data protection strategy, you need to first perform a risk assessment plan, which will help you to identify all of the risks associated with the availability of your critical resources.
- Step 3: You need to figure out how much time is needed to perform a recovery. Based upon the business's requirements, an organization should decide how much time is acceptable for recovering a critical resource.
Non-functional requirement
- Service availability: this is defined as the percentage of the time per year that data and services will be available to users.
- 99.9% service availability means that, on a per-year basis, data and services will have unplanned downtime of not more than 0.1% per year. If you do the math, that comes to just a little bit under nine hours per year, based on a 24-hour day, seven days a week.
From business point of view
- We need business managers to work with us to determine which resources should be protected with a data protection plan and which resources might be protected with some form of mitigation, and at what level, so that our data protection strategy is more realistic.
Data protection strategy
- We need to plan on regularly evaluating whether our data protection strategy still makes sense and, if it doesn't, make updates.
- Overall, having data protection in place is a crucial component to the integrity and the continuity of any enterprise business organisation.
Discussion question:
- To help counter criminals, the UK has developed computer systems that track large numbers of its citizens and their actions. Clearly this has privacy implications. Discuss the ethics of working on the development of this type of system.
Key Terms
- Data: Information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.
- Personal Data: Information relating to a living individual who can be identified from that information or that and other information in the possession, or likely to come into the possession, of the Data Controller. It includes any expression of opinion about the individual and any indication of intention of the Data Controller or any other person in respect of that individual.
- Data protection strategy: When it comes to enterprise data protection, you need, first of all, a strategy for recovering data: data gets lost, and it needs to be recoverable. You also need to have a strategy in place for services.