
Data Security and Cryptology, XV
Legal Aspects of Data Security. Personal Data Protection
December 9th, 2015
Valdo Praust, [email protected]
Lecture course at the Estonian IT College, autumn 2015

Phases of Security Management, I
1. Developing the IT security policy
2. Determining roles and responsibilities inside the organization
3. Risk management, including defining the protectable assets, threats, vulnerabilities and risks, and choosing the principles of the applicable safeguards

Phases of Security Management, II
4. Determining the principles of contingency planning and disaster recovery
5. Choosing and implementing the safeguards (carrying out a security plan)
6. Implementing a security awareness program
7. Follow-up activities (maintenance, monitoring, incident handling etc.)

Why Do We Need an IT Security Policy?
Main reason: protection of (IT) assets usually needs systematic and coordinated activity across all branches (divisions) of the organization, and the corresponding agreements have to be made.
NB! The IT security policy isn't a "playground" only for IT specialists; it is the result (agreement) of a set of different specialists, called the security forum.
IT specialists know only their narrow field: they can answer the question "how to secure" but usually cannot answer the question "why to secure".

Mandatory Participants for Developing the IT Security Policy
... or members of the IT Security Forum:
• business management
• audit
• finance
• information systems (both technicians and users)
• utilities/infrastructure (i.e. persons responsible for building structure and accommodation, power, air-conditioning etc.)
• personnel
• general (physical) security

Important Elements of an IT Security Policy
• must provide general objectives for all assets, achieving consistency
• must clearly define the relationship between the security policy, the IT policy and the marketing policy
• must clearly determine how security problems will be solved in different areas and for different data (detailed risk analysis, baseline approach etc.)
• must clearly determine responsibilities and duties

Organisational Aspects of Security Management
Roles and responsibilities (mandatory):
• IT Security Forum
• IT Security Officer
Consistent methodology:
• covering all lifecycle stages of the IT system
• obeying standards

Roles of the IT Security Officer
• oversight of the implementation of the IT security program
• liaison with and reporting to the IT security forum and the corporate security officer
• maintaining the corporate IT security policy and directives
• coordinating incident investigations
• managing the corporate-wide security awareness program
• determining the terms of reference for IT project and system security officers (where such roles exist)

IT Security Plan, I
The IT security plan is a document which determines the concrete activities and responsibilities for realizing all necessary safeguards. It must include:
• the general security architecture and solution
• an overview of the compliance of the IT system with the necessary security goals
• an assessment of the residual risks expected and accepted after implementing the identified safeguards

IT Security Plan, II
Must include (continued):
• an estimate of the installation and running costs of these safeguards
• a list of the activities necessary for implementing the determined safeguards
• a detailed working plan for implementing the safeguards, with responsibilities, schedule, budget and priorities
• a list of the necessary follow-up activities

Implementing the Safeguards
The IT security officer is responsible for implementing the safeguards. It must always be ensured that:
• the cost of the safeguards remains within the predetermined (agreed) limits
• the safeguards are implemented and installed correctly, according to the information security plan (and policy)
• the safeguards are used (maintained) correctly, according to the information security plan (and policy)

Confirmation of the Safeguards
When all safeguards are implemented, the set of safeguards has to be confirmed (officially, by a formal act).
Only after the safeguards have been confirmed can the information system be taken into use.
NB! Any essential modification of the IT system always needs re-inspection, re-testing and re-validation of security (re-validation and/or changing of the safeguards, sometimes also of the security policy and plan).

Follow-up Activities (After Development)
• maintenance (hooldus)
• security compliance checking (turbe vastavuse kontroll)
• monitoring (turvaseire)
• incident handling (intsidendihaldus)
• change management (muutuste haldus)

Incident Handling
Main reasons for incident investigation:
• it gives us feedback and forms a basis for a rational and effective incident response
• it allows us to learn from incidents in order to avoid them in the future
Incident analysis must always be documented (and discussed afterwards), covering the following aspects:
• What happened, and when?
• Did the staff follow the plan?
• Did the staff have the necessary information at the right time?
• What should have been done differently?

Change Management
Covers all changed activities, features, objects etc.:
• new procedures
• new properties
• software updates
• hardware revisions
• new users, including external groups or anonymous groups
• additional networking and interconnections

Main Legal Acts Regulating Data Security in Estonia
• Personal Data Protection Act: regulates the processing of personal data
• Public Information Act: regulates the databases of the public sector, including the security standard ISKE and the secure data exchange layer X-road (X-tee)
• Digital Signature Act: regulates the components of the PKI necessary for the successful operation of digital signatures

Public Information Act
The aim of the Public Information Act (avaliku teabe seadus) is to ensure that the public and every person has the opportunity to access information intended for public use, based on the principles of a democratic and social rule of law and an open society, and to create opportunities for the public to monitor the performance of public duties.
It also regulates the topics concerning public sector databases (avaliku sektori andmekogud), including the principles of establishment (asutamine) and management of these databases and their supervision (järelevalve).
Earlier there was a separate Databases Act (andmekogude seadus) in Estonia. Its subject matter is now included in the Public Information Act.

(Legal) Database
A (legal) database (andmekogu) is a structured body of data processed within an information system of the state, a local government or another person in public law, or of a person in private law performing public duties, which is established and used for the performance of functions provided in an Act, in legislation issued on the basis thereof or in an international agreement.
A (legal) database (andmekogu) is thus a (technical) database (andmebaas) with the necessary administrative and legal components added.

Chief and Authorized Processor
The chief processor or administrator of a database (andmekogu vastutav töötleja) is the state or local government agency which organizes the putting into service and maintenance of the database and the processing of its data. The chief processor of a database is responsible for the legality of the administration of the database and for developing the database.
The chief processor of a database may authorize, within the extent determined by the chief processor, another state or local government agency, a legal person in public law or, based on a procurement contract or a contract under public law, a person in private law to perform the tasks of processing the data and housing the database. This subject is called an authorized processor (volitatud töötleja).

Chief and Authorized Processor (continued)
An authorized processor is required to comply with the instructions of the chief processor in the processing of data and housing of the database, and shall ensure the security of the database.
The chief processor of a database shall organize the establishment and administration of the central technological environment of a database established for the performance of tasks imposed on or delegated to a local government by the state.
The chief and the authorized processor may or may not be the same body. There may be several different authorized processors of one database, but only one chief processor.

State Information System
The State Information System (riigi infosüsteem) consists of databases which are interfaced with the data exchange layer of the state information system and registered in the administration system of the state information system, and of the systems supporting the maintenance of the databases.
The following support systems for the maintenance of databases shall be established by a Regulation of the Government of the Republic:
• the classifications system
• the geodetic system
• the address data system
• the system of security measures for information systems
• the data exchange layer of information systems (X-road, X-tee)
• the administration system of the state information system

X-Road Project: Essence
The data exchange layer of the State Information System (X-road, X-tee) is a platform-independent secure standard interface between databases and information systems, used to connect the databases and information systems of the public sector.
Technically it consists of the X-road central system and a TLS-based secure data exchange protocol.
In effect it can be considered a special case of a VPN structure which is controlled and managed by the state.

Why Set Restrictions on Personal Data Processing?
In order to protect the privacy of persons: the contemporary digital and networked world allows very fast, complex searches across different databases, including details that reflect the privacy of persons. Because we are no longer able to protect these details technically, we must protect them legally.
In the paper-document world (before the 1990s) a potential violation of privacy was not a problem, because data processing was very expensive and inconvenient and needed a lot of resources.

Strasbourg Convention as the Basis of Personal Data Protection
• January 28th, 1981, ETS 108
• The purpose of the convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").
• It has also been ratified by the Estonian Parliament (RT II, 2001, 1, 3).
• It was the real starting point of any personal data protection activity in Europe.

European Directive 95/46/EC
• Full name: "Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data"
• Adopted by the European Parliament and the Council on October 24th, 1995
• Provides the good practice of personal data protection in Europe, including Estonia, which has transposed it by means of the Estonian Personal Data Protection Act

Personal Data Protection Act
The aim of this Act is to protect the fundamental rights and freedoms of natural persons upon the processing of personal data, above all the right to inviolability of private life.
• Sets a number of limitations, conditions and obligations on the processing of personal data
• The first version of the Act was adopted in 1996
• Since January 1st, 2008 the 3rd version of the Act has been in force; the 2nd version was in force between 2003 and 2007
• Different versions of the Act number their paragraphs differently (the numbers do not coincide)

Application of the Personal Data Protection Act
The following are excluded from the scope of the Act:
• processing of personal data by natural persons for personal purposes
• transmission of personal data through Estonian territory without any other processing of such data in Estonia
The Act applies to criminal proceedings and court procedure with the specifications provided by procedural law.

Essence of Personal Data
Personal data (isikuandmed) are any data concerning an identified or identifiable natural person, regardless of the form or format in which such data exist.
Personal data are thus all data about a person whenever the person can be uniquely identified from them.

Processing of Personal Data
Processing of personal data (isikuandmete töötlemine) is any act performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting of access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data, or several of the aforementioned operations, regardless of the manner in which the operations are carried out or the means used.
NB! Take into account that processing is not only the changing of data: merely reading or storing the data is already processing.

Classification of Personal Data
The Estonian Personal Data Protection Act divides all personal data into two main categories with different conditions of protection:
• sensitive personal data (delikaatsed isikuandmed)
• other (ordinary) personal data
The 2nd version of the Act also defined private personal data (eraelulised isikuandmed) as an additional class (the current version does not).

Sensitive Personal Data, I
Sensitive personal data are:
• data revealing political opinions or religious or philosophical beliefs, except data relating to membership of a legal person in private law registered pursuant to the procedure provided by law
• data revealing ethnic or racial origin
• data on the state of health or disability
• data on genetic information

Sensitive Personal Data, II
Sensitive personal data are (continued):
• biometric data (above all fingerprints, palm prints, eye iris images and genetic data)
• information on sex life
• information on trade union membership
• information concerning the commission of an offence or falling victim to an offence, before a public court hearing, the making of a decision in the matter of the offence or the termination of the court proceeding in the matter

Principles of Processing Personal Data, I
1. Principle of legality: personal data shall be collected only in an honest and legal manner
2. Principle of purposefulness: personal data shall be collected only for the achievement of determined and lawful objectives, and shall not be processed in a manner not conforming to the objectives of data processing
3. Principle of minimalism: personal data shall be collected only to the extent necessary for the achievement of the determined purposes

Principles of Processing Personal Data, II
4. Principle of restricted use: personal data shall be used for other purposes only with the consent of the data subject or with the permission of a competent authority
5. Principle of data quality: personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing

Principles of Processing Personal Data, III
6. Principle of security: security measures shall be applied in order to protect personal data from involuntary or unauthorised processing, disclosure or destruction
7. Principle of individual participation: the data subject shall be notified of the data collected concerning him or her, shall be granted access to the data concerning him or her, and has the right to demand the correction of inaccurate or misleading data

Processor(s) of Personal Data
A processor (chief processor, vastutav töötleja) of personal data is a natural or legal person, a branch of a foreign company, or a state or local government agency who processes personal data or on whose assignment personal data are processed.
• A processor of personal data shall determine the purposes of processing of personal data, the categories of personal data to be processed, the procedure for and manner of processing personal data, and permission for communication of personal data to third persons
• A processor of personal data (hereinafter chief processor) may authorise, by an administrative act or contract, another person or agency (hereinafter authorized processor, volitatud töötleja) to process personal data, unless otherwise prescribed by an Act or regulation

Different Subjects
• The processor or chief processor of personal data (isikuandmete (vastutav) töötleja) is the person or agency who processes personal data or on whose assignment they are processed, and who determines the purposes and conditions of the processing
• The authorized processor of personal data (isikuandmete volitatud töötleja) is a person or authority who technically processes personal data on commission of the chief processor
• The data subject (andmesubjekt) is the person whose data are processed
• All other subjects are third persons (kolmandad isikud)

Permission for Processing Personal Data
General rule: personal data may be processed only with the consent of the data subject.
An administrative authority shall process personal data only in the course of performance of public duties, in order to perform obligations prescribed by law, an international agreement or directly applicable legislation of the Council of the European Union or the European Commission.

Consent of the Data Subject, I
1. The declaration of intention of a data subject whereby the person permits the processing of his or her personal data (hereinafter consent) is valid only if it is based on the free will of the data subject. The consent shall clearly determine the data for the processing of which permission is given, the purpose of the processing of the data, the persons to whom communication of the data is permitted, the conditions for communicating the data to third persons, and the rights of the data subject concerning further processing of his or her personal data. Silence or inactivity shall not be deemed to be consent. Consent may be partial and conditional.
2. Consent shall be given in a format which can be reproduced in writing, unless adherence to such formality is not possible due to a specific manner of data processing. If the consent is given together with another declaration of intention, the consent of the person must be clearly distinguishable.

Consent of the Data Subject, II
3. Before obtaining a data subject's consent for the processing of personal data, the processor of personal data shall notify the data subject of the name of the processor of the personal data or of his or her representative, and of the address and other contact details of the processor. If the personal data are to be processed by a chief processor and an authorised processor, then the names of the chief processor and the authorised processor or of their representatives, and the address and other contact details of both, shall be communicated or made available.
4. For processing sensitive personal data, it must be explained to the person that the data to be processed are sensitive personal data, and the data subject's consent shall be obtained in a format which can be reproduced in writing.

Consent of the Data Subject, III
5. A data subject has the right to prohibit, at all times, the processing of data concerning him or her for the purposes of research of consumer habits or direct marketing, and the communication of data to third persons who intend to use such data for the research of consumer habits or direct marketing.
6. The consent of a data subject shall remain valid during the lifetime of the data subject and for thirty years after the death of the data subject, unless the data subject has decided otherwise.
7. Consent may be withdrawn by the data subject at any time. Withdrawal of consent has no retroactive effect. The provisions of the General Principles of the Civil Code Act concerning declarations of intention shall additionally apply to consent.
8. In the case of a dispute it shall be presumed that the data subject has not granted consent for the processing of his or her personal data. The burden of proof of the consent of a data subject lies on the processor of personal data.

Processing of Personal Data for the Needs of Scientific Research or Official Statistics, I
• Data concerning a data subject may be processed without the consent of the data subject for the needs of scientific research or official statistics only in coded form
• Before handing over data for processing for the needs of scientific research or official statistics, the data allowing a person to be identified shall be substituted by a code
• Decoding, and the possibility to decode, is permitted only for the needs of additional scientific research or official statistics
• The processor of the personal data shall appoint a specific person who has access to the information allowing decoding
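How the "coded form" requirement can be met in practice, as an added illustration that is not part of the lecture: the identifying fields are replaced by a keyed pseudonym, the released set carries only the code and the research attributes, and the decoding table stays with the appointed person. The record layout, field names and sample values below are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people and values), as they might
# sit in a register before release to a research project.
RECORDS = [
    {"personal_code": "38001010001", "name": "A. Tamm", "diagnosis": "J45", "birth_year": 1980},
    {"personal_code": "49203030002", "name": "B. Kask", "diagnosis": "E11", "birth_year": 1992},
    {"personal_code": "38001010001", "name": "A. Tamm", "diagnosis": "I10", "birth_year": 1980},
]

# Fields that identify the person directly; everything else is released.
IDENTIFYING_FIELDS = ("personal_code", "name")


def make_code(personal_code: str, key: bytes) -> str:
    """Keyed pseudonym for one person.

    HMAC-SHA256 rather than a bare SHA-256: personal codes have a small,
    structured value space, so an unkeyed hash could be reversed by hashing
    every possible code.  With the key held only by the appointed person the
    researcher can neither recompute nor invert the pseudonym, while records
    of the same person still share a code and stay linkable for statistics."""
    if len(key) < 32:
        raise ValueError("decoding key must be at least 32 bytes")
    return hmac.new(key, personal_code.encode(), hashlib.sha256).hexdigest()[:16]


def encode_for_research(records, key: bytes):
    """Return (coded_records, decoding_table).

    coded_records carry no direct identifiers and are what the researcher
    receives; decoding_table maps code -> personal code and is kept, together
    with the key, by the one person appointed to have decoding access."""
    coded = []
    decoding_table = {}
    for rec in records:
        code = make_code(rec["personal_code"], key)
        decoding_table[code] = rec["personal_code"]
        released = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        coded.append({"code": code, **released})
    return coded, decoding_table


def contains_identifiers(coded_records) -> bool:
    """Release check: True if any direct identifier slipped into the output."""
    return any(f in rec for rec in coded_records for f in IDENTIFYING_FIELDS)


def decode(code: str, decoding_table) -> str:
    """Re-identification, permitted only for additional research or official
    statistics and only by the appointed key holder."""
    return decoding_table[code]
```

The code is deterministic for a given key, so every batch that has to stay linkable must be coded with the same key; a fresh key per study deliberately breaks linkage between studies. The pseudonym by itself authorises nothing: the control the Act asks for is that the key and the decoding table are reachable only by the appointed person.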

Processing of Personal Data for the Needs of Scientific Research or Official Statistics, II
Processing of personal data for scientific research or official statistics purposes without the consent of the data subject is permitted if the processor of the personal data has taken sufficient organisational, physical and information technology security measures for the protection of the personal data, has registered the processing of sensitive personal data, and the Data Protection Inspectorate has verified, before the commencement of the processing of the personal data, compliance with the requirements set out in this section and, if an ethics committee has been founded based on law in the corresponding area, has also heard the opinion of such committee.

Registration of the Processing of Sensitive Personal Data
If a processor of personal data has not appointed a person responsible for the protection of personal data, the processor is required to register the processing of sensitive personal data with the Data Protection Inspectorate. The registration application must be submitted at least one month before the start of processing sensitive personal data. An important part of it is the description of the applied safeguards.
If a person responsible for the protection of personal data has been appointed, registration is not mandatory.

Rights of the Data Subject, I
A data subject has the right to obtain from the processor of personal data the personal data relating to him or her, together with the following information:
• the personal data concerning the data subject
• the purposes of the processing of personal data
• the categories and source of the personal data
• the third persons or categories thereof to whom transfer of the personal data is permitted
• the third persons to whom the personal data of the data subject have been transferred
• the name of the processor of the personal data or of the representative

Rights of the Data Subject, II
The rights of a data subject to receive information and personal data concerning him or her upon the processing of the personal data shall be restricted if this may:
• damage the rights and freedoms of other persons
• endanger the protection of the confidentiality of the filiation of a child
• hinder the prevention of a criminal offence or the apprehension of a criminal offender
• complicate the ascertainment of the truth in a criminal proceeding
A processor of personal data shall inform the data subject of the decision to refuse to release information or personal data.

Security Demands on the Processing Environment
A processor of personal data is required to take organisational, physical and information technology security measures (safeguards) to protect personal data:
• against accidental or intentional unauthorised alteration of the data (integrity of data)
• against accidental or intentional destruction and prevention of access to the data by entitled persons (availability of data)
• against unauthorised processing (confidentiality of the data)

Most Important Technical Demands
The processor of personal data must:
• prevent access of unauthorised persons to equipment used for processing personal data
• prevent unauthorised reading, copying and alteration of data within the data processing system, and unauthorised transfer of data carriers
• prevent unauthorised recording, alteration and deletion of personal data, and ensure that it is subsequently possible to determine when, by whom and which personal data were recorded, altered or deleted, and when, by whom and which data were accessed in the data processing system
• ensure the existence of information concerning the transmission of data (when, to whom and which personal data were transmitted) and ensure the preservation of such data in an unaltered state
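The third and fourth demands amount to an audit trail that records when, by whom and which personal data were recorded, altered, deleted, accessed or transmitted, and that cannot itself be silently changed. The following added example (not from the lecture) shows one way to build such a trail in Python: every entry carries those fields plus the SHA-256 hash of the previous entry, so a later edit of a stored entry is detected when the chain is recomputed. Actor names, subject identifiers, field names and the operation vocabulary are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
# Operation vocabulary chosen for the example, mirroring the Act's list.
OPERATIONS = {"access", "record", "alter", "delete", "transmit"}


def _canonical(entry: dict) -> bytes:
    # Fixed key order and separators so every verifier hashes the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only, hash-chained record of operations on personal data."""

    def __init__(self):
        self.entries = []

    def append(self, actor, operation, subject, fields, recipient=None, at=None):
        """Record one operation.  `subject` identifies the data subject,
        `fields` the personal data items touched, `recipient` the party the
        data were transmitted to (mandatory for 'transmit')."""
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        if operation == "transmit" and not recipient:
            raise ValueError("transmit requires a recipient")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "operation": operation,
            "subject": subject,
            "fields": sorted(fields),
            "recipient": recipient,
            "prev": prev,
        }
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> int:
        """Recompute the chain; return the index of the first entry whose
        content or link does not match, or -1 if the whole log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or body["prev"] != prev
                    or hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]):
                return i
            prev = entry["hash"]
        return -1

    def history(self, subject):
        """Answer the Act's question for one data subject: when, who, what."""
        return [(e["at"], e["actor"], e["operation"], e["fields"], e["recipient"])
                for e in self.entries if e["subject"] == subject]
```

A hash chain only detects tampering; it neither prevents it nor notices that the most recent entries were cut off, and whoever can rewrite the stored log can rebuild the chain from the altered entry onward. The head hash therefore has to be anchored where the writer cannot reach (periodic copies to a system under different administrative control, or a write-once medium); that anchoring is outside the snippet. The log entries are themselves personal data and need the same access control as the data they describe.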

Personal Data versus ISKE: Confidentiality
The Personal Data Protection Act determines the set of persons who may access (process) personal data.
Compared with the security class and subclass definitions of ISKE, this corresponds to confidentiality subclass S2 for sensitive personal data. For ordinary personal data it is reasonable to use confidentiality subclass S1.

Personal Data versus ISKE: Integrity
The Personal Data Protection Act states that "personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing" and requires the processor to "prevent unauthorised recording, alteration and deleting of personal data and to ensure that it be subsequently possible to determine when, by whom and which personal data were recorded, altered or deleted or when, by whom and which data were accessed in the data processing system".
This corresponds to the definition of ISKE integrity subclass T2.

Two Typical Demands on a Public-Sector Database
... that must usually both be satisfied together in one database:
1. to ensure that all public data have web output (according to the Public Information Act)
2. to ensure the confidentiality of personal data (according to the Personal Data Protection Act)
Technically these data are often stored in the same database tables, in neighbouring fields or attributes.
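One way to satisfy both demands on a single table is to let the web front end read only a view that projects the public columns, so that the personal columns stored beside them never enter the publication path. The example below is added here and is not from the lecture; the register, its column names and its rows are constructed, and it uses SQLite, which has no per-user grants, so in a production DBMS the web account would additionally be granted SELECT on the view only.

```python
import sqlite3

# Hypothetical business register: public company facts beside the board
# member's personal data, in the same row, as the slide describes.
PUBLIC_COLUMNS = ("registry_code", "company_name", "status")
PERSONAL_COLUMNS = ("board_member_name", "board_member_personal_code", "home_address")


def build_register() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE companies (%s)" % ", ".join(PUBLIC_COLUMNS + PERSONAL_COLUMNS))
    # Constructed rows with fictitious values.
    conn.executemany(
        "INSERT INTO companies VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("10000001", "Näidis OÜ", "active", "A. Tamm", "38001010001", "Pikk 1, Tallinn"),
            ("10000002", "Proov AS", "liquidated", "B. Kask", "49203030002", "Lai 2, Tartu"),
        ],
    )
    # The only object the publication code is allowed to name.
    conn.execute("CREATE VIEW companies_public AS SELECT %s FROM companies"
                 % ", ".join(PUBLIC_COLUMNS))
    return conn


def _rows(cur) -> list:
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def unsafe_web_export(conn) -> list:
    """The mistake: publishing the table itself.  SELECT * carries the
    personal columns out together with the public ones."""
    return _rows(conn.execute("SELECT * FROM companies ORDER BY registry_code"))


def web_export(conn) -> list:
    """Publication path reads the view, so personal columns added to the
    table later stay unpublished too unless someone changes the view."""
    return _rows(conn.execute("SELECT * FROM companies_public ORDER BY registry_code"))


def leaked_personal_fields(rows) -> list:
    """Release check for an export: which personal columns appear at all."""
    return sorted({k for r in rows for k in r if k in PERSONAL_COLUMNS})
```

The view is the minimum separation; it is stronger still when the personal columns live in a table the web account cannot see at all, and when every export is checked the way leaked_personal_fields does before it goes live, since the two kinds of data sit one attribute apart and a single careless query joins them.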