Tag Archives: Data Protection

UK’s ICO Data Protection Act

The UK Data Protection Act, enforced by the Information Commissioner’s Office (ICO), regulates the use of personal data held by commercial and non-commercial organisations, as well as individuals. Such data may have been acquired for many different reasons, and compliance is expected in every case. The ICO is a self-regulating authority created to uphold information rights and protect personal privacy.

Basic Interpretative Provisions

The Data Protection Act defines “Data” as “information which—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68,

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)”.

The Data Protection Act further defines “Personal Data” as “data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.

“Sensitive Personal Data” is further explained here:

According to The Data Protection Act, “Sensitive Personal Data” means personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The ICO has already levied penalties under the Data Protection Act for data breaches. The size of the fines shows that the ICO is very serious about enforcing the act. It continues to monitor violations and regulate the provisions of the act across the entire UK. For that reason, if you are a UK-based organisation engaged in a service that involves collecting information or data of any sort, you need to pay special attention to compliance under the act in order to avoid penalties and legal suits. It must be noted that compliance with the Data Protection Act is not optional, but mandatory.

 

Cloud Computing: Data Protection in Healthcare Industry

Whenever news of a data breach or the failure of a cloud system appears in the media, it can seem as if the cloud is not a reliable means of data protection. In fact, not all clouds are created equal; they are built for different purposes. Some clouds are developed specifically to hold sensitive information. Companies cannot avoid the cloud. Keep in mind that each cloud is designed for a specific purpose, so it is in your interest to find the right cloud solution for the right function.

 

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is basically a set of rules that controls the design, transmission and right to use electronic protected health information (ePHI). In other words, HIPAA protects the sensitive health information of patients. Health care providers require a secure system for HIPAA compliance. The cloud is one of the best and quickest ways to meet such demands.

 

If you are an IT provider, you must know two significant factors before serving clients in the healthcare industry:

 

1/ Protection and Right of Access

Replicating data and transferring it to the cloud is quite an easy job. What matters most is the level of security. What kind of safeguards are provided to customers to protect offsite data? Keep in mind that covered entities require access to facilities and information systems. Make certain that data is encrypted at all times, in flight and at rest. Remember that not all service providers offer such encryption. If your objective is to secure ePHI, choose the right cloud service provider. The healthcare industry needs to select service providers that can encrypt data whether it is in transit, onsite or at the data centre location. Physical access to the system is another notable factor to consider. The selected data centre should provide digital and physical safeguards to prevent unauthorized access.

 

2/ System for Backup and Disaster Recovery

CFR 164.308 confirms that disaster recovery and backup plans are basic requirements for Covered Entities. The cloud gives companies a long-lasting benefit, because an offsite backup is easy to recover if onsite backup data cannot be recovered. Many clouds are developed to make the recovery process fast and easy, which is important for HIPAA compliance. Covered Entities are required to operate in emergency conditions and to have data backups available for immediate recovery. Clouds developed to handle all these issues are ideal for IT providers.

 

No doubt, the cloud is a dependable way to handle some aspects of HIPAA; however, it does not cover all aspects. For some IT providers, HIPAA is nothing more than a mess. However, the fact is that HIPAA is based on rules intended to provide the highest level of security standards.

 

Any system working through private or public cloud can suffer a disaster at any time. Cloud service providers must use a meticulous approach for data protection by making use of technologies, such as malware protection tools, and encryption systems. The healthcare industry must have local disaster recovery and offsite data recovery plans for HIPAA compliance.

 

Facts about RAID & Strategies for Data Protection

A redundant array of independent disks (RAID) stores data on multiple hard disks to improve performance. RAID is considered one of the best solutions available for protecting valuable data. Whether implemented in software or hardware, RAID tolerates a single disk failure; however, RAID is not a perfect system for ongoing data security.

 

RAID level 1 works by keeping two disks that store the same data. If one disk fails, clients can use the data from the other disk. The drawback of RAID is that it cannot verify which disk is corrupted, and so it is unable to inform the system. If the failure is not noticed, the system will keep on working and copying data from the corrupted drive to the good drive. As a result, this shortcoming of RAID creates further problems. In an IT environment, data security is obligatory for business continuity. Disaster can occur at any time due to machine or human errors. Some of the causes are as follows:

  • Power outages
  • Improper shutdown
  • Virus infection
  • System freezes
  • Bad disk sectors
  • Hard drive failure
  • Improper eject before disconnecting storage devices

 

RAID Levels

RAID is available in various formats. When a higher level is selected, it gives more satisfactory results than the previous levels. Compared to other levels, RAID 5 is known for reliable swapping and great performance. By using RAID 5, companies can take corrupted arrays out of NAS devices and servers at any time without switching off the system. RAID 6 has a dual-parity design, which can protect data even if two disk drives are corrupted. In spite of these parity features, RAID cannot be considered a perfect system for data protection.

 

Strategies for System Protection

If it is your priority to select RAID, you need to protect your system by following these strategies:

 

Apply Disconnection and Shutdown Procedure

Train workers to disconnect storage devices and shut down the system properly. They must know that not following this procedure could lead to data corruption.

 

UPS System

To cope with issues such as brownouts, surges and power outages, you must have an Uninterruptible Power Supply (UPS) that can work without any outage. If the electrical source is not available, the UPS works as a backup system for data protection.

 

Handle Issues Immediately

If there are problems in your system, restarting the system does not necessarily solve the issues. Instead, troubleshoot to determine the actual problems and solve the issues instantly.

 

Safe Surfing

The online world contains malicious content which can affect the performance of your system. If you do not follow a safe surfing strategy, malevolent websites could corrupt your data.

 

BDR Strategy

Backup and Disaster Recovery (BDR) planning gives assurance of data protection even if a hard disk fails. A system without a backup and recovery plan is always at risk.

RAID Recovery Solution

If your organization suffers because of corrupted data, there are chances to recover lost data by repairing the damaged disks. RAID recovery software rebuilds damaged arrays in configurations, software and hardware. For data security, companies can get data recovery software in commercial, as well as free versions. Perform the proper research and search online to select the right software for resurrecting the damaged data.

Data Backup: The Impact of Failed Backups

Data backup is becoming an ever more important component of a data protection solution as the frequency of attacks increases and the sophistication of the attacks used by cyber criminals improves. Companies also have to cope with rapid increases in the data kept on their systems, which increases the chances of employees deleting critical data. This could have unprecedented financial results for the company and a damaging impact on the company’s reputation.

A survey that was conducted by CFI Software concluded that many of the participating IT administrators had been unable to restore critical business data such as financial data and emails. Within the survey, the IT administrators revealed that not being able to restore such information because of failed backups has affected customer relations, business operations and brand reputation.

One of the key reasons why the participating IT administrators had been unable to recover the required data was that they do not run backups on a daily basis. Over 50% of the participants revealed that they do not carry out daily backups, with 32% of respondents citing the reason that it isn’t an efficient use of their time. This statistic suggests that nearly a third of participating IT administrators do not consider backing up critical business data on a daily basis a priority. This is quite concerning considering the impact that being unable to restore data has had on the companies.

The results of the survey also revealed that half of the respondents wished their current backup method was faster and more efficient. This reflects the findings on why so many IT administrators are reluctant to back up critical data on a daily basis. It cannot be considered a reason why critical business data isn’t being backed up daily, as there are now automated solutions that can be scheduled to run on a daily basis with no human intervention. In addition, backup providers offer fully managed services and so take over the running of the backups for the company.

Companies of all sizes need a robust backup solution in place that backs up their critical business data on a daily basis. Not being able to recover critical data because a backup hasn’t been scheduled to run or because it failed can have an unprecedented impact on the company. Depending on the backup solution that is utilised, a number of the key constraints detailed in the survey are dealt with and therefore they cannot be used as an excuse when the data cannot be restored.

Do you back up your business data on a daily basis? Do you have any problems with your current backup method?

Data Protection: how much do you value your data?

Within recent weeks, there have been two data loss incidents which have been widely reported, from a large national oil company who have suffered from a cyber-attack to an individual who lost everything as hackers managed to gain access to his iCloud account. It is now imperative that if you value your data, you will do your all to ensure that it is appropriately protected.

The world’s largest oil firm, Saudi Aramco, was successfully targeted by the hacking group The Cutting Sword of Justice. They used a computer virus known as Shamoon to cause the damage, which resulted in 30,000 workstations being affected.

All the affected workstations have now been fully restored and added back onto the internal network. Although it took a bit longer for the website to be brought back online and for the email service to return to full working order, the impact of this data loss was significantly reduced by the data protection measures that were in place.

This attack demonstrates the importance of adequately protecting your data, be it business data which, if lost, could have a detrimental impact on your company, or personal data such as family photographs which are priceless. Keeping only one copy of your data is becoming less secure as each day passes, and it can cost thousands of pounds to recover your data if it hasn’t been properly backed up.

This was shown when stories were published about Matt Honan’s data loss experience after his iCloud account was hacked. The hackers wiped his iPad, iPhone and MacBook. Honan had to pay for the services of a data recovery specialist, who managed to recover around 75% of the deleted contents, but this came at a cost.

Honan stated, “The bottom line is that I have all my photos and all the home movies I’ve shot. Every one of them. And seemingly all of my most important documents as well. That felt like a miracle. The bill for all this? $1,690. Data doesn’t come cheap.”

At the end of the day, it comes down to how much you value your data. There are several ways to back up your data, from USB hard drives and tape to independent cloud backup services. Given the vast range of products available, there is a solution out there which will protect your data and save you time and money in the event of a disaster.

Do you value your data? Do you protect your data?

Data Protection by Design

The newly proposed EU data laws could mean companies face fines worth up to 2% of their annual turnover.

These regulations are a revamp of those outlined in 1995 and will have far-reaching effects on the way in which public sector bodies process personal information.

The new rules include a “right to be forgotten” and a strong obligation for organisations to report data loss as soon as possible.

The commissioner argued that by simplifying the current set of rules, businesses could expect to save $2bn a year.

Viviane Reding, the Justice Commissioner, had this to say:

“My proposals will help build trust in online services because people will be better informed about their rights and more in control of their information.”

The new laws are predicted to be hugely beneficial to SMEs, as stated by Le Bail, Director General of the Commission’s Justice. This is down to them removing much of the red tape which accompanies the old data regime.

One thing which is hugely emphasised by new EU regulation is Protection by Design. Modern privacy strategy has to be strategic, combining people, regulation and understanding.

When considering whether to upgrade certain services there are many safe harbour considerations to take into account such as not moving data out of the EU.

“Modern CIOs have to create security by design if they want to do their job properly. We don’t have to convince people, either; security is absolutely core working culture,” stated Kurt Frary, ICT manager at Norfolk county council.
