Data Protection

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 2: Data Protection

Data Protection Directive

1 On 25 January 2012, the European Commission unveiled a draft

European General Data Protection Regulation that will supersede the

Data Protection Directive.

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 3: Data Protection

Data Protection Directive Context

1 The right to privacy is a highly developed area of law in Europe. All the member states

of the European Union (EU) are also signatories of the European Convention on

Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private

and family life, his home and his correspondence," subject to certain

restrictions. The European Court of Human Rights has given this article a very broad

interpretation in its jurisprudence.

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 4: Data Protection

Data Protection Directive Context

1 In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development

(OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border

Flows of Personal Data.” The seven principles governing the OECD’s

recommendations for protection of personal data were:

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 5: Data Protection

Data Protection Directive Context

1 Notice—data subjects should be given notice when their data is being collected;

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 6: Data Protection

Data Protection Directive Context

1 Consent—data should not be disclosed without

the data subject’s consent;

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 7: Data Protection

Data Protection Directive Context

1 Security—collected data should be kept secure

from any potential abuses;

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 8: Data Protection

Data Protection Directive Context

1 Disclosure—data subjects should be informed as to who is collecting their data;

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 9: Data Protection

Data Protection Directive Context

1 Access—data subjects should be allowed to access their data and

make corrections to any inaccurate data; and

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 10: Data Protection

Data Protection Directive Context

1 Accountability—data subjects should have a method available to them to hold data collectors accountable for

following the above principles.

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 11: Data Protection

Data Protection Directive Context

1 The OECD Guidelines, however, were nonbinding, and data privacy laws

still varied widely across Europe. The US, meanwhile, while endorsing the

OECD’s recommendations, did nothing to implement them within

the United States. However, all seven principles were incorporated into the

EU Directive.

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 12: Data Protection

Data Protection Directive Context

1 In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal

Data was negotiated within the Council of Europe. This convention

obliges the signatories to enact legislation concerning the automatic processing of personal data, which

many duly did.

https://store.theartofservice.com/the-data-protection-toolkit.html

Page 13: Data Protection

Data Protection Directive Context

1 The European Commission realised that diverging data protection

legislation amongst EU member states impeded the free flow of data

within the EU and accordingly proposed the Data Protection

Directive.

https://store.theartofservice.com/the-data-protection-toolkit.html

Data Protection Directive Content

The directive regulates the processing of personal data regardless of whether such processing is automated or not.

Data Protection Directive Scope

Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a)

This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.

The notion of processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b)

The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. (art. 2 d)

As a consequence, the website operator would have to comply with the European data protection rules.

The proposed new European Union Data Protection Regulation (a draft for which was unveiled in January 2012) extends the scope of the EU data protection law to all foreign companies processing data of European Union residents.

Data Protection Directive Principles

Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.

Data Protection Directive Transparency

The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)

Data may be processed only under the following circumstances (art. 7):

* when the data subject has given his consent;
* when processing is necessary in order to protect the vital interests of the data subject;
* when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data protection rules.

Data Protection Directive Legitimate purpose

Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)

Data Protection Directive Proportionality

Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.

When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8)

The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)

A decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision making processes are used.

Data Protection Directive Supervisory authority and the public register of processing operations

Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations to the supervisory authority or in a court of law.

The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information (art. 19):

* a description of the category or categories of data subject and of the data or categories of data relating to them;
* proposed transfers of data to third countries;
* a general description of the measures taken to ensure security of processing.

This information is kept in a public register.

Data Protection Directive Transfer of personal data to third countries

Third countries is the term used in legislation to designate countries outside the European Union. Personal data may only be transferred to third countries if that country provides an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.

The Directive's Article 29 created the "Working party on the Protection of Individuals with regard to the Processing of Personal Data," commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.

The Working Party negotiated with U.S. representatives about the protection of personal data; the Safe Harbor Principles were the result. According to critics the Safe Harbor Principles do not provide for an adequate level of protection, because they contain fewer obligations for the controller and allow the contractual waiver of certain rights.

In July 2007, a new, controversial, Passenger Name Record agreement between the US and the EU was signed.

The tensions between Washington and Brussels are mainly caused by the lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974.

Data Protection Directive Implementation by the member states

EU directives are addressed to the member states, and aren't legally binding for citizens in principle. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states have enacted their own data protection legislation.

Data Protection Directive Comparison with US data protection law

To date, the US has no single data protection law comparable to the EU's Data Protection Directive.

The reasoning behind this approach probably has as much to do with American laissez-faire economics as with different social perspectives. The First Amendment of the United States Constitution guarantees the right to free speech. While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court, although it is often an explicit right in many state constitutions.

Germany and France, in particular, set forth comprehensive data protection laws.

Phil Zimmermann has called the EU's requirement of data retention worse for the individual than the ad-hoc policies of the USA.

Advertising Standards Authority (United Kingdom) - Data protection

The complainant's details are never disclosed without the complainant's permission, in accordance with the Data Protection Act 1998.

If the complaint comes from a competitor or someone with a trade or vested interest with the advertiser about which they are complaining, the ASA requires the company to agree to be named. This, according to the ASA, limits the number of petty or retaliatory complaints. The ASA proceeds only with the express permission of the complainant for their organisation to be named.

Internet privacy - Data protection regulation

The two major issues the CDT addresses in this analysis of the Data Protection Regulation are the inflexible rules against profiling users based on their Internet usage and the parental consent policy in regards to controlling the online information of children.

Criticism of Facebook - Investigation by the Irish Data Protection Commissioner 2011/2012

Under European law Facebook Ireland is the data controller for facebook.com, and therefore facebook.com is governed by European data protection laws.

The group europe-v-facebook.org (http://www.europe-v-facebook.org/EN/en.html) made access requests at Facebook Ireland and received up to 1.222 pages of data per person in 57 data categories that Facebook was holding about them, including data that was previously removed by the users (http://www.europe-v-facebook.org/removed_content.pdf). Despite the amount of information given, the group claimed that Facebook did not give them all of its data.

The first 16 complaints target different problems, from undeleted old pokes all the way to the question of whether sharing and new functions on Facebook should be opt-in or opt-out. The second wave of 6 more complaints was targeting more issues, including one against the Like button. The most severe could be a complaint that claims that the privacy policy, and the consent to the privacy policy, is void under European laws.

In an interview with the Irish Independent a spokesperson said that the DPC will go and audit Facebook, go into the premises and go through in great detail every aspect of security.

Directive 95/46/EC on the protection of personal data - Comparison with US data protection law

President Bill Clinton and former Vice-President Al Gore explicitly recommended in their Framework for Global Electronic Commerce that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology (Clinton Gore, supra). To date, the US has no single data protection law comparable to the EU's Data Protection Directive.

The reasoning behind this approach probably has as much to do with American laissez-faire economics as with different social perspectives.

Germany and France, in particular, set forth comprehensive data protection laws.

Phil Zimmermann has called the EU's requirement of data retention worse for the individual than the ad-hoc policies of the USA. (E-mail's Big Privacy Problem: QA With Silent Circle Co-Founder Phil Zimmermann, http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-problem-qa-with-silent-circle-co-founder-phil-zimmermann/3/)

Information Commissioner's Office - Data Protection Act 1998

Under the provisions of EC Directive 95/46 (introduced in the UK as the Data Protection Act 1998, rather than as a Statutory Instrument (SI) under the European Communities Act 1972) the name of the post was changed to Data Protection Commissioner and later to Information Commissioner.

The register of data controllers is publicly available and searchable at the website of the ICO (http://www.ico.gov.uk/ESDWebPages/search.asp), which also gives links to the ICO's counterparts around Europe.

Data Protection Act 1998

The Act defines eight 'data protection principles'.

Data Protection Act 1998 - History

At the same time it aimed to implement the European Data Protection Directive.

The Jersey data protection law (the Data Protection (Jersey) Law 2005) was modelled on the UK law. (Jersey: Data Protection In Jersey And Other Offshore Jurisdictions, http://www.mondaq.com/article.asp?articleid=63832, 23 July 2008, article by Wendy Benjamin, mondaq.com, retrieved 14 September 2012)

Data Protection Act 1998 - Personal data

The Act covers any data about a living and identifiable individual.

In some cases even a paper address book can be classified as a 'relevant filing system', for example diaries used to support commercial activities such as a salesperson's diary.

The Freedom of Information Act 2000 modified the act for public bodies and authorities, and the Durant case modified the interpretation of the act by providing case law and precedent.

Data Protection Act 1998 - Subject rights

The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or transmit such data. The person who has their data processed has the right to: (Your rights, ICO, http://www.ico.gov.uk/what_we_cover/data_protection/your_rights.aspx, accessed 6 September 2007)

* View the data an organisation holds on them. A 'subject access request' can be obtained for a nominal fee. (As of 2006, the maximum fee is £10 per individual: FAQs, ICO, http://www.ico.gov.uk/Global/faqs/data_protection_for_the_public.aspx#f5EED57A6-1B5C-4032-A7A3-22ECBBF66D3D)
* Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.
* Require that data is not used in any way that may potentially cause damage or distress. (Data Protection Act 1998, Part II (Rights of data subjects and others), Section 10, http://www.legislation.gov.uk/ukpga/1998/29/section/10, Office of Public Sector Information, accessed 6 September 2007)
* Require that their data is not used for direct marketing. (Data Protection Act 1998, Part II (Rights of data subjects and others), Section 11, http://www.legislation.gov.uk/ukpga/1998/29/section/11, Office of Public Sector Information, accessed 6 September 2007)

Data Protection Act 1998 - Data protection principles

* Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
  * at least one of the conditions in Schedule 2 is met, and
  * in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
* Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
* Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
* Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
* About the rights of individuals: personal data shall be processed in accordance with the rights of data subjects (individuals). (The rights of individuals (Principle 6), ICO.gov.uk, http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_6.aspx, accessed 14 April 2011)
* Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
* Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data Protection Act 1998 - Conditions relevant to the first principle

Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2).

* The data subject (the person whose data is stored) has consented (given their permission) to the processing;
* Processing is required under a legal obligation (other than one stated in the contract);
* Processing is necessary to protect the vital interests of the data subject;
* Processing is necessary to carry out any public functions;
* Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the data subject). (Data Protection Act 1998 Schedule 2, OPSI.gov.uk, http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_10#sch2)

Data Protection Act 1998 - Consent

The European Data Protection Directive defines consent as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”, meaning the individual may signify agreement other than in writing.

Additionally, consent should be appropriate to the age and capacity of the individual and other circumstances of the case.

The Data Protection Act also specifies that sensitive personal data must be processed according to a stricter set of conditions, in particular any consent must be explicit.

Data Protection Act 1998 - Exceptions

The Act is structured such that all processing of personal data is covered by the Act, while providing a number of exceptions in Part IV. Notable exceptions are:

* Section 28 - National security. Any processing for the purpose of safeguarding national security is exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (unlawful obtaining of personal data).
* Section 29 - Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle.
* Section 36 - Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).

Data Protection Act 1998 - Offences

The Act details a number of civil and criminal offences for which data controllers may be liable if a data controller has failed to gain appropriate consent from a data subject. However, 'consent' is not specifically defined in the Act; consent is therefore a common law matter.

* Sub-section 21(1) - This sub-section makes it an offence to process personal information without registration. (Data Protection Act 1998, [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_4#pt3-l1g21 Part III (Notification by Data Controllers), Section 21], Office of Public Sector Information)
* Sub-section 21(2) - This sub-section makes it an offence to fail to comply with the [http://www.legislation.gov.uk/uksi/2000/188/made notification regulations] made by the Secretary of State (proposed by the Information Commissioner under section 25 of the Act; Data Protection Act 1998, [http://www.legislation.gov.uk/ukpga/1998/29/section/25 Part III (Notification by Data Controllers), Section 25]).
* Section 55 - Unlawful obtaining of personal data. This section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data. (Data Protection Act 1998, [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_7#pt6-pb2-l1g55 Part VI (Miscellaneous and General), Section 55], Office of Public Sector Information, accessed 14 September 2007)
* Section 56 - This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes of recruitment, continued employment, or the provision of services. (Data Protection Act 1998, [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_7#pt6-pb3-l1g56 Part VI (Miscellaneous and General), Section 56], Office of Public Sector Information, accessed 14 September 2007) This was brought into effect by the Data Protection Act 1998 (Commencement No

Data Protection Act 1998 - Complexity

Some hide behind the Act and refuse to provide even very basic, publicly available material, quoting the Act as a restriction. ([http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/data_protection_myths_and_realities.pdf Data Protection myths and realities], Information Commissioner's Office, accessed 30 August 2008) The Act also impacts on the way in which organisations conduct business in terms of who can be contacted for marketing purposes, not only by telephone and direct mail but also electronically, and has led to the development of permission-based marketing strategies.

Data Protection Act 1998 - Definition of personal data

The definition of personal data is data which relates to a living individual who can be identified.

Sensitive personal data concerns the subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record.

Data Protection Act 1998 - Subject access

Personal data which is normally held for under 40 days may be legitimately denied in subject access requests under the Act.

Data Protection Act 1998 - Regulation

Compliance with the Act is regulated and enforced by an independent authority, the Information Commissioner's Office, which maintains guidance relating to the Act. Full details can be found at http://www.ico.gov.uk. (Guidance - The Data Protection Act, [http://www.ico.gov.uk/what_we_cover/data_protection/guidance.aspx Page of Assorted Guidance], Information Commissioner's Office, accessed 20 October 2007)

Data protection

'Information privacy', or 'data privacy (or data protection)', is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.

Privacy concerns exist wherever personally identifiable information is collected and stored – in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. Data privacy issues can arise in response to information from a wide range of sources, such as:

* Criminal justice investigations and proceedings
* Biological traits, such as genetic material
* Residence and geographic records

The challenge in data privacy is to share data while protecting personally identifiable information. The fields of data security and information security design and utilize software, hardware and human resources to address this issue. As the laws and regulations related to data protection are constantly changing, it is important to keep abreast of any changes in the law and continually reassess your compliance with data privacy and security regulations. (Robert Hasty, Dr Trevor W. Nagel and Mariam Subjally, Data Protection Law in the USA. Advocates for International Development, August 2013. http://a4id.org/sites/default/files/user/Data%20Protection%20Law%20in%20the%20USA_0.pdf)

Data protection - Information types

Various types of personal information often come under privacy concerns.

Data protection - Cable television

The ability to control what information one reveals about oneself over cable television, and who can access that information.

Data protection - Financial

Information about a person's financial transactions, including the amount of assets, positions held in stocks or funds, outstanding debts, and purchases can be sensitive.

Data protection - Locational

As location tracking capabilities of mobile devices are increasing (location-based services), problems related to user privacy arise.

Data protection - Political

Political privacy has been a concern since voting systems emerged in ancient times. The secret ballot is the simplest and most widespread measure to ensure that political views are not known to anyone other than the voter themself; it is nearly universal in modern democracy, and considered to be a basic right of citizenship. In fact, even where other rights of privacy do not exist, this type of privacy very often does.

Data protection - Educational

In the United Kingdom, in 2012 the Education Secretary Michael Gove described the National Pupil Database as a rich dataset whose value could be maximised by making it more openly accessible, including to private companies.

Data protection - Legality

The legal protection of the right to privacy in general - and of data privacy in particular - varies greatly around the world.

There is a significant challenge for organizations that hold sensitive data to achieve and maintain compliance with so many regulations that have relevance to information privacy.

Orange (UK) - Data protection

In 2007 Orange was found to be in breach of the Data Protection Act 1998 by the Information Commissioner's Office (ICO) after complaints from customers about the use of their personal information. Orange has since agreed to reinforce the requirements of the Act.

R1Soft Continuous Data Protection

Continuous Data Protection can restore previously captured disk images to another disk, effectively replicating the structure and contents to a new disk.

R1Soft Continuous Data Protection - Supported File Systems

File systems supported by the software (http://www.r1soft.com/linux-cdp/cdp-enterprise-edition/sys-req/):

* Linux Swap

R1Soft Continuous Data Protection - Limitations

R1Soft CDP Enterprise Edition 3.0 can only store up to 64 TB of backup data per protected disk or volume. (http://www.r1soft.com/windows-cdp/cdp-30-enterprise-edition/features/industrial-strength-storage/)

Continuous data protection

'Continuous data protection' (CDP), also called 'continuous backup' or 'real-time backup', refers to backup of computer data by automatically saving a copy of every change made to that data, essentially capturing every version of the data that the user saves.

CDP runs as a service that captures changes to data to a separate storage location. There are multiple methods for capturing the continuous changes involving different technologies that serve different needs. CDP-based solutions can provide fine granularities of restorable objects ranging from crash-consistent images to logical objects such as files, mail boxes, messages, and database files and logs.

Continuous data protection - Differences from traditional backup

Continuous data protection has no backup schedules.

Continuous data protection - Continuous vs near continuous

Such schemes are not universally recognized as true continuous data protection, as they do not provide the ability to restore to any point in time.

Continuous data protection - Differences from RAID, replication or mirroring

Continuous data protection differs from RAID, replication, or mirroring in that these technologies only protect one copy of the data (the most recent). If data becomes corrupted in a way that is not immediately detected, these technologies simply protect the corrupted data.

Continuous data protection protects against some effects of data corruption by allowing restoration of a previous, uncorrupted version of the data. Transactions that took place between the corrupting event and the restoration are lost, however. They could be recovered through other means, such as journaling.

Continuous data protection - Backup disk size

In some situations, continuous data protection requires less space on backup media (usually disk) than traditional backup. Most continuous data protection solutions save byte- or block-level differences rather than file-level differences. This means that if you change one byte of a 100 GB file, only the changed byte or block is backed up. Traditional incremental and differential backups make copies of entire files.
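To make the block-level and any-point-in-time claims concrete, here is an added example (not code from the original page or from any CDP product): a minimal block-change journal in Python that records only the blocks that differ from the previous capture and rebuilds the image as it stood at any captured logical time, which is also how the pre-corruption version is recovered. The 64 KiB file, the one-byte edit and the corruption are constructed sample data.

```python
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096  # capture granularity: the "changed byte or block" of the text


class ContinuousBlockJournal:
    """Append-only journal of changed blocks, each tagged with the logical time
    of the write. Restoring to time t replays every entry with time <= t, so
    any captured version can be recovered without a backup schedule."""

    def __init__(self) -> None:
        self._entries: List[Tuple[int, int, bytes]] = []  # (time, block_no, data)
        self._sizes: List[Tuple[int, int]] = []           # (time, file length)
        self._last: bytes = b""

    @staticmethod
    def _split(data: bytes) -> List[bytes]:
        return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]

    def capture(self, image: bytes, t: int) -> int:
        """Journal only the blocks that differ from the previous image.
        Returns the number of blocks written to the journal."""
        if self._sizes and t <= self._sizes[-1][0]:
            raise ValueError("captures must be in increasing time order")
        old, new = self._split(self._last), self._split(image)
        changed = 0
        for i, blk in enumerate(new):
            if i >= len(old) or old[i] != blk:
                self._entries.append((t, i, blk))
                changed += 1
        # The file length is journaled too, so a shrink is restorable even
        # though stale trailing blocks remain in the journal.
        self._sizes.append((t, len(image)))
        self._last = image
        return changed

    def restore(self, t: int) -> bytes:
        """Reconstruct the image exactly as it was at logical time t."""
        size = None
        for ts, n in self._sizes:
            if ts <= t:
                size = n
        if size is None:
            raise KeyError(f"no capture at or before t={t}")
        blocks: Dict[int, bytes] = {}
        for ts, i, blk in self._entries:
            if ts <= t:
                blocks[i] = blk  # later writes to the same block win
        image = b"".join(blocks[i] for i in sorted(blocks))
        return image[:size]

    def journal_bytes(self) -> int:
        """Total backup storage consumed by the journal."""
        return sum(len(b) for _, _, b in self._entries)


def demo() -> dict:
    """Constructed scenario: a 64 KiB file, a one-byte edit, then a corruption
    of the first block that is not noticed until after it has been captured."""
    original = bytes(range(256)) * 256            # 64 KiB of constructed data
    journal = ContinuousBlockJournal()
    journal.capture(original, t=10)

    edited = bytearray(original)
    edited[20000] ^= 0xFF                         # flip a single byte
    edited = bytes(edited)
    blocks_for_edit = journal.capture(edited, t=20)

    corrupted = bytearray(edited)
    corrupted[0:BLOCK_SIZE] = b"\x00" * BLOCK_SIZE  # silent corruption of block 0
    corrupted = bytes(corrupted)
    journal.capture(corrupted, t=30)

    return {
        "blocks_for_edit": blocks_for_edit,                 # 1 block, not 64 KiB
        "journal_bytes": journal.journal_bytes(),
        "file_level_bytes": 3 * len(original),              # whole-file copies
        "restored_before_corruption": journal.restore(25) == edited,
        "restored_original": journal.restore(10) == original,
        "latest_is_corrupted": journal.restore(30) == corrupted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```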

Continuous data protection - Risks and disadvantages

The protection afforded by continuous data protection is often heralded without consideration of the disadvantages and challenges that it can present.

Biometric passport - Data protection

Biometric passports are equipped with protection mechanisms to avoid and/or detect attacks:

* Non-traceable chip characteristics. Random chip identifiers reply to each request with a different chip number. This prevents tracing of passport chips. Using random identification numbers is optional.
* Basic Access Control (BAC). BAC protects the communication channel between the chip and the reader by encrypting transmitted information. Before data can be read from a chip, the reader needs to provide a key which is derived from the Machine Readable Zone: the date of birth, the date of expiry and the document number. If BAC is used, an attacker cannot (easily) eavesdrop on transferred information without knowing the correct key. Using BAC is optional.
* Passive Authentication (PA)
* Active Authentication (AA). AA prevents cloning of passport chips. The chip contains a private key that cannot be read or copied, but its existence can easily be proven. Using AA is optional.
* Extended Access Control (EAC). EAC adds functionality to check the authenticity of both the chip (chip authentication) and the reader (terminal authentication). Furthermore, it uses stronger encryption than BAC. EAC is typically used to protect fingerprints and iris scans. Using EAC is optional. In the EU, using EAC is mandatory for all documents issued starting 28 June 2009.
* Shielding the chip. This prevents unauthorized reading. Some countries – including at least the US – have integrated a very thin metal mesh into the passport's cover to act as a shield (Faraday cage) when the passport cover is closed. The use of shielding is optional.
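As an added example (not code from the original page or any passport implementation), the BAC key derivation the list describes, following the ICAO 9303 scheme: the document number, date of birth and date of expiry are each followed by their MRZ check digit, hashed with SHA-1 to a seed, and the encryption and MAC keys are derived from that seed. It makes the practical point visible: every input comes from data printed in the passport, so BAC keeps out an eavesdropper who has never seen the data page, and nothing more. The MRZ values used are constructed sample values, not from a real document.

```python
import hashlib

# ICAO 9303 check digit: weights 7, 3, 1 repeat across the field; digits count
# as their value, letters A-Z as 10-35 and the filler '<' as 0; result is mod 10.
_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """Numeric value of one MRZ character for the check-digit calculation."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")


def check_digit(field: str) -> int:
    """Check digit printed after the document number, birth date and expiry date."""
    return sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(document_number: str, date_of_birth: str, date_of_expiry: str) -> str:
    """The 'MRZ information' that seeds BAC: each of the three fields followed
    by its check digit. The document number is padded with '<' to 9 characters;
    dates are YYMMDD exactly as printed in the MRZ."""
    if len(document_number) > 9 or len(date_of_birth) != 6 or len(date_of_expiry) != 6:
        raise ValueError("document number is at most 9 characters; dates are YYMMDD")
    doc = document_number.upper().ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{date_of_birth}{check_digit(date_of_birth)}"
            f"{date_of_expiry}{check_digit(date_of_expiry)}")


def adjust_parity(key: bytes) -> bytes:
    """Give every byte odd parity by fixing its least significant bit,
    as DES/3DES key bytes require."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def derive_bac_keys(document_number: str, date_of_birth: str, date_of_expiry: str):
    """Return (K_enc, K_mac) for Basic Access Control.
    K_seed is the first 16 bytes of SHA-1 over the MRZ information; each key is
    the first 16 bytes of SHA-1(K_seed || 32-bit counter), counter 1 for the
    encryption key and 2 for the MAC key, with DES parity adjusted."""
    info = mrz_information(document_number, date_of_birth, date_of_expiry)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    k_enc = adjust_parity(hashlib.sha1(k_seed + (1).to_bytes(4, "big")).digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(k_seed + (2).to_bytes(4, "big")).digest()[:16])
    return k_enc, k_mac


if __name__ == "__main__":
    # Sample MRZ values, constructed for this example (not a real document).
    doc, dob, exp = "L898902C", "690806", "940623"
    print("MRZ information:", mrz_information(doc, dob, exp))
    k_enc, k_mac = derive_bac_keys(doc, dob, exp)
    print("K_enc:", k_enc.hex())
    print("K_mac:", k_mac.hex())
    # Everything above was derived from data printed inside the passport, so
    # the keys are only as secret as the MRZ itself; this is why EAC adds
    # terminal authentication for the more sensitive data groups.
```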

Quantum Corporation - Virtualization and Cloud Data Protection Products 2011–present

Two months after its June 2011 acquisition of Pancetera Software, Quantum announced a new product line called vmPRO, software and appliances for protecting virtual machine (VM) data. ([http://phx.corporate-ir.net/phoenix.zhtml?c=69905p=irol-newsArticleID=1600998highlight= Press release announcing vmPRO]) vmPRO software works with DXi appliances and users' existing backup applications to integrate VM backup and recovery into their existing data protection processes.

vmPRO appliances are complete solutions that include both backup software and storage to retain months of data. A high-speed backup utility writes data directly to disk and leverages deduplication for long-term retention. The appliances also include a capacity-on-demand feature – pre-loaded capacity that can be activated with a licensing key.

The Quantum vmPRO 4000 won the “Backup Hardware Product of the Year” award in the Storage magazine/SearchStorage.com 2011 Products of the Year competition. ([http://searchstorage.techtarget.com/feature/Quantum-Corp-vmPRO-4000-appliance SearchStorage Article]) It was also named “Storage Virtualisation Product of the Year” at the 2011 Storage, Virtualisation and Cloud Computing (SVC) Awards. ([http://searchstorage.techtarget.com/feature/Quantum-Corp-vmPRO-4000-appliance 2012 SVC Award Winners])

In March 2012, Quantum announced that its vmPRO technology and DXi V1000 virtual appliance had been selected by Xerox as a key component of Xerox's cloud backup and disaster recovery (DR) services. ([http://www.eweek.com/c/a/Data-Storage/Quantum-Releases-DXi-V1000-Virtual-Deduplication-Appliance-846394/ eWeek Article])

In August 2012, Quantum announced Q-Cloud, its own branded cloud-based data protection service, which is also based on vmPRO and DXi technology. Q-Cloud provides backup of both physical and virtual infrastructures for capacities ranging from 1 TB up to 1 PB of protected data. ([http://www.eweek.com/c/a/Data-Storage/Quantum-Releases-DXi-V1000-Virtual-Deduplication-Appliance-846394/ Computer Technology Article])

Data Protection API

In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

For nearly all cryptosystems, one of the most difficult challenges is key management - in part, how to securely store the decryption key.

The DPAPI keys used for encrypting the user's RSA keys are stored under %APPDATA%\Microsoft\Protect\{SID}, where {SID} is the security identifier of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys. It usually is 64 bytes of random data.

Though the DPAPI internals are largely undocumented by Microsoft, Elie Bursztein and Jean-Michel Picod presented an analysis of the protocol titled "Reversing DPAPI and Stealing Windows Secrets Offline" at [http://www.blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html Black Hat DC 2010]. In addition to their briefing, Bursztein and Picod released [http://www.dpapick.com DPAPIck], which allows offline decryption of data encrypted with DPAPI.

Data Protection API - Security properties

DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns ciphertext (or vice versa).

DPAPI security relies upon the Windows operating system's ability to protect the Master Key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials.

Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use DPAPI.

Data Protection API - Use of DPAPI by Microsoft software

While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows.

* Internet Information Services for SSL/TLS
* Windows 2000 and later for EAP/TLS (VPN authentication) and 802.1x (WiFi authentication)
* Windows XP and later for [http://technet.microsoft.com/en-us/library/bb457059.aspx Stored User Names and Passwords] (aka Credential Manager)
* .NET Framework 2.0 and later for [http://msdn2.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx System.Security.Cryptography.ProtectedData]

Data Protection Act 1984

The Act defines eight 'data protection principles'.

Data Protection Act 1984 - Subject rights

* View the data an organisation holds on them. A 'subject access request' can be obtained for a nominal fee. As of January 2014, the maximum fee is £2 for requests to credit reference agencies, £50 for health and educational requests, and £10 per individual otherwise,


System Center Data Protection Manager

'System Center Data Protection Manager (DPM)' is a software product from Microsoft that provides near-continuous data protection and data recovery in a Microsoft Windows environment. It is part of the Microsoft System Center family of products and is Microsoft's first entry into near-continuous backup and data recovery. It uses Shadow Copy technology for continuous backups.

System Center Data Protection Manager - Overview

Data Protection Manager delivers centralized backup of branch offices and within the data center by near-continuously protecting changed files at the byte level to a secondary disk, which can then be backed up to tape. This also enables rapid and reliable recovery from an easily accessible disk instead of waiting to locate and mount tapes.

Data Protection Manager 2006 was released on September 27, 2005 at Storage Decisions in New York. The current version, Data Protection Manager 2012, supports protection of Windows file servers, Exchange Server, Microsoft SQL Server, SharePoint and Microsoft Virtual Server. It features bare-metal restore.

System Center Data Protection Manager - Supported systems

The following versions of the servers are supported:

Page 172: Data Protection

General Data Protection Regulation

The Commission's proposal was welcomed by the Danish Minister of Justice in his capacity as sitting president of the EU Justice and Home Affairs Council. [http://eu2012.dk/en/NewsList/Januar/week-4/data-protection Statement on the European Commission's proposals for new EU Data Protection rules]

Page 173: Data Protection

General Data Protection Regulation - Summary

[http://www.mlawgroup.de/news/publications/detail.php?we_objectID=227 New draft European data protection regime]

Page 174: Data Protection

General Data Protection Regulation - Summary

Note: the current (LIBE consolidated) version raises the maximum fine to 5% of annual worldwide turnover. [http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf Inofficial consolidated version GDPR]. Rapporteur Jan Philipp Albrecht. Retrieved 9 December 2013.

Page 175: Data Protection

General Data Protection Regulation - Content

The proposal for the European Data Protection Regulation contains the following key changes (the article numbers cited below refer to the Commission's January 2012 text, COM(2012) 11, and were renumbered in the Regulation as finally adopted): [http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf Proposal for the EU General Data Protection Regulation]. European Commission. 25 January 2012. Retrieved 3 January 2013.

Page 176: Data Protection

General Data Protection Regulation - Scope

[http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en European Commission's press release announcing the proposed comprehensive reform of data protection rules]

Page 177: Data Protection

General Data Protection Regulation - Single Set of Rules

One single set of rules applies to all EU member states, and a single 'Data Protection Authority (DPA)' will be responsible for each company, depending on where the company is based or which DPA it chooses. A European Data Protection Board will coordinate the DPAs.

Page 178: Data Protection

General Data Protection Regulation - Single Set of Rules

There is an exception for employee data, which may still be subject to individual member-state regulation.

Page 179: Data Protection

General Data Protection Regulation - Responsibility Accountability

The notice requirements remain and are expanded: notices must now state the retention period for the personal data and provide contact information for the data controller and the data protection officer.

Page 180: Data Protection

General Data Protection Regulation - Responsibility Accountability

'Privacy by Design' and 'Privacy by Default' (Article 23) require that data protection be designed into the development of business processes for products and services. By default, only the personal data necessary for each specific purpose of the processing is to be processed, so the most protective setting has to be the one a user gets without changing anything.

Page 181: Data Protection

General Data Protection Regulation - Responsibility Accountability

'Data Protection Impact Assessments' (Article 33) have to be conducted when specific risks to the rights and freedoms of data subjects arise. Risk assessment and mitigation are required, and prior consultation of (or authorisation by) the DPA is required for high-risk processing. 'Data Protection Officers' (Articles 35-37) are to ensure compliance within organizations. They have to be appointed for all public authorities and for companies processing the data of more than 5000 data subjects within any 12-month period (the LIBE figure; the Commission's proposal used a threshold of 250 employees instead).

Page 182: Data Protection

General Data Protection Regulation - Consent

Data controllers must be able to prove consent (opt-in), and consent may be withdrawn. [https://www.privacyassociation.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide]

Page 183: Data Protection

General Data Protection Regulation - Data breaches

The data controller has to notify the DPA without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach (Article 31). Individuals have to be notified if an adverse impact is determined (Article 32). The Commission's original text set the deadline at 24 hours; 72 hours is the Parliament's figure, and it is the one the adopted Regulation kept. Because the clock starts at the moment of awareness, detection and internal escalation have to be fast enough to leave time for the assessment the notification requires.

Page 184: Data Protection

General Data Protection Regulation - Sanctions

* regular periodic data protection audits

Page 185: Data Protection

General Data Protection Regulation - Sanctions

* a fine of up to EUR 100 000 000 or up to 5% of annual worldwide turnover in the case of an enterprise, whichever is greater (the LIBE figure; the Commission's proposal capped fines at EUR 1 000 000 or 2%, and the Regulation as finally adopted in 2016 at EUR 20 000 000 or 4%)

Page 186: Data Protection

General Data Protection Regulation - Right to be Forgotten

Personal data has to be deleted when the individual withdraws consent or the data is no longer necessary and there is no legitimate reason for an organization to keep it (Article 17).

Page 187: Data Protection

General Data Protection Regulation - Data Portability

A user shall be able to request a copy of the personal data being processed in a structured, commonly used format usable by that person, and to transmit it electronically to another processing system.

Page 188: Data Protection

General Data Protection Regulation - Timeline

The preliminary schedule is: [http://www.janalbrecht.eu/themen/datenschutz-und-netzpolitik/alles-wichtige-zur-datenschutzreform.html Important facts regarding the GDPR (German language)]. Jan Philipp Albrecht. Retrieved 23 July 2013.

Page 189: Data Protection

General Data Protection Regulation - Timeline

* 21 October 2013: the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) held its orientation vote.

Page 190: Data Protection

General Data Protection Regulation - Timeline

* Ongoing negotiations between the European Parliament, the Council and the Commission (trilogue). The Regulation was ultimately adopted on 27 April 2016 as Regulation (EU) 2016/679 and became applicable on 25 May 2018.

Page 191: Data Protection

General Data Protection Regulation - Discussion Challenges

The proposal for the new regulation is not final yet and the discussions are controversial; many amendments have been proposed. [http://lobbyplag.eu/map Overview of amendments]. LobbyPlag. Retrieved 23 July 2013.

Page 192: Data Protection

General Data Protection Regulation - Discussion Challenges

The single set of rules and the removal of administrative requirements are supposed to save money, but critics point out several issues:

Page 193: Data Protection

General Data Protection Regulation - Discussion Challenges

* The requirement to have a Data Protection Officer (DPO) is new for many EU countries and is criticized by some for its administrative burden.

Page 194: Data Protection

General Data Protection Regulation - Discussion Challenges

* The GDPR was developed with a focus on social networks and cloud providers, but did not sufficiently consider the requirements for handling employee data.

Page 195: Data Protection

General Data Protection Regulation - Discussion Challenges

* Data portability is not seen as a key aspect of data protection, but rather as a functional requirement for social networks and cloud providers.

Page 196: Data Protection

General Data Protection Regulation - Discussion Challenges

* Language and staffing challenges for the Data Protection Authorities (DPAs):

Page 197: Data Protection

General Data Protection Regulation - Discussion Challenges

** Non-European companies might prefer the UK or Irish DPA because of the English language. This will require extensive resources in those countries.

Page 198: Data Protection

General Data Protection Regulation - Discussion Challenges

** EU citizens no longer have a single DPA to contact for their concerns, but have to deal with the DPA the company chose. Communication problems due to foreign languages are to be expected.

Page 199: Data Protection

General Data Protection Regulation - Discussion Challenges

* The new regulation conflicts with non-European laws, regulations and practices (e.g. surveillance by governments). Companies in such countries should no longer be acceptable for processing EU personal data.

Page 200: Data Protection

General Data Protection Regulation - Discussion Challenges

** The European Commission and the DPAs have to provide sufficient resources and powers to enforce implementation, and a uniform level of data protection has to be agreed upon by all European DPAs, since differing interpretations of the regulation might still lead to different levels of privacy.

Page 201: Data Protection

General Data Protection Regulation - Discussion Challenges

** Implementing the EU GDPR will require comprehensive changes to business practices for companies that have not so far implemented a comparable level of privacy (especially non-European companies handling EU personal data).

Page 202: Data Protection

General Data Protection Regulation - Discussion Challenges

** There is already a shortage of privacy experts and expertise today, and the new requirements might worsen the situation. Education in data protection and privacy will therefore be a critical factor for the success of the GDPR.

Page 203: Data Protection

General Data Protection Regulation - Change Management

# The proposed changes to the European Data Protection Regulation will affect you if you have:

Page 204: Data Protection

General Data Protection Regulation - Change Management

#* European employees, partners, offices, etc.

Page 205: Data Protection

General Data Protection Regulation - Change Management

# Take your time to go through the changes in the GDPR and identify the new requirements.

Page 206: Data Protection

General Data Protection Regulation - Change Management

# Determine which risks to privacy need real protection, considering your:

Page 207: Data Protection

General Data Protection Regulation - Change Management

#* business situation (such as reputation and customer satisfaction)

Page 208: Data Protection

News site

Online newspapers are much like hard-copy newspapers and have the same legal boundaries: laws regarding libel, privacy and copyright ([http://www.copyrightservice.co.uk/copyright/p01_uk_copyright_law UK Copyright Law] information website) also apply to online publications in most countries, including the UK. In the UK the Data Protection Act 1998 ([http://www.legislation.gov.uk/ukpga/1998/29 Data Protection Act 1998]) applies to online newspapers and news pages, as do the Press Complaints Commission (PCC) rules. But it was not very clear to the UK public what was a blog or forum site and what was an online newspaper. In 2007 a ruling was passed to formally regulate UK-based online newspapers, news audio and news video websites, covering the responsibilities expected of them and clearing up what is, and what isn't, an online publication. See [http://www.journalism.co.uk/news/story3152.shtml Journalism Mag.], the PCC [http://www.pcc.org.uk/news/index.html?articleNDMyMQ1 website] and the AOP (UK Association of Online Publishers).

Page 209: Data Protection

Orange UK - Data protection

In 2007 Orange was found to be in breach of the Data Protection Act 1998 by the Information Commissioner's Office (ICO) after complaints from customers about the use of their personal information.

Page 210: Data Protection

Off-site data protection

In computing, 'off-site data protection', or 'vaulting', is the strategy of sending critical data out of the main location (off the main site) as part of a disaster recovery plan.

Page 211: Data Protection

Off-site data protection

Although some organizations manage and store their own off-site backups, many choose to have their backups managed and stored by third parties who specialize in the commercial protection of off-site data.

Page 212: Data Protection

Off-site data protection - Data vaults

The storage of off-site data is also known as vaulting, as backups are stored in purpose-built vaults. There are no generally recognized standards for the type of structure that constitutes a vault. That said, commercial vaults typically fit into three categories:

Page 213: Data Protection

Off-site data protection - Data vaults

* Underground vaults - often converted defunct Cold War military or communications facilities, or even disused mines.

Page 214: Data Protection

Off-site data protection - Data vaults

* Insulated chambers sharing facilities - often implemented within existing record center buildings.

Page 215: Data Protection

Off-site data protection - Hybrid on site and off-site vaulting

Hybrid on-site and off-site data vaulting, sometimes known as Hybrid Online Backup, combines local backup for fast backup and restore with off-site backup for protection against local disasters. According to Liran Eshel, CEO of CTERA Networks, this ensures that the most recent data is available locally should recovery be needed, while archived data that is needed much less often is stored in the cloud.

Page 216: Data Protection

Off-site data protection - Hybrid on site and off-site vaulting

Hybrid Online Backup works by storing data to local disk so that the backup can be captured at high speed; either the backup software or a D2D2C (disk-to-disk-to-cloud) cloud storage gateway appliance then encrypts the data and transmits it to a service provider. The security of the off-site tier rests on where the encryption key lives: if it is generated and held on the client side, the provider only ever stores ciphertext, and losing the key means losing the off-site copy, so the key needs its own backup that does not go to the same provider.
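As an added example of the D2D2C flow just described (written for this page; it is not CTERA's, any vendor's or the original page's code), the Go program below keeps a plaintext copy on a fast local tier, ships only an AES-256-GCM encrypted copy to the provider, and restores from the off-site copy after the local tier is lost. It assumes in-memory maps as stand-ins for the local disk and the provider's object store, a key generated on the client, and the object name bound as associated data so a blob returned under the wrong name is rejected; the payroll lines are a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Vault models D2D2C hybrid backup: a plaintext copy on fast local disk for everyday
// restores plus an encrypted copy shipped off site. Maps stand in for both tiers (assumption).
type Vault struct {
	aead  cipher.AEAD       // AES-256-GCM under a key generated and held on the client
	Local map[string][]byte // tier 1: plaintext copies on local disk
	Cloud map[string][]byte // tier 2: exactly the bytes the provider receives
}

// NewVault generates the client-held key. Losing it loses the off-site tier,
// so in practice it is escrowed in a KMS or HSM, never with the provider.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, Local: map[string][]byte{}, Cloud: map[string][]byte{}}, nil
}

// seal binds the object name as associated data, so a blob the provider hands
// back under another name fails to open. Blob layout: nonce || ciphertext || tag.
func (v *Vault) seal(plaintext []byte, name string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// open verifies the GCM tag (and the bound name) before releasing any plaintext.
func (v *Vault) open(blob []byte, name string) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n+v.aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

// Backup captures the fast local copy first, then ships the off-site copy.
// Only ciphertext ever leaves the site.
func (v *Vault) Backup(name string, data []byte) error {
	v.Local[name] = append([]byte(nil), data...)
	blob, err := v.seal(data, name)
	if err != nil {
		return err
	}
	v.Cloud[name] = blob
	return nil
}

// Restore serves the local copy when present (the common case) and falls back
// to the off-site copy after a local disaster, authenticating it first.
func (v *Vault) Restore(name string) ([]byte, error) {
	if data, ok := v.Local[name]; ok {
		return data, nil
	}
	blob, ok := v.Cloud[name]
	if !ok {
		return nil, fmt.Errorf("%s: no copy on either tier", name)
	}
	return v.open(blob, name)
}

// LocalDisaster simulates losing the entire on-site tier.
func (v *Vault) LocalDisaster() { v.Local = map[string][]byte{} }

// CloudSeesPlaintext is the check to run against any "encrypting" gateway:
// does the object the provider holds contain the backed-up bytes in clear?
func (v *Vault) CloudSeesPlaintext(name string, data []byte) bool {
	return bytes.Contains(v.Cloud[name], data)
}

func main() {
	v, _ := NewVault()
	payroll := []byte("employee,salary\nalice,52000\nbob,48500\n") // constructed sample
	_ = v.Backup("payroll.csv", payroll)
	fmt.Println("provider holds plaintext:", v.CloudSeesPlaintext("payroll.csv", payroll))
	v.LocalDisaster()
	got, err := v.Restore("payroll.csv")
	fmt.Println("off-site restore ok:", err == nil && bytes.Equal(got, payroll))
}
```

The name-as-associated-data choice is what distinguishes this from plain encryption: a provider (or an attacker with write access to the bucket) cannot silently substitute one customer object for another, and any bit flipped in transit or at rest fails authentication instead of restoring corrupted data.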

Page 217: Data Protection

Off-site data protection - Hybrid on site and off-site vaulting

Note: see also Comparison of online backup services for a list of online backup services that support Hybrid Online Backup.

Page 218: Data Protection

Off-site data protection - Statutory obligations

Data protection statutes are usually non-prescriptive, within the commercial IT arena, as to how data is to be protected, but they increasingly require the active protection of data. United States federal entities have specific requirements as defined by the U.S. National Institute of Standards and Technology (NIST). NIST documentation can be obtained at http://csrc.nist.gov/publications/PubsSPs.html, and commercial organizations have the option of using these documents for their own compliance requirements. For off-site backup specifically, the relevant material is NIST SP 800-34 (contingency planning for federal information systems) and the CP-6 (alternate storage site) and CP-9 (system backup) controls in NIST SP 800-53.

Page 219: Data Protection

Off-site data protection - Statutory obligations

* History - today's regulatory requirements started with the Rainbow Series. Every organization has used these standards to develop its own version of compliance. Don't get wrapped around the NIC on compliance: use due care, apply due diligence, and build your infrastructure with security as the foundation.

Page 220: Data Protection

Off-site data protection - Statutory obligations

Statutes and frameworks which mandate the protection of data are:

Page 221: Data Protection

Off-site data protection - Statutory obligations

* Federal Information Security Management Act of 2002 (FISMA) - US

Page 222: Data Protection

Off-site data protection - Statutory obligations

* GAO Federal Information System Controls Audit Manual (FISCAM) - US (an audit manual rather than a statute)

Page 223: Data Protection

Off-site data protection - Statutory obligations

* Health Insurance Portability and Accountability Act (HIPAA) - US

Page 224: Data Protection

Off-site data protection - Statutory obligations

* Basel II - international banking accord (not a statute in itself; applied through national regulators)

Page 225: Data Protection

Off-site data protection - Statutory obligations

* Data Protection Act 1998 - UK

Page 226: Data Protection

Off-site data protection - Statutory obligations

* Foreign Corrupt Practices Act (FCPA) - US

Page 227: Data Protection

Off-site data protection - Legal precedents

* Thomas F. Linnen, et al. v. A.H. Robins Company, Inc., et al. (Mass. Super. Court, No. 97-2307).

Page 228: Data Protection

Off-site data protection - Legal precedents

* Linnen v. Robins, 1999 WL 462015, 10 Mass. L. Rptr. 189 (Mass. Super. Court, 1999).

Page 229: Data Protection

List of European Union directives - Privacy and data protection

* Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (24 October 1995)

Page 230: Data Protection

List of European Union directives - Privacy and data protection

* Directive on a Community framework for electronic signatures (1999/93/EC, 13 December 1999) [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:NOT on EUR-Lex]

Page 231: Data Protection

List of European Union directives - Privacy and data protection

* Directive on Privacy and Electronic Communications (2002/58/EC, 12 July 2002) [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT on EUR-Lex]

Page 232: Data Protection

List of European Union directives - Privacy and data protection

* Directive 2009/136/EC (25 November 2009) [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:01:EN:HTML on EUR-Lex], which was COD/2007/0248 in the Telecoms Package, amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

Page 233: Data Protection

National data protection authority

'National data protection authorities' are authorities tasked with the protection of data and privacy in the European Union and the European Free Trade Association (EFTA) member countries. Their status was formalized by the Data Protection Directive, and they were involved in the Madrid Resolution.

Page 234: Data Protection

National data protection authority - EU countries

* France: the Commission nationale de l'informatique et des libertés (CNIL)

Page 235: Data Protection

National data protection authority - EU countries

* United Kingdom: the Information Commissioner's Office (ICO)

Page 236: Data Protection

National data protection authority - Third countries

* Australia: the Office of the Australian Information Commissioner (OAIC)

Page 237: Data Protection

National data protection authority - Third countries

* Isle of Man: the Office of the Data Protection Supervisor

Page 238: Data Protection

Right to be forgotten - European Data Protection Regulation

Article 17 of the 2012 draft European Data Protection Regulation details the right to be forgotten and to erasure.

Page 239: Data Protection

Right to be forgotten - European Data Protection Regulation

The draft EU General Data Protection Regulation requires data controllers who have been informed that an individual has requested the deletion of any links to, or copies of, information to take all reasonable steps, including technical measures, in relation to data for whose publication the controller is responsible, to inform third parties that are processing such data that the data subject requests them to erase any links to, or copy or replication of, that personal data.

Page 240: Data Protection

Right to be forgotten - European Data Protection Regulation

The European Parliament was expected to adopt the proposals at first reading in the April 2013 plenary session (the first-reading vote in fact took place on 12 March 2014).

Page 241: Data Protection

Right to be forgotten - European Data Protection Regulation

The European Union is a highly influential body, and this movement towards the right to be forgotten in the EU is a step towards its global recognition as a right. In support of this, in 2012 the Obama Administration released a Consumer Privacy Bill of Rights to protect consumers online; while not quite of the strength of the EU law, it is a step towards recognition of the right to be forgotten.

Page 242: Data Protection

Data Protection Commissioner

The Data Protection Commissioner is the national data protection authority for Ireland.

Page 243: Data Protection

Data Protection Commissioner

In the UK, this function is carried out by the Information Commissioner.

Page 244: Data Protection

Michael Gove - Children's Homes Scandal and Data Protection Rules

In September 2013, news that the DfE did not maintain a register of children's homes in the UK came to light as a result of an article Gove wrote for the Daily Telegraph. Gove asserted his prior ignorance of, and surprise at, the fact that the department did not hold this information, and claimed that Ofsted was prevented by 'data protection' rules, 'child protection' concerns and other bewildering regulations from sharing that data with us, or even with the police.

Page 245: Data Protection

Michael Gove - Children's Homes Scandal and Data Protection Rules

Gove's claim was refuted the same day by the Information Commissioner, Christopher Graham, who pointed out that there was nothing in data protection legislation that prevents vulnerable young people from being properly protected in care homes. Graham noted that '[t]his law covers information about people so it has no bearing on the disclosure of non-personal information like the location of care homes', and said he would be writing to both Gove and Michael Wilshaw about the matter.

Page 246: Data Protection

Office of the Data Protection Supervisor

The office was originally created as the Isle of Man Data Protection Registrar by the Data Protection Act 1986.

Page 247: Data Protection

The Carphone Warehouse - Data protection

During 2005, TalkTalk's proactive sales techniques drew criticism in the press when it was accused of practising slamming to win new customers.

Page 248: Data Protection

The Carphone Warehouse - Data protection

Customers who bought mobile phones from Carphone Warehouse retail outlets alleged that their landline accounts were subsequently switched without their consent.

Page 249: Data Protection

The Carphone Warehouse - Data protection

On 15 August 2006, the Information Commissioner's Office issued preliminary enforcement notices for breaches of PECR (the Privacy and Electronic Communications Regulations) against Carphone Warehouse and TalkTalk for making marketing calls to people who were signed up to the Telephone Preference Service (TPS) or who had asked that the company make no further calls to them.

Page 250: Data Protection

The Carphone Warehouse - Data protection

On 28 October 2006, in a Times interview, Richard Thomas, Britain's Information Commissioner, stated: 'We're taking action against some of the telecom companies, Talk Talk and Carphone Warehouse

Page 251: Data Protection

Sabine Leutheusser-Schnarrenberger - On data protection

to tell state data protection officials about the kind of data the company was gathering on individual iPhone users in Germany. Kevin J