Data Protection
https://store.theartofservice.com/the-data-protection-toolkit.html
Data Protection Directive
On 25 January 2012, the European Commission unveiled a draft European General Data Protection Regulation that will supersede the Data Protection Directive.
Data Protection Directive - Context
The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence," subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data." The seven principles governing the OECD's recommendations for protection of personal data were:
* Notice: data subjects should be given notice when their data is being collected;
* Consent: data should not be disclosed without the data subject's consent;
* Security: collected data should be kept secure from any potential abuses;
* Disclosure: data subjects should be informed as to who is collecting their data;
* Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
* Accountability: data subjects should have a method available to them to hold data collectors accountable for following the above principles.

The OECD Guidelines, however, were nonbinding, and data privacy laws still varied widely across Europe. The US, meanwhile, while endorsing the OECD's recommendations, did nothing to implement them within the United States. However, all seven principles were incorporated into the EU Directive.

In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

The European Commission realised that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and accordingly proposed the Data Protection Directive.
Data Protection Directive - Content
The directive regulates the processing of personal data regardless of whether such processing is automated or not.
Data Protection Directive - Scope
Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a)

This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.

The notion of processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b)

The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. (art. 2 d)

As a consequence, the website operator would have to comply with the European data protection rules.

The proposed new European Union Data Protection Regulation (a draft for which was unveiled in January 2012) extends the scope of the EU data protection law to all foreign companies processing data of European Union residents.
Data Protection Directive - Principles
Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.
Data Protection Directive - Transparency
The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)

Data may be processed only under the following circumstances (art. 7):
* when the data subject has given his consent;
* when processing is necessary in order to protect the vital interests of the data subject;
* when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

The data subject also has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data protection rules.
Data Protection Directive - Legitimate purpose
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)
Data Protection Directive - Proportionality
Personal data may be processed only insofar as they are adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.

When sensitive personal data (which can include religious beliefs, political opinions, health, sexual orientation, race, or membership of past organisations) are being processed, extra restrictions apply. (art. 8)

The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)

A decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision-making processes are used.
Data Protection Directive - Supervisory authority and the public register of processing operations
Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations with the supervisory authority or in a court of law.

The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information (art. 19):
* a description of the category or categories of data subject and of the data or categories of data relating to them;
* proposed transfers of data to third countries;
* a general description of the measures taken to ensure security of processing.

This information is kept in a public register.
Data Protection Directive - Transfer of personal data to third countries
"Third countries" is the term used in legislation to designate countries outside the European Union. Personal data may only be transferred to third countries if that country provides an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.

The Directive's Article 29 created the "Working Party on the Protection of Individuals with regard to the Processing of Personal Data," commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.

The Working Party negotiated with U.S. representatives about the protection of personal data; the Safe Harbor Principles were the result. According to critics, the Safe Harbor Principles do not provide for an adequate level of protection, because they contain fewer obligations for the controller and allow the contractual waiver of certain rights.

In July 2007, a new, controversial Passenger Name Record agreement between the US and the EU was signed.

The tensions between Washington and Brussels are mainly caused by the lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974.
Data Protection Directive - Implementation by the member states
EU directives are addressed to the member states, and aren't legally binding for citizens in principle. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states have enacted their own data protection legislation.
Data Protection Directive - Comparison with US data protection law
To date, the US has no single data protection law comparable to the EU's Data Protection Directive.

The reasoning behind this approach probably has as much to do with American laissez-faire economics as with different social perspectives. The First Amendment of the United States Constitution guarantees the right to free speech. While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court, although it is often an explicit right in many state constitutions.

Germany and France, in particular, set forth comprehensive data protection laws.

Phil Zimmermann has called the EU's requirement of data retention worse for the individual than the ad-hoc policies of the USA.
Advertising Standards Authority (United Kingdom) - Data protection
These details are never disclosed without the complainant's permission, in accordance with the Data Protection Act 1998.

If the complaint comes from a competitor or someone with a trade or vested interest in the advertiser about which they are complaining, the ASA requires the company to agree to be named. This, according to the ASA, limits the number of petty or retaliatory complaints. The ASA proceeds only with the express permission of the complainant for their organisation to be named.
Internet privacy - Data protection regulation
The two major issues the CDT addresses in this analysis of the Data Protection Regulation are the inflexible rules against profiling users based on their Internet usage and the parental consent policy with regard to controlling the online information of children.
Criticism of Facebook - Investigation by the Irish Data Protection Commissioner 2011/2012
Under European law Facebook Ireland is the data controller for facebook.com, and therefore facebook.com is governed by European data protection laws.

The group europe-v-facebook.org (http://www.europe-v-facebook.org/EN/en.html) made access requests at Facebook Ireland and received up to 1,222 pages of data per person in 57 data categories that Facebook was holding about them, including data that had previously been removed by the users (http://www.europe-v-facebook.org/removed_content.pdf). Despite the amount of information given, the group claimed that Facebook did not give them all of its data.

The first 16 complaints target different problems, from undeleted old pokes all the way to the question of whether sharing and new functions on Facebook should be opt-in or opt-out. The second wave of 6 more complaints targeted further issues, including one against the Like button. The most severe could be a complaint that claims that the privacy policy, and the consent to the privacy policy, is void under European laws.

In an interview with the Irish Independent a spokesperson said that the DPC will go and audit Facebook, go into the premises and go through in great detail every aspect of security.
Directive 95/46/EC on the protection of personal data - Comparison with US data protection law
President Bill Clinton and former Vice-President Al Gore explicitly recommended in their Framework for Global Electronic Commerce that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology. To date, the US has no single data protection law comparable to the EU's Data Protection Directive.

Phil Zimmermann has called the EU's requirement of data retention worse for the individual than the ad-hoc policies of the USA. ("E-mail's Big Privacy Problem: Q&A With Silent Circle Co-Founder Phil Zimmermann", Forbes, http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-problem-qa-with-silent-circle-co-founder-phil-zimmermann/3/)
Information Commissioner's Office - Data Protection Act 1998
Under the provisions of EC Directive 95/46 on the protection of personal data (introduced in the UK as the Data Protection Act 1998, rather than as a Statutory Instrument (SI) under the European Communities Act 1972), the name of the post was changed to Data Protection Commissioner and later to Information Commissioner.

The register of data controllers is publicly available and searchable at the website of the ICO (http://www.ico.gov.uk/ESDWebPages/search.asp), which also gives links to the ICO's counterparts around Europe.
Data Protection Act 1998
The Act defines eight 'data protection principles'.
Data Protection Act 1998 - History
At the same time it aimed to implement the European Data Protection Directive.

The Jersey data protection law (the Data Protection (Jersey) Law 2005) was modelled on the UK law. (Wendy Benjamin, "Jersey: Data Protection In Jersey And Other Offshore Jurisdictions", mondaq.com, 23 July 2008, http://www.mondaq.com/article.asp?articleid=63832, retrieved 14 September 2012)
Data Protection Act 1998 - Personal data
The Act covers any data about a living and identifiable individual.

In some cases even a paper address book can be classified as a 'relevant filing system', for example diaries used to support commercial activities such as a salesperson's diary.

The Freedom of Information Act 2000 modified the Act for public bodies and authorities, and the Durant case modified the interpretation of the Act by providing case law and precedent.
Data Protection Act 1998 - Subject rights
The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or transmit such data. The person who has their data processed has the right to: ("Your rights", ICO, http://www.ico.gov.uk/what_we_cover/data_protection/your_rights.aspx, accessed 6 September 2007)
* View the data an organisation holds on them. A 'subject access request' can be obtained for a nominal fee (as of 2006, the maximum fee is £10 per individual; ICO FAQs, http://www.ico.gov.uk/Global/faqs/data_protection_for_the_public.aspx#f5EED57A6-1B5C-4032-A7A3-22ECBBF66D3D).
* Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.
* Require that data is not used in any way that may potentially cause damage or distress. (Data Protection Act 1998, Part II (Rights of data subjects and others), Section 10, http://www.legislation.gov.uk/ukpga/1998/29/section/10, Office of Public Sector Information, accessed 6 September 2007)
* Require that their data is not used for direct marketing. (Data Protection Act 1998, Part II (Rights of data subjects and others), Section 11, http://www.legislation.gov.uk/ukpga/1998/29/section/11, Office of Public Sector Information, accessed 6 September 2007)
Data Protection Act 1998 - Data protection principles
* Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
  * at least one of the conditions in Schedule 2 is met, and
  * in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
* Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
* Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
* Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
* Personal data shall be processed in accordance with the rights of data subjects (individuals). (The rights of individuals (Principle 6), ICO.gov.uk, http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_6.aspx, accessed 14 April 2011)
* Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
* Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data Protection Act 1998 - Conditions relevant to the first principle
Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2).
* The data subject (the person whose data is stored) has consented (given their permission) to the processing;
* Processing is required under a legal obligation (other than one stated in the contract);
* Processing is necessary to protect the vital interests of the data subject;
* Processing is necessary to carry out any public functions;
* Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the data subject). (Data Protection Act 1998, Schedule 2, OPSI.gov.uk, http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_10#sch2)
Data Protection Act 1998 - Consent
The European Data Protection Directive defines consent as "...any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed", meaning the individual may signify agreement other than in writing.

Additionally, consent should be appropriate to the age and capacity of the individual and other circumstances of the case.

The Data Protection Act also specifies that sensitive personal data must be processed according to a stricter set of conditions; in particular, any consent must be explicit.
Data Protection Act 1998 - Exceptions
The Act is structured such that all processing of personal data is covered by the Act, while providing a number of exceptions in Part IV. Notable exceptions are:
* Section 28 - National security. Any processing for the purpose of safeguarding national security is exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data).
* Section 29 - Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle.
* Section 36 - Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).
Data Protection Act 1998 - Offences
The Act details a number of civil and criminal offences for which data controllers may be liable if a data controller has failed to gain appropriate consent from a data subject. However, 'consent' is not specifically defined in the Act; consent is therefore a common law matter.
* Sub-section 21(1) - This sub-section makes it an offence to process personal information without registration. (Data Protection Act 1998, Part III (Notification by Data Controllers), Section 21, http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_4#pt3-l1g21, Office of Public Sector Information)
* Sub-section 21(2) - This sub-section makes it an offence to fail to comply with the notification regulations (http://www.legislation.gov.uk/uksi/2000/188/made) made by the Secretary of State (proposed by the Information Commissioner under section 25 of the Act; Data Protection Act 1998, Part III (Notification by Data Controllers), Section 25, http://www.legislation.gov.uk/ukpga/1998/29/section/25).
* Section 55 - Unlawful obtaining of personal data. This section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data. (Data Protection Act 1998, Part VI (Miscellaneous and General), Section 55, http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_7#pt6-pb2-l1g55, Office of Public Sector Information, accessed 14 September 2007)
* Section 56 - This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes of recruitment, continued employment, or the provision of services. (Data Protection Act 1998, Part VI (Miscellaneous and General), Section 56, http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_7#pt6-pb3-l1g56, Office of Public Sector Information, accessed 14 September 2007) This was brought into effect by the Data Protection Act 1998 (Commencement No
Data Protection Act 1998 - Complexity
Some hide behind the Act and refuse to provide even very basic, publicly available material, quoting the Act as a restriction. (Data Protection myths and realities, Information Commissioner's Office, http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/data_protection_myths_and_realities.pdf, accessed 30 August 2008) The Act also impacts the way in which organisations conduct business in terms of who can be contacted for marketing purposes, not only by telephone and direct mail but also electronically, and has led to the development of permission-based marketing strategies.
Data Protection Act 1998 - Definition of personal data
The definition of personal data is data which relates to a living individual who can be identified
Sensitive personal data concerns the subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record.
Data Protection Act 1998 - Subject access
Personal data which is normally held for under 40 days may be legitimately denied in subject access requests under the Act.
Data Protection Act 1998 - Regulation
Compliance with the Act is regulated and enforced by an independent authority, the Information Commissioner's Office, which maintains guidance relating to the Act. Full details can be found at http://www.ico.gov.uk (Guidance - The Data Protection Act, Page of Assorted Guidance, http://www.ico.gov.uk/what_we_cover/data_protection/guidance.aspx, Information Commissioner's Office, accessed 20 October 2007).
Data protection
'Information privacy', or 'data privacy (or data protection)', is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
Privacy concerns exist wherever personally identifiable information is collected and stored – in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. Data privacy issues can arise in response to information from a wide range of sources, such as:
* Criminal justice investigations and proceedings
* Biological traits, such as genetic material
* Residence and geographic records
The challenge in data privacy is to share data while protecting personally identifiable information. The fields of data security and information security design and utilize software, hardware and human resources to address this issue. As the laws and regulations related to data protection are constantly changing, it is important to keep abreast of any changes in the law and continually reassess your compliance with data privacy and security regulations. (Robert Hasty, Dr Trevor W. Nagel and Mariam Subjally, Data Protection Law in the USA, Advocates for International Development, August 2013, http://a4id.org/sites/default/files/user/Data%20Protection%20Law%20in%20the%20USA_0.pdf)
Data protection - Information types
Various types of personal information often come under privacy concerns.
Data protection - Cable television
The ability to control what information one reveals about oneself over cable television, and who can access that information
Data protection - Financial
Information about a person's financial transactions, including the amount of assets, positions held in stocks or funds, outstanding debts, and purchases can be sensitive.
Data protection - Locational
As location tracking capabilities of mobile devices are increasing (location-based services), problems related to user privacy arise.
Data protection - Political
Political privacy has been a concern since voting systems emerged in ancient times. The secret ballot is the simplest and most widespread measure to ensure that political views are not known to anyone other than the voter themself—it is nearly universal in modern democracy, and considered to be a basic right of citizenship. In fact, even where other rights of privacy do not exist, this type of privacy very often does.
Data protection - Educational
In the United Kingdom, in 2012 the Education Secretary Michael Gove described the National Pupil Database as a rich dataset whose value could be maximised by making it more openly accessible, including to private companies.
Data protection - Legality
The legal protection of the right to privacy in general - and of data privacy in particular - varies greatly around the world.
There is a significant challenge for organizations that hold sensitive data to achieve and maintain compliance with so many regulations that have relevance to information privacy.
Orange (UK) - Data protection
In 2007 Orange was found to be in breach of the Data Protection Act 1998 by the Information Commissioner's Office (ICO) after complaints from customers about the use of their personal information. Orange has since agreed to reinforce the requirements of the Act.
R1Soft Continuous Data Protection
Continuous Data Protection can restore previously captured disk images to another disk, effectively replicating the structure and contents to a new disk.
R1Soft Continuous Data Protection - Supported File Systems
File systems supported by the software (http://www.r1soft.com/linux-cdp/cdp-enterprise-edition/sys-req/):
* Linux Swap
R1Soft Continuous Data Protection - Limitations
R1Soft CDP Enterprise Edition 3.0 can only store up to 64 TB of backup data per protected disk or volume. (http://www.r1soft.com/windows-cdp/cdp-30-enterprise-edition/features/industrial-strength-storage/)
Continuous data protection
'Continuous data protection' (CDP), also called 'continuous backup' or 'real-time backup', refers to backup of computer data by automatically saving a copy of every change made to that data, essentially capturing every version of the data that the user saves.
CDP runs as a service that captures changes to data to a separate storage location. There are multiple methods for capturing the continuous changes involving different technologies that serve different needs. CDP-based solutions can provide fine granularities of restorable objects ranging from crash-consistent images to logical objects such as files, mail boxes, messages, and database files and logs.
Continuous data protection - Differences from traditional backup
Continuous data protection has no backup schedules.
Continuous data protection - Continuous vs near continuous
Such schemes are not universally recognized as true continuous data protection, as they do not provide the ability to restore to any point in time.
Continuous data protection - Differences from RAID, replication or mirroring
Continuous data protection differs from RAID, replication, or mirroring in that these technologies only protect one copy of the data (the most recent). If data becomes corrupted in a way that is not immediately detected, these technologies simply protect the corrupted data.
Continuous data protection protects against some effects of data corruption by allowing restoration of a previous, uncorrupted version of the data. Transactions that took place between the corrupting event and the restoration are lost, however. They could be recovered through other means, such as journaling.
Continuous data protection - Backup disk size
In some situations, continuous data protection requires less space on backup media (usually disk) than traditional backup. Most continuous data protection solutions save byte- or block-level differences rather than file-level differences. This means that if you change one byte of a 100 GB file, only the changed byte or block is backed up. Traditional incremental and differential backups make copies of entire files.
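The block-level differencing and point-in-time restore described above, as an added Python model that is not any vendor's code: each save records only the blocks that differ from the previous version, and any earlier version (for instance the last uncorrupted one) is rebuilt by replaying the deltas. The 4-byte block size and the sample record are constructed so the changed block is visible.

```python
from typing import Dict, List

BLOCK_SIZE = 4  # constructed, tiny block size so changes are visible; real products use far larger blocks


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Cut data into fixed-size blocks; the last block may be shorter."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


class BlockLevelCdp:
    """Toy continuous-data-protection store for one file. Every save() records only
    the blocks that changed since the previous save (plus the new length), and any
    version can be restored by replaying the deltas in order."""

    def __init__(self, block_size: int = BLOCK_SIZE):
        self.block_size = block_size
        self.deltas: List[Dict[int, bytes]] = []  # per version: changed block index -> block content
        self.lengths: List[int] = []              # per version: file length in bytes
        self._current: List[bytes] = []           # blocks of the most recently saved version

    def save(self, data: bytes) -> int:
        """Capture a new version; returns its version number (0 for the first save)."""
        new_blocks = split_blocks(data, self.block_size)
        delta = {
            i: blk
            for i, blk in enumerate(new_blocks)
            if i >= len(self._current) or self._current[i] != blk
        }
        self.deltas.append(delta)
        self.lengths.append(len(data))
        self._current = new_blocks
        return len(self.deltas) - 1

    def restore(self, version: int) -> bytes:
        """Rebuild the file exactly as it was at `version` by replaying deltas 0..version."""
        if not 0 <= version < len(self.deltas):
            raise IndexError(f"no such version: {version}")
        blocks: Dict[int, bytes] = {}
        for delta in self.deltas[: version + 1]:
            blocks.update(delta)
        length = self.lengths[version]
        block_count = (length + self.block_size - 1) // self.block_size
        return b"".join(blocks[i] for i in range(block_count))[:length]

    def stored_bytes(self) -> int:
        """Backup media actually consumed: only the changed blocks, across all versions."""
        return sum(len(blk) for delta in self.deltas for blk in delta.values())

    def full_copy_bytes(self) -> int:
        """What a file-level scheme that copies the whole changed file each time would use."""
        return sum(self.lengths)


def demo() -> dict:
    """Constructed scenario: a good record, then a silent corruption of one field.
    The corruption is captured like any other change, and the earlier version is
    restored from the block deltas."""
    cdp = BlockLevelCdp()
    good = b"ACCOUNT=0042;BALANCE=100.00"
    corrupted = b"ACCOUNT=0042;BALANCE=999.00"  # one field silently altered
    v_good = cdp.save(good)
    v_bad = cdp.save(corrupted)
    return {
        "changed_blocks_in_v1": sorted(cdp.deltas[v_bad]),  # [5]: only the "=100" block
        "stored_bytes": cdp.stored_bytes(),                 # 27 + 4
        "full_copy_bytes": cdp.full_copy_bytes(),           # 27 + 27
        "restored_good": cdp.restore(v_good),
        "restored_latest": cdp.restore(v_bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value!r}")
```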
Continuous data protection - Risks and disadvantages
The protection afforded by continuous data protection is often heralded without consideration of the disadvantages and challenges that it can present.
Biometric passport - Data protection
Biometric passports are equipped with protection mechanisms to avoid and/or detect attacks:
* Non-traceable chip characteristics. Random chip identifiers reply to each request with a different chip number. This prevents tracing of passport chips. Using random identification numbers is optional.
* Basic Access Control (BAC). BAC protects the communication channel between the chip and the reader by encrypting transmitted information. Before data can be read from a chip, the reader needs to provide a key which is derived from the Machine Readable Zone: the date of birth, the date of expiry and the document number. If BAC is used, an attacker cannot (easily) eavesdrop transferred information without knowing the correct key. Using BAC is optional.
* Passive Authentication (PA)
* Active Authentication (AA). AA prevents cloning of passport chips. The chip contains a private key that cannot be read or copied, but its existence can easily be proven. Using AA is optional.
* Extended Access Control (EAC). EAC adds functionality to check the authenticity of both the chip (chip authentication) and the reader (terminal authentication). Furthermore, it uses stronger encryption than BAC. EAC is typically used to protect fingerprints and iris scans. Using EAC is optional. In the EU, using EAC is mandatory for all documents issued starting 28 June 2009.
* Shielding the chip. This prevents unauthorized reading. Some countries – including at least the US – have integrated a very thin metal mesh into the passport's cover to act as a shield when the passport cover is closed. The use of shielding is optional.
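The "key derived from the Machine Readable Zone" that BAC relies on, as an added Python example (not code from the original page): it computes the ICAO 9303 check digits, the MRZ information string, K_seed, and the parity-adjusted 3DES keys K_enc and K_mac that the reader must present. The sample document number and dates are the ones used in the worked example of ICAO Doc 9303, so the output can be checked against the standard; only the standard library is used.

```python
import hashlib

# Sample MRZ fields taken from the ICAO Doc 9303 worked example (constructed input here).
SAMPLE_DOCUMENT_NUMBER = "L898902C<"   # 9 characters, '<' is the filler
SAMPLE_DATE_OF_BIRTH = "690806"        # YYMMDD
SAMPLE_DATE_OF_EXPIRY = "940623"       # YYMMDD


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating; digits count as their value,
    letters A-Z as 10-35 and the filler '<' as 0; the result is the sum modulo 10."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return str(total % 10)


def mrz_information(document_number: str, date_of_birth: str, date_of_expiry: str) -> str:
    """The 'MRZ information' string: document number, date of birth and date of expiry,
    each immediately followed by its own check digit."""
    return "".join(
        field + mrz_check_digit(field)
        for field in (document_number, date_of_birth, date_of_expiry)
    )


def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (DES key convention): the low bit is set so that
    the total number of one bits in the byte is odd."""
    adjusted = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        parity_bit = 0 if ones_in_upper_bits % 2 == 1 else 1
        adjusted.append((b & 0xFE) | parity_bit)
    return bytes(adjusted)


def derive_3des_key(k_seed: bytes, counter: int) -> bytes:
    """ICAO 9303 key derivation: SHA-1(K_seed || counter), counter as a 32-bit big-endian
    integer (1 for the encryption key, 2 for the MAC key); the first 16 bytes of the
    digest are the two-key 3DES key after parity adjustment."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def derive_bac_keys(document_number: str, date_of_birth: str, date_of_expiry: str) -> dict:
    """Derive the BAC keys from the three MRZ fields. K_seed is the first 16 bytes of
    SHA-1 over the MRZ information; K_enc and K_mac are derived from K_seed. Every bit
    of key material therefore comes from data printed on the passport's data page,
    which is exactly the property the BAC access condition is built on."""
    info = mrz_information(document_number, date_of_birth, date_of_expiry)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {
        "mrz_information": info,
        "k_seed": k_seed.hex(),
        "k_enc": derive_3des_key(k_seed, 1).hex(),
        "k_mac": derive_3des_key(k_seed, 2).hex(),
    }


if __name__ == "__main__":
    keys = derive_bac_keys(SAMPLE_DOCUMENT_NUMBER, SAMPLE_DATE_OF_BIRTH, SAMPLE_DATE_OF_EXPIRY)
    for name, value in keys.items():
        print(f"{name:16} {value}")
```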
Quantum Corporation - Virtualization and Cloud Data Protection Products 2011–present
Two months after its June 2011 acquisition of Pancetera Software, Quantum announced a new product line called vmPRO, software and appliances for protecting virtual machine (VM) data. (Press release announcing vmPRO, http://phx.corporate-ir.net/phoenix.zhtml?c=69905p=irol-newsArticleID=1600998highlight=) vmPRO software works with DXi appliances and users' existing backup applications to integrate VM backup and recovery into their existing data protection processes.
vmPRO appliances are complete solutions that include both backup software and storage to retain months of data. A high-speed backup utility writes data directly to disk and leverages deduplication for long-term retention. The appliances also include a capacity-on-demand feature – pre-loaded capacity that can be activated with a licensing key.
The Quantum vmPRO 4000 won the “Backup Hardware Product of the Year” award in the Storage magazine/SearchStorage.com 2011 Products of the Year competition. (SearchStorage Article, http://searchstorage.techtarget.com/feature/Quantum-Corp-vmPRO-4000-appliance) It was also named “Storage Virtualisation Product of the Year” at the 2011 Storage, Virtualisation and Cloud Computing (SVC) Awards. (2012 SVC Award Winners, http://searchstorage.techtarget.com/feature/Quantum-Corp-vmPRO-4000-appliance)
In March 2012, Quantum announced that its vmPRO technology and DXi V1000 virtual appliance had been selected by Xerox as a key component of Xerox's cloud backup and disaster recovery (DR) services. (eWeek Article, http://www.eweek.com/c/a/Data-Storage/Quantum-Releases-DXi-V1000-Virtual-Deduplication-Appliance-846394/)
In August 2012, Quantum announced Q-Cloud, its own branded cloud-based data protection service, which is also based on vmPRO and DXi technology. Q-Cloud provides backup of both physical and virtual infrastructures for capacities ranging from 1 TB up to 1 PB of protected data. (Computer Technology Article, http://www.eweek.com/c/a/Data-Storage/Quantum-Releases-DXi-V1000-Virtual-Deduplication-Appliance-846394/)
Data Protection API
In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.
For nearly all cryptosystems, one of the most difficult challenges is key management - in part, how to securely store the decryption key.
The DPAPI keys used for encrypting the user's RSA keys are stored under %APPDATA%\Microsoft\Protect\{SID}, where {SID} is the security identifier of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys. It usually is 64 bytes of random data.
Though the DPAPI internals are largely undocumented by Microsoft, Elie Bursztein and Jean-Michel Picod presented an analysis of the protocol titled Reversing DPAPI and Stealing Windows Secrets Offline at Black Hat DC 2010 (http://www.blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html). In addition to their briefing, Bursztein and Picod released DPAPIck (http://www.dpapick.com), which allows offline decryption of data encrypted with DPAPI.
Data Protection API - Security properties
DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns ciphertext (or vice versa).
DPAPI security relies upon the Windows operating system's ability to protect the Master Key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials.
Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use DPAPI.
Data Protection API - Use of DPAPI by Microsoft software
While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows.
* Internet Information Services for SSL/TLS
* Windows 2000 and later for EAP/TLS (VPN authentication) and 802.1x (WiFi authentication)
* Windows XP and later for Stored User Names and Passwords (aka Credential Manager) (http://technet.microsoft.com/en-us/library/bb457059.aspx)
* .NET Framework 2.0 and later for System.Security.Cryptography.ProtectedData (http://msdn2.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx)
Data Protection Act 1984
The Act defines eight 'data protection principles'.
Data Protection Act 1984 - Subject rights
* View the data an organisation holds on them. A 'subject access request' can be obtained for a nominal fee. As of January 2014, the maximum fee is £2 for requests to credit reference agencies, £50 for health and educational requests, and £10 per individual otherwise.
Data Protection Act 1984 - Consent
Additionally, consent should be appropriate to the age and capacity of the individual and other circumstances of the case.
Data Protection Act 1984 - Exceptions
* Section 28 – National security. Any processing for the purpose of safeguarding national security is exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data).
* Section 29 – Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle.
System Center Data Protection Manager
'System Center Data Protection Manager (DPM)' is a software product from Microsoft that provides near-continuous data protection and data recovery in a Microsoft Windows environment. It is part of the Microsoft System Center family of products and is Microsoft's first entry into near-continuous backup and data recovery. It uses Shadow Copy technology for continuous backups.
System Center Data Protection Manager - Overview
Data Protection Manager delivers centralized backup of branch offices and within the data center, by near-continuously protecting changed files at the byte level to a secondary disk, which can then be backed up to tape. This also enables rapid and reliable recovery from an easily accessible disk instead of waiting to locate and mount tapes.
Data Protection Manager 2006 was released on September 27, 2005 at Storage Decisions in New York. The current version, Data Protection Manager 2012, supports protection of Windows file servers, Exchange Server, Microsoft SQL Server, SharePoint and Microsoft Virtual Server. It features bare-metal restore.
System Center Data Protection Manager - Supported systems
The following versions of the servers are supported:
General Data Protection Regulation
1 It was welcomed by the Danish Minister of Justice in his capacity as
sitting president of the EU Justice and Home Affairs
Council.[http://eu2012.dk/en/NewsList/Januar/week-4/data-protection
Statement on the European Commission’s proposals for new EU
Data Protection rules]
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Summary
1 [http://www.mlawgroup.de/news/publications/detail.php?
we_objectID=227 New draft European data protection regime]
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Summary
1 Note: The current version contains increased fines up to 5 %.
[http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-
inofficial-consolidated-LIBE.pdf Inofficial consolidated version GDPR].
Rapporteur Jan Philipp Albrecht. Retrieved 9 December 2013.
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Content
1 The proposal for the European Data Protection Regulation contains the
following key changes:[http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf Proposal for
the EU General Data Protection Regulation]. European Commission.
25 January 2012. Retrieved 3 January 2013.https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Scope
1 [http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en
European Commission’s press release announcing the proposed
comprehensive reform of data protection rules]
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Single Set of Rules
1 One single set of rules applies to all EU member states and there will be one 'Single Data Protection Authority (DPA)' responsible for each company depending on where the Company is
based or which DPA it chooses. A European Data Protection Board will
coordinate the DPAs.
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Single Set of Rules
1 There is an exception for employee data that still might be subject to
individual country regulations.
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Responsibility Accountability
1 The notice requirements remain and are expanded. They must include the retention time for personal data and
contact information for data controller and data protection officer
has to be provided.
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Responsibility Accountability
1 'Privacy by Design' and by Default (Article 23) require that data
protection is designed into the development of business processes
for products and services.
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Responsibility Accountability
1 'Data Protection Impact Assessments' (Article 33) have to be conducted when specific risks
occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and a prior approval of the DPA for high risks. 'Data Protection Officers' (Articles
35-37) are to ensure compliance within organizations. They have to be appointed for
all public authorities and for companies processing more than 5000 data subjects
within 12 months.
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Consent
1 Data controllers must be able to prove consent (opt-in) and consent
may be withdrawn.[https://www.privacyassoc
iation.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf How
the Proposed EU Data Protection Regulation Is Creating a Ripple Effect
Worldwide]
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Data breaches
1 The data controller has to notify the DPA without undue delay and, where feasible, not later than 72 hours after
having become aware of the data breach (Article 31). Individuals have
to be notified if adverse impact is determined (Article 32).
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Sanctions
1 * regular periodic data protection audits
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Sanctions
1 * a fine up to 100 000 000 EUR or up to 5% of the annual worldwide
turnover in case of an enterprise, whichever is greater
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Right to be Forgotten
1 Personal data has to be deleted when the individual withdraws consent or the data is no longer necessary and there is no legitimate reason for an organization to keep it. (Article 17)
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Data Portability
1 A user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to
another processing system.
https://store.theartofservice.com/the-data-protection-toolkit.html
General Data Protection Regulation - Timeline
The preliminary schedule is [http://www.janalbrecht.eu/themen/datenschutz-und-netzpolitik/alles-wichtige-zur-datenschutzreform.html Important facts regarding the GDPR (German language)]. Jan Philipp Albrecht. Retrieved 23 July 2013.
* 21 October 2013: European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote.
* Ongoing negotiations between European Parliament, Council and Commission (Trilogue)
General Data Protection Regulation - Discussion Challenges
The proposal for the new regulation is not final yet and discussions are controversial. Amendments have been proposed. [http://lobbyplag.eu/map Overview of amendments]. LobbyPlag. Retrieved 23 July 2013.
The single set of rules and the removal of administrative requirements are supposed to save money. But critics point out some issues:
* The requirement to have a Data Protection Officer (DPO) is new for many EU countries and criticized by some for its administrative burden.
* The GDPR was developed with a focus on social networks and cloud providers, but did not consider requirements for handling employee data sufficiently.
* Data Portability is not seen as a key aspect for data protection, but more a functional requirement for social networks and cloud providers.
* Language and staffing challenges for the Data Protection Authorities (DPA):
  * Non-European companies might prefer the UK / Irish DPA because of the English language. This will require extensive resources in those countries.
  * EU citizens no longer have a single DPA to contact for their concerns, but have to deal with the DPA the company chose. Communication problems due to foreign languages have to be expected.
* The new regulation conflicts with other non-European laws, regulations and practices (e.g. surveillance by governments). Companies in such countries should not be acceptable for processing EU personal data anymore.
  * The European Commission and DPAs have to provide sufficient resources and power to enforce the implementation, and a uniform level of data protection has to be agreed upon by all European DPAs, since a different interpretation of the regulation might still lead to different levels of privacy.
  * The implementation of the EU GDPR will require comprehensive changes of business practices for companies that did not implement a comparable level of privacy until now (especially non-European companies handling EU personal data).
  * There is already a lack of privacy experts and knowledge as of today, and new requirements might worsen the situation. Therefore, education in data protection and privacy will be a critical factor for the success of the GDPR.
General Data Protection Regulation - Change Management
1. The proposed changes to the European Data Protection Regulation will affect you if you have:
   * European employees, partners, offices, etc.
2. Take your time to go through the changes of the GDPR and identify new requirements.
3. Determine what risks to privacy need real protection, considering your:
   * Business situation (like reputation, customer satisfaction)
News site
Online newspapers are much like hard-copy newspapers and have the same legal boundaries: laws regarding libel, privacy and copyright ([http://www.copyrightservice.co.uk/copyright/p01_uk_copyright_law UK Copyright Law] info website) also apply to online publications in most countries, as in the UK. Also in the UK, the Data Protection Act applies to online newspapers and news pages ([http://www.legislation.gov.uk/ukpga/1998/29 Data Protection Act 1998]), as do the Press Complaints Commission (PCC) rules. But the distinction was not very clear to the public in the UK as to what was a blog or forum site and what was an online newspaper. In 2007, a ruling was passed to formally regulate UK based online newspapers, news audio and news video websites, covering the responsibilities expected of them and clearing up what is, and what isn't, an online publication. See [http://www.journalism.co.uk/news/story3152.shtml Journalism Mag.] and also the PCC [http://www.pcc.org.uk/news/index.html?articleNDMyMQ1 website] and the AOP (UK Association of Online Publishers).
Orange UK - Data protection
In 2007 Orange was found to be in breach of the Data Protection Act 1998 by the Information Commissioner's Office (ICO) after complaints from customers about the use of their personal information.
Off-site data protection
In computing, 'off-site data protection', or 'vaulting', is the strategy of sending critical data out of the main location (off the main site) as part of a disaster recovery plan.
Although some organizations manage and store their own off-site backups, many choose to have their backups managed and stored by third parties who specialize in the commercial protection of off-site data.
Off-site data protection - Data vaults
The storage of off-site data is also known as vaulting, as backups are stored in purpose built vaults. There are no generally recognized standards for the type of structure which constitutes a vault. That said, commercial vaults typically fit into three categories:
* Underground vaults - often converted defunct cold war military or communications facilities, or even disused mines.
* Insulated chambers sharing facilities - often implemented within existing record center buildings.
Off-site data protection - Hybrid on site and off-site vaulting
Hybrid on-site and off-site data vaulting, sometimes known as Hybrid Online Backup, involves a combination of local backup for fast backup and restore, along with off-site backup for protection against local disasters. According to Liran Eshel, CEO of CTERA Networks, this ensures that the most recent data is available locally in the event of need for recovery, while archived data that is needed much less often is stored in the cloud.
Off-site data protection - Hybrid on site and off-site vaulting
Hybrid Online Backup works by storing data to local disk so that the backup can be captured at high speed, and then either the backup software or a D2D2C (Disk to Disk to Cloud) appliance, a cloud storage gateway, encrypts and transmits the data to a service provider.
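As an added illustration of the D2D2C flow just described (not code from the page, from CTERA, or from any backup product), the following Go program keeps a fast plaintext copy on local disk and ships only an AES-GCM sealed copy to the off-site side. HybridVault, its two directories and the key that stays on the local side are assumed names for this illustration; the service provider is simulated by a second directory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"os"
	"path/filepath"
)

// HybridVault models the D2D2C flow described above: a fast local copy on
// disk, then an encrypted copy shipped off-site. Assumed names for this
// illustration; the off-site "provider" is simply a second directory.
type HybridVault struct {
	LocalDir, RemoteDir string
	Key                 []byte // 32-byte AES-256 key; never leaves the local site
}

func (v *HybridVault) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup writes the plaintext locally (fast restore path) and an AES-GCM
// sealed copy off-site. The object name is bound as associated data so a
// ciphertext cannot be silently swapped for another object at the provider.
func (v *HybridVault) Backup(name string, data []byte) error {
	if err := os.WriteFile(filepath.Join(v.LocalDir, name), data, 0o600); err != nil {
		return err
	}
	aead, err := v.gcm()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := aead.Seal(nonce, nonce, data, []byte(name))
	return os.WriteFile(filepath.Join(v.RemoteDir, name+".enc"), sealed, 0o600)
}

// Restore prefers the local copy; after a local disaster it falls back to
// the off-site copy, which fails closed on truncation or tampering.
func (v *HybridVault) Restore(name string) ([]byte, error) {
	if data, err := os.ReadFile(filepath.Join(v.LocalDir, name)); err == nil {
		return data, nil
	}
	sealed, err := os.ReadFile(filepath.Join(v.RemoteDir, name+".enc"))
	if err != nil {
		return nil, err
	}
	aead, err := v.gcm()
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("off-site object truncated")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}
```

Because the provider only ever holds sealed objects, a compromise of the off-site side exposes neither the backup contents nor a way to alter them undetected.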
Off-site data protection - Hybrid on site and off-site vaulting
Note: See also Comparison of online backup services for a list of online backup services that support Hybrid Online Backups.
Off-site data protection - Statutory obligations
Data protection statutes are usually non-prescriptive within the commercial IT arena in how data is to be protected, but they increasingly require the active protection of data. United States Federal entities have specific requirements as defined by the U.S. National Institute of Standards and Technology (NIST). NIST documentation can be obtained at http://csrc.nist.gov/publications/PubsSPs.html, and commercial agencies have the option of using these documents for compliance requirements.
Off-site data protection - Statutory obligations
* History - today's regulatory requirements started with the Rainbow Series. Every organization has used these standards to develop their version of compliance. Don't get wrapped around the NIC on compliance: use Due Care, apply Due Diligence and base your infrastructure on SECURITY as the foundation.
Off-site data protection - Statutory obligations
Statutes which mandate the protection of data are:
* Federal Information Security Management Act of 2002 (FISMA) - US
* GAO Federal Information System Controls Audit Manual (FISCAM) - US
* Health Insurance Portability and Accountability Act (HIPAA) - US
* Basel II - International - US
* Data Protection Act 1998 - UK
* Foreign Corrupt Practices Act (FCPA) - US
Off-site data protection - Legal precedents
* Thomas F. LINNEN, et als v. A.H. ROBINS COMPANY, INC., et als (Mass. Super. Court, No. 97-2307).
* Linnen v. Robins, 1999 WL 462015, 10 Mass. L.Rptr. 189 (Mass. Super. Court, 1999).
List of European Union directives - Privacy and data protection
* Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (95/46/EC, 24 October 1995)
* Directive on a Community framework for electronic signatures (1999/93/EC, 13 December 1999) [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:NOT on EUR-Lex]
* Directive on Privacy and Electronic Communications (2002/58/EC, 12 July 2002) [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT on EUR-Lex]
* Directive 2009/136/EC (25 November 2009) [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:01:EN:HTML on EUR-Lex], was COD/2007/0248 in the Telecoms Package, amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
National data protection authority
'National data protection authorities' are authorities tasked with the protection of data and privacy in the European Union and the European Free Trade Association (EFTA) member countries. Their status was formalized by the Data Protection Directive and they were involved in the Madrid Resolution.
National data protection authority - EU countries
* France: the Commission nationale de l'informatique et des libertés
* United Kingdom: the Information Commissioner's Office
National data protection authority - Third countries
* Australia: the Office of the Australian Information Commissioner
* Isle of Man: the Office of the Data Protection Supervisor
Right to be forgotten - European Data Protection Regulation
The 2012 European Data Protection Regulation Article 17 details the right to be forgotten and to erasure.
The EU General Data Protection Regulation requires that data controllers who have been informed that an individual has requested the deletion of any links to or copies of information take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data that a data subject requests them to erase any links to, or copy or replication of, that personal data.
The European Parliament is expected to adopt the proposals in first reading in the April 2013 Plenary session.
The European Union is a highly influential body, and this movement towards the right to be forgotten in the EU is a step towards its global recognition as a right. To support this, in 2012 the Obama Administration released a Privacy Bill of Rights to protect consumers online, and while this is not quite the strength of the EU law, it is a step towards recognition of the right to be forgotten.
Data Protection Commissioner
It is the national data protection authority for Ireland.
In the UK, this function is carried out by the Information Commissioner.
Michael Gove - Children's Homes Scandal and Data Protection Rules
In September 2013 news that the DfE did not maintain a register of Children's Homes in the UK came to light as a result of an article Gove wrote for the Daily Telegraph. Gove asserted his prior ignorance and surprise that the department did not hold this information and claimed that Ofsted was prevented by 'data protection' rules, 'child protection' concerns and other bewildering regulations from sharing that data with us, or even with the police.
Gove's claim was refuted the same day by the Information Commissioner, Christopher Graham, who pointed out there was nothing in data protection legislation that prevents vulnerable young people from being properly protected in care homes. Graham noted that "[t]his law covers information about people so it has no bearing on the disclosure of non-personal information like the location of care homes", and said he would be writing to both Gove and Michael Wilshaw about the matter.
Office of the Data Protection Supervisor
The office was originally created as the Isle of Man Data Protection Registrar by the Data Protection Act 1986.
The Carphone Warehouse - Data protection
During 2005, TalkTalk's proactive sales techniques drew criticism in the press when it was accused of practising slamming to win new customers.
Customers who bought mobile phones from Carphone Warehouse retail outlets alleged that their landline accounts were subsequently switched without their consent.
On 15 August 2006, the Information Commissioner's Office issued Preliminary Enforcement Notices for breaches of PECR (The Privacy and Electronic Communications Regulations) against Carphone Warehouse and TalkTalk for making marketing calls to people who are signed up to the Telephone Preference Service (TPS) or people who have asked that the company make no further calls to them.
On 28 October 2006, in a Times interview, Richard Thomas, Britain's Information Commissioner, stated: "We're taking action against some of the telecom companies, Talk Talk and Carphone Warehouse".
Sabine Leutheusser-Schnarrenberger - On data protection
to tell state data protection officials about the kind of data the company was gathering on individual iPhone users in Germany. Kevin J
For More Information, Visit:
• https://store.theartofservice.com/the-data-protection-toolkit.html
The Art of Service: https://store.theartofservice.com