Computer and Data Security Laws and Regulations --short most basic version-- Nicolas T. Courtois - University College of London.

CompSec COMPGA01 Nicolas T. Courtois, December
Is Privacy Universal?
A Western concept, not easy to translate into a foreign language. Italian: "la privacy". Yet the right to privacy was proclaimed by the United Nations in 1948: no one voted against, but the Soviet Bloc, South Africa and Saudi Arabia abstained.
Article 12 of the Universal Declaration of Human Rights: No one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks.

Concept of Privacy [UK]
The Calcutt Committee in the United Kingdom was satisfied that "it would be possible to define it legally" and adopted this definition: the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.
This brings us to two types of privacy:
- Physical privacy: the human body and intimate life, personal belongings; freedom from intrusion, searches and seizures.
- Informational privacy: about the collection and sharing of data about ourselves. Data about us: religion, sexual orientation, political affiliations, personal activities, etc. Data about our actions: location data, what we buy, what we do, say and write, who we voted for, what we search for with Google, etc.

EU and Data Privacy
1950: European Convention on Human Rights (ECHR). Article 8 provides a right to respect for one's "private and family life, his home and his correspondence".

Data Privacy and Confidentiality

EU and Data Protection
Directive 95/46/EU [1995]: to allow the free flow of personal data (only) between member states by harmonizing minimal information protection.
An organization must implement appropriate technical and organizational measures to protect personal data against:
- accidental or unlawful destruction
- accidental loss, alteration, unauthorized disclosure or access (this includes interception/eavesdropping over a network).

EU Data Protection Directive 95/46/EU [1995]
Enforced by the laws of each EU country, with a local "Data Protection Commissioner" in each country. Example: UK: Data Protection Act [1998], Information Commissioner's Office.

UK Data Protection Act
8 Principles. All data must be:
- processed fairly and lawfully
- obtained and used only for specified and lawful purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date
- kept for no longer than necessary
- processed in accordance with the data subject's rights
- kept secure
- transferred only to countries that offer adequate data protection
More details: tion_guide.aspx

Legal Safeguards and Deterrents

UK Law
The Fraud Act 2006 came into force in early. The Fraud Act introduces a general offence of fraud which can be committed by:
1. false representation (e.g. phishing)
2. failing to disclose information [e.g. on an ad/prospectus]
3. abuse of position [employee access, a carer for the elderly, ...]
It also closes a previous loophole: possession of software or data designed or adapted for use in [connection with] fraud.
Possession: up to 5 years [possession plus the intention that it be used in some way to defraud or cheat, even if used by somebody else].
Writing such software: up to 10 years. Maximum sentence: 10 years.

Data "Non-Privacy"

Correspondence
The content: good legal protection in most countries. In contrast, with less protection since September 11th: communications, where lawful interception is implemented and technology makes it easier and easier to intercept data illegally. Even less protection: traffic data (who talks to whom?).

Telecommunications and Data Retention

Data Retention
EU Directive 2006/04/EC. Obligatory to keep, for 6-24 months, the data needed to:
- trace and identify the source of a communication;
- trace and identify the destination of a communication;
- identify the date, time and duration of a communication;
- identify the type of communication;
- identify the communication device;
- identify the geographical location of mobile communication equipment.
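The retention regime above is a data-minimization problem for whoever operates the store: keep only the traffic-data categories listed, never the content, and discard records once the configured window has passed. The following Python is an added example written for this page, not code from the slides or from any regulator; the record field names, the approximation of a month as 30 days, and all sample events are constructed for illustration.

```python
"""Metadata-only retention store with a bounded retention window.

Added example (not from the original slides). It models the six traffic-data
categories the Data Retention slide lists as one record type and shows two
defender-side controls:
  1. message content is dropped at ingest and never reaches the store;
  2. records older than the configured window are pruned, and the window
     itself must lie inside the 6-24 month band the directive allows.
Field names, the 30-day month approximation and the sample events below are
constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, fields
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Mapping

# Assumption: a month is approximated as 30 days to express the 6-24 month band.
MIN_RETENTION_DAYS = 6 * 30
MAX_RETENTION_DAYS = 24 * 30


@dataclass(frozen=True)
class TrafficRecord:
    """Only the traffic-data categories from the directive; no content field."""
    source: str         # identifies the originating party
    destination: str    # identifies the receiving party
    start: datetime     # date and time of the communication (UTC)
    duration_s: int     # duration in seconds
    kind: str           # type of communication, e.g. "voice" or "email"
    device: str         # identifier of the communication device
    location: str       # geographical location of the mobile equipment


RETAINED_FIELDS = {f.name for f in fields(TrafficRecord)}


def to_traffic_record(event: Mapping[str, object]) -> TrafficRecord:
    """Build a metadata-only record from a raw event.

    Every key outside the directive's categories, in particular the message
    content, is discarded here, so it is never written to the retention store.
    """
    missing = RETAINED_FIELDS - set(event)
    if missing:
        raise ValueError(f"event lacks required traffic fields: {sorted(missing)}")
    start = event["start"]
    if not isinstance(start, datetime) or start.tzinfo is None:
        raise ValueError("start must be a timezone-aware datetime")
    return TrafficRecord(
        source=str(event["source"]),
        destination=str(event["destination"]),
        start=start,
        duration_s=int(event["duration_s"]),
        kind=str(event["kind"]),
        device=str(event["device"]),
        location=str(event["location"]),
    )


def is_valid_retention(days: int) -> bool:
    """True when the window lies inside the 6-24 month band."""
    return MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS


def prune_expired(records: Iterable[TrafficRecord], now: datetime,
                  retention_days: int) -> List[TrafficRecord]:
    """Return only the records still inside the retention window."""
    if not is_valid_retention(retention_days):
        raise ValueError(
            f"retention of {retention_days} days is outside "
            f"{MIN_RETENTION_DAYS}-{MAX_RETENTION_DAYS}")
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r.start >= cutoff]


# Constructed sample events; "content" stands for the message body or call audio.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"source": "sub-001", "destination": "sub-042", "start": NOW - timedelta(days=30),
     "duration_s": 95, "kind": "voice", "device": "dev-aaaa", "location": "cell-17",
     "content": "<call audio>"},
    {"source": "sub-007", "destination": "sub-001", "start": NOW - timedelta(days=400),
     "duration_s": 0, "kind": "email", "device": "dev-bbbb", "location": "cell-03",
     "content": "Quarterly figures attached"},
    {"source": "sub-042", "destination": "sub-099", "start": NOW - timedelta(days=800),
     "duration_s": 12, "kind": "voice", "device": "dev-cccc", "location": "cell-17",
     "content": "<call audio>"},
]


def retained_after(retention_days: int) -> List[TrafficRecord]:
    """Ingest the sample events metadata-only and prune with the given window."""
    records = [to_traffic_record(e) for e in SAMPLE_EVENTS]
    return prune_expired(records, NOW, retention_days)


if __name__ == "__main__":
    for rec in retained_after(365):
        print(rec)
```

Ingest-time stripping is the part that matters most: a store that never receives content cannot leak it, whereas a retention job that deletes content later leaves a window in which it is exposed.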

Retention

US: Publicly Traded Companies
Retention obligations: they must retain their email and Instant Messaging (IM) records, which may have to be produced in a lawsuit and/or a regulatory or financial audit...

UK: Your Employer
Retention? The Regulation of Investigatory Powers Act 2000 (RIPA) allows employers to log, intercept and/or record all forms of communications (for instance telephone calls as well as emails and the use of internet sites) in certain circumstances, regardless of whether the parties to the communication have consented to the interception or not. Only business communications, not personal.

All Good Reasons to Log/Record
- establish the existence of facts relevant to the business (which might include establishing the disputed facts of a conversation or exchange);
- ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business;
- ascertain or demonstrate standards which are, or ought to be, achieved by the person using the system (which could include quality control or staff training);
- prevent or detect crime;
- investigate or detect the unauthorized use of telecommunications systems;
- ensure the effective operation of the system.
Example given: the right to open an employee's account to access relevant business communications when a member of staff is off sick or away.
Caveat: only business communications, not personal. Monitoring (but not recording) is also authorized for the purpose of determining whether or not communications are relevant to the business.

Code of Practice
Code of practice: pdf
- it will usually be intrusive to monitor workers;
- workers have legitimate expectations of privacy for their private lives, and should also expect some degree of privacy in the workplace;
- if employers wish to monitor their workers, they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by the real benefits that will be delivered;
- workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified;
- in any event, workers' awareness will influence their expectations.

Types of Data

Types of Data
Regulators and companies frequently make a distinction between:
- Personal Data (name, address, family details, etc.): more related to privacy.
- Financial Data (account number, credit history, etc.): more related to security and fraud.

Personal Data: Underestimated Risk
Both types of data are used by criminals.

EU Data Protection Directive 95/46/EU [1995]
Gives a definition of personal data (Article 2(a)): any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Scope of "Personal Data"?
"any information relating to an identified or identifiable natural person ('data subject')". It seems that every piece of data is personal data??? A more precise notion [as appears in US standards, e.g. NIST] is Personally Identifiable Information (PII), defined as information that can be used to uniquely identify, contact, or locate a single person, or that can be used together with other sources to uniquely identify a single individual.

EU Directive - Protection
95/46/EU [1995]: must implement measures … to protect personal data against: unauthorized disclosure or access,