Data Security and Cryptology, XV

Legal Aspects of Data Security. Personal Data Protection

December 10th, 2014

Valdo Praust

[email protected]

Lecture Course in Estonian IT College, Autumn 2014

Phases of Security Management, I

1. Developing the IT security policy

2. Determining the roles and responsibilities inside the organization

3. Risk management, including defining the protectable assets, threats, vulnerabilities and risks, and choosing the principles of the applicable safeguards

Phases of Security Management, II

4. Determining the principles of contingency planning and disaster recovery

5. Choosing and implementing the safeguards (carrying out the security plan)

6. Implementing a security awareness program

7. Follow-up activities (maintenance, monitoring, incident handling, etc.)

Why Do We Need the IT Security Policy?

Main reason: protection of (IT) assets usually needs a systematic and coordinated activity across all branches (divisions) of the organization, and the corresponding agreements have to be made

NB! The IT security policy isn’t a “playground” only for IT specialists, but the result (agreement) of a set of different specialists called the security forum

IT specialists know only their narrow field: they can answer the question “how to secure” but usually can’t answer the question “why to secure”

Mandatory Participants for Developing IT Security Policy

... or members of the IT Security Forum:

• business management

• audit

• finance

• information systems (both technicians and users)

• utilities/infrastructure (i.e. persons responsible for building structure and accommodation, power, air-conditioning etc.)

• personnel

• general (physical) security

Important Elements of IT Security Policy

• must provide general objectives for all assets, achieving consistency

• must clearly define the relationship between the security policy, the IT policy and the marketing policy

• must clearly determine the ways in which security problems will be solved in different areas/data (detailed risk analysis, baseline approach etc.)

• must clearly determine responsibilities and duties

Organisation Aspects of Security Management

Roles and responsibilities (mandatory):

• IT Security Forum

• IT Security Officer

Consistent Methodology:

• Covering all lifecycle stages of the IT system

• Compliance with standards

Roles of IT Security Officer

• oversight of the implementation of the IT security program

• liaison with and reporting to the IT security forum and the corporate security officer

• maintaining the corporate IT security policy and directives

• coordinating incident investigations

• managing corporate-wide security awareness program

• determining the terms of reference for IT project and system security officers (if these systems exist)

IT Security Plan, I

The IT security plan is a document which determines the concrete activities and responsibilities for realizing all necessary safeguards

Must involve:

• general security architecture and solution

• an overview of the compliance of the IT system with the necessary security goals

• an assessment of the residual risks expected and accepted after implementing the safeguards identified

IT Security Plan, II

Must involve (continued):

• estimation of the installation and running costs of these safeguards

• list of activities necessary for implementing the determined safeguards

• a detailed working plan for implementing the safeguards with responsibilities, schedule, budget and priorities

• list of necessary follow-up activities

Implementing of Safeguards

Must always be taken into account:

• the cost of safeguards remains within pre-determined (agreed) limits

• safeguards are implemented and installed correctly, according to the information security plan (and policy)

• safeguards are used (maintained) correctly, according to the information security plan (and policy)

The IT security officer is responsible for implementing the safeguards

Confirmation of Safeguards

When all safeguards are implemented, it is necessary to confirm the set of safeguards (officially, by an act)

Only after the safeguards have been confirmed can the information system be taken into use

NB! Any essential modification of the IT system always needs re-inspection, re-testing and re-validation of security (re-validation and/or changing of safeguards, sometimes also of the security policy and plan)

Follow-up Activities (After Development)

• maintenance (hooldus)

• security compliance checking (turbe vastavuse kontroll)

• monitoring (turvaseire)

• incident handling (intsidendihaldus)

• change management (muutuste haldus)

Incident Handling

Main reasons for incident investigation:

• gives us feedback and forms a basis for a rational and effective incident response

• allows us to learn from incidents in order to avoid them in the future

Incident analysis must always be documented (and later discussed), including the following aspects:

• What happened and when?

• Did the staff follow the plan?

• Did the staff have the necessary information at the right time?

• What should have been done differently?

Change Management

Covers all new activities, features, objects etc.:

• new procedures

• new properties

• software updates

• hardware revisions

• new users to include external groups or anonymous groups

• additional networking and interconnection

Main Legal Acts Regulating Data Security in Estonia

• Personal Data Protection Act – regulates processing of personal data

• Public Information Act – regulates databases of public sector, including security standard ISKE and secure data exchange layer X-road (X-tee)

• Digital Signature Act – regulates components of PKI necessary for successful operating of digital signature

Public Information Act

Earlier there was a special Data Collection Act (andmekogude seadus) in Estonia. Now the topics of that act are included in the Public Information Act

The aim of the Public Information Act (avaliku teabe seadus) is to ensure that the public and every person has the opportunity to access information intended for public use, based on the principles of a democratic and social rule of law and an open society, and to create opportunities for the public to monitor the performance of public duties.

It also regulates the topics concerning public sector databases (avaliku sektori andmekogud), including the principles of establishment (asutamine) and management of these databases and their supervision (järelevalve)

(Legal) Database

A (legal) database (andmekogu) is a (technical) database (andmebaas) with the necessary added administrative and legal components

A (legal) database (andmekogu) is a structured body of data processed within an information system of the state, local government or other person in public law or person in private law performing public duties, which is established and used for the performance of functions provided in an Act, legislation issued on the basis thereof or an international agreement

Chief and Authorized Processor

The chief processor or administrator of a database (andmekogu vastutav töötleja) is the state or local government agency who organizes the putting into service and maintenance of the database, and the processing of data. The chief processor of a database is responsible for the legality of the administration of the database and for developing the database.

The chief processor of a database may authorize, within the extent determined by the chief processor, another state or local government agency, legal person in public law or, based on a procurement contract or a contract under public law, a person in private law to perform the tasks of processing of data and housing of the database. This subject is called an authorized processor (volitatud töötleja)

An authorized processor is required to comply with the instructions of the chief processor in the processing of data and housing of the database, and shall ensure the security of the database

The chief processor of a database shall organize the establishment and administration of the central technological environment of a database established for the performance of the tasks imposed on or delegated to a local government by the state.

The chief and authorized processor may or may not coincide. There may be several different authorized processors of one database, but only one chief processor

State Information System

The State Information System (riigi infosüsteem) consists of databases which are interfaced with the data exchange layer of the state information system and registered in the administration system of the state information system, and of the systems supporting the maintenance of the databases.

The following support systems for the maintenance of databases shall be established by a Regulation of the Government of the Republic:

• the classifications system

• the geodetic system

• the address data system

• the system of security measures for information systems

• the data exchange layer of information systems (X-road, X-tee)

• the administration system of the state information system

X-Road Project: Essence

The exchange layer of the State Information System (X-road, X-tee) is a platform-independent secure standard interface between databases and information systems, used to connect the databases and information systems of the public sector

Technically it consists of the X-road central system and a TLS-protocol-based secure data exchange protocol

Actually it can be considered a special case of a VPN structure which is controlled and managed by the state

Why Set Restrictions on Personal Data Processing?

In order to protect the privacy of persons: the contemporary digital and networked world allows very fast complex searching across different databases, including details reflecting the privacy of persons. Because we are no longer able to protect these details technically, we must protect them legally

In the paper-documents world (before the 1990s) a potential violation of privacy was not a problem, because data processing was very expensive and inconvenient and needed a lot of resources

Strasbourg Convention as a Basis of Personal Data Protection

• January 28th, 1981, ETS 108

• The purpose of the convention was to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").

• Also adopted by the Estonian Parliament (RT II, 2001, 1, 3)

• It was the real starting point of any personal data protection activity in Europe

European Directive 95/46/EC

• Full name: ”Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data”

• Adopted by the European Parliament and the European Council on October 24th, 1995

• Provides the good practice of personal data protection in Europe, including Estonia; it has been taken over by the Estonian national Personal Data Protection Act

Personal Data Protection Act

The aim of this Act is to protect the fundamental rights and freedoms of natural persons upon the processing of personal data, above all the right to inviolability of private life

• Sets a number of limitations, conditions and obligations on the processing of personal data

• The first version of the Act was adopted in 1996

• Since January 1st, 2008 the 3rd version of the Act is in force. The 2nd version was in force between 2003 and 2007

• Different versions of the Act have different numbering of paragraphs (they do not coincide)

Implementation of Personal Data Protection Act

The following are excluded from the scope of the Act:

• processing of personal data by natural persons for personal purposes

• transmission of personal data through the Estonian territory without any other processing of such data in Estonia

The Act applies to criminal proceedings and court procedure with the specifications provided by procedural law

Essence of Personal Data

Personal data (isikuandmed) are any data concerning an identified or identifiable natural person, regardless of the form or format in which such data exist

In short: personal data are all data about a person that make it possible to identify that person uniquely

Processing of Personal Data

Processing of personal data (isikuandmete töötlemine) is any act performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data or several of the aforementioned operations, regardless of the manner in which the operations are carried out or the means used

NB! Take into account that processing is not only the changing of data!

Classification of Personal Data

The Estonian Personal Data Protection Act divides all personal data into two main categories with different protection conditions:

• sensitive personal data (delikaatsed isikuandmed)

• other (ordinary) personal data

In the 2nd version of the Act, private personal data (eraelulised isikuandmed) were also defined as an additional class (this class no longer exists)

Sensitive Personal Data, I

Sensitive personal data are:

• data revealing political opinions or religious or philosophical beliefs, except data relating to being a member of a legal person in private law registered pursuant to the procedure provided by law

• data revealing ethnic or racial origin

• data on the state of health or disability

• data on genetic information

Sensitive Personal Data, II

Sensitive personal data are (continued):

• biometric data (above all fingerprints, palm prints, eye iris images and genetic data)

• information on sex life

• information on trade union membership

• information concerning commission of an offence or falling victim to an offence before a public court hearing, or making of a decision in the matter of the offence or termination of the court proceeding in the matter

Principles of Processing Personal Data, I

1. Principle of legality - personal data shall be collected only in an honest and legal manner

2. Principle of purposefulness - personal data shall be collected only for the achievement of determined and lawful objectives, and they shall not be processed in a manner not conforming to the objectives of data processing

3. Principle of minimalism - personal data shall be collected only to the extent necessary for the achievement of determined purposes

Principles of Processing Personal Data, II

4. Principle of restricted use - personal data shall be used for other purposes only with the consent of the data subject or with the permission of a competent authority

5. Principle of data quality - personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing

Principles of Processing Personal Data, III

6. Principle of security - security measures shall be applied in order to protect personal data from involuntary or unauthorised processing, disclosure or destruction

7. Principle of individual participation - the data subject shall be notified of data collected concerning him or her, the data subject shall be granted access to the data concerning him or her and the data subject has the right to demand the correction of inaccurate or misleading data

Processor(s) of Personal Data

A processor (chief processor, vastutav töötleja) of personal data is a natural or legal person, a branch of a foreign company or a state or local government agency who processes personal data or on whose assignment personal data are processed

• A processor of personal data shall determine the purposes of processing of personal data, the categories of personal data to be processed, the procedure for and manner of processing personal data and permission for communication of personal data to third persons

• A processor of personal data (hereinafter chief processor) may authorise, by an administrative act or contract, another person or agency (hereinafter authorized processor, volitatud töötleja) to process personal data, unless otherwise prescribed by an Act or regulation

Different Subjects

• Processor or chief processor of personal data (isikuandmete (vastutav) töötleja) is a processor of personal data

• Authorized processor of personal data (isikuandmete volitatud töötleja) is a person or authority who technically processes personal data on commission of a chief processor

• Data subject (andmesubjekt) is a person whose data are processed

• All other subjects are third persons (kolmandad isikud)

Permission for Processing Personal Data

General rule: personal data can be processed only with the consent of the data subject

An administrative authority shall process personal data only in the course of performance of public duties in order to perform obligations prescribed by law, an international agreement or directly applicable legislation of the Council of the European Union or the European Commission

Consent of Data Subject, I

1. The declaration of intention of a data subject whereby the person permits the processing of his or her personal data (hereinafter consent) is valid only if it is based on the free will of the data subject. The consent shall clearly determine the data for the processing of which permission is given, the purpose of the processing of the data and the persons to whom communication of the data is permitted, the conditions for communicating the data to third persons and the rights of the data subject concerning further processing of his or her personal data. Silence or inactivity shall not be deemed to be a consent. Consent may be partial and conditional

2. Consent shall be given in a format which can be reproduced in writing unless adherence to such formality is not possible due to a specific manner of data processing. If the consent is given together with another declaration of intention, the consent of the person must be clearly distinguishable

Consent of Data Subject, II

3. Before obtaining a data subject's consent for the processing of personal data, the processor of personal data shall notify the data subject of the name of the processor of the personal data or his or her representative, and of the address and other contact details of the processor of the personal data. If the personal data are to be processed by the chief processor and authorised processor then the name of the chief processor and authorised processor or the representatives thereof and the address and other contact details of the chief processor and authorised processor shall be communicated or made available

4. For processing sensitive personal data, the person must be explained that the data to be processed is sensitive personal data and the data subject's consent shall be obtained in a format which can be reproduced in writing

Consent of Data Subject, III

5. A data subject has the right to prohibit, at all times, the processing of data concerning him or her for the purposes of research of consumer habits or direct marketing, and communication of data to third persons who intend to use such data for the research of consumer habits or direct marketing

6. The consent of a data subject shall remain valid during the lifetime of the data subject and for thirty years after the death of the data subject unless the data subject has decided otherwise

7. Consent may be withdrawn by the data subject at any time. Withdrawal of consent has no retroactive effect. The provisions of the General Principles of the Civil Code Act concerning declaration of intention shall additionally apply to consent

8. In the case of a dispute it shall be presumed that the data subject has not granted consent for the processing of his or her personal data. The burden of proof of the consent of a data subject lies on the processor of personal data

Processing of Personal Data for Scientific Research or Official Statistics Needs, I

• Data concerning a data subject may be processed without the consent of the data subject for the needs of scientific research or official statistics only in coded form

• Before handing over data for processing it for the needs of scientific research or official statistics, the data allowing a person to be identified shall be substituted by a code

• Decoding and the possibility to decode is permitted only for the needs of additional scientific research or official statistics

• The processor of the personal data shall appoint a specific person who has access to the information allowing decoding

Processing of Personal Data for Scientific Research or Official Statistics Needs, II

Processing of personal data for scientific research or official statistics purposes without the consent of the data subject is permitted if the processor of the personal data has taken sufficient organisational, physical and information technology security measures for the protection of the personal data, has registered the processing of sensitive personal data and the Data Protection Inspectorate has verified, before the commencement of the processing of the personal data, compliance with the requirements set out in this section and, if an ethics committee has been founded based on law in the corresponding area, has also heard the opinion of such committee
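As an added illustration (not from the lecture) of the coded-form processing described in the two slides above: identifying fields are substituted by a keyed code, the key and the code-to-identity table are held only by the appointed person, and decoding is refused and logged for any purpose other than research or statistics. The record layout, the fictitious persons and the `DecodingKeyHolder` class are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Fields that allow a person to be identified; these are replaced by a code
IDENTIFYING_FIELDS = ("name", "personal_code")

# Constructed sample data for the example; not real persons or health data
RECORDS = [
    {"name": "Mari Maasikas", "personal_code": "48001010000", "diagnosis": "J45", "year": 2014},
    {"name": "Jaan Tamm", "personal_code": "37501010000", "diagnosis": "I10", "year": 2013},
    {"name": "Mari Maasikas", "personal_code": "48001010000", "diagnosis": "J45", "year": 2012},
]

# The only purposes for which decoding is permitted by the Act
PERMITTED_PURPOSES = ("scientific research", "official statistics")


class DecodingKeyHolder:
    """Models the specific appointed person who alone has access to the
    information allowing decoding: the secret key and the code-to-identity
    table. Everyone else sees only the coded records."""

    def __init__(self, key=None):
        # A random 256-bit key; with a keyed code, nobody can recompute a
        # code from a guessed personal code (a plain hash would allow that).
        self._key = key or secrets.token_bytes(32)
        self._table = {}      # code -> identifying fields
        self.decode_log = []  # every decoding attempt, permitted or refused

    def code_for(self, record):
        """Return a stable code for the person in this record and remember
        the mapping so the holder can decode it later."""
        identity = {f: record[f] for f in IDENTIFYING_FIELDS}
        canonical = json.dumps(identity, sort_keys=True).encode()
        # HMAC keeps the code deterministic (same person -> same code, so the
        # researcher can still link records) without revealing the identity.
        code = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:16]
        self._table[code] = identity
        return code

    def decode(self, code, purpose, requester):
        """Decoding only for additional research/statistics needs; every
        attempt is logged so the holder's use of the key can be checked."""
        permitted = purpose in PERMITTED_PURPOSES and code in self._table
        self.decode_log.append({"code": code, "purpose": purpose,
                                "requester": requester, "permitted": permitted})
        if not permitted:
            raise PermissionError(f"decoding refused for purpose {purpose!r}")
        return dict(self._table[code])


def pseudonymise(records, holder):
    """Substitute the identifying fields of each record by a code before the
    data are handed over for research or official statistics."""
    coded = []
    for rec in records:
        out = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        out["subject_code"] = holder.code_for(rec)
        coded.append(out)
    return coded


def contains_identifying_data(coded_records):
    """Check that the hand-over set no longer carries any identifying field."""
    return any(f in rec for rec in coded_records for f in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    holder = DecodingKeyHolder()
    research_set = pseudonymise(RECORDS, holder)
    for rec in research_set:
        print(rec)
    print(holder.decode(research_set[0]["subject_code"], "scientific research", "researcher_1"))
```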

Registration of Processing Sensitive Personal Data

If a processor of personal data has not appointed a person responsible for the protection of personal data, the processor of personal data is required to register the processing of sensitive personal data with the Data Protection Inspectorate.

If there is an appointed person responsible for the protection of personal data, the registration is not mandatory

A registration application must be submitted at least one month before the start of processing sensitive personal data. An important part of it is the description of the applied safeguards

Rights of Data Subject, I

A data subject has the right to obtain personal data relating to him or her from the processor of personal data.

These rights involve:

• the personal data concerning the data subject

• the purposes of processing of personal data

• the categories and source of personal data

• third persons or categories thereof to whom transfer of the personal data is permitted

• third persons to whom the personal data of the data subject have been transferred

• the name of the processor of the personal data or representative

Rights of Data Subject, II

The rights of a data subject to receive information and personal data concerning him or her upon the processing of the personal data shall be restricted if this may:

• damage rights and freedoms of other persons

• endanger the protection of the confidentiality of filiation of a child

• hinder the prevention of a criminal offence or apprehension of a criminal offender

• complicate the ascertainment of the truth in a criminal proceeding

A processor of personal data shall inform a data subject of the decision to refuse to release information or personal data

Security Demands to Processing Environment

A processor of personal data is required to take organisational, physical and information technology security measures (safeguards) to protect personal data:

• against accidental or intentional unauthorised alteration of the data, in the part of the integrity of data

• against accidental or intentional destruction and prevention of access to the data by entitled persons, in the part of the availability of data

• against unauthorised processing, in the part of confidentiality of the data

Most Important Technical Demands

The processor of personal data must:

• prevent access of unauthorised persons to equipment used for processing personal data

• prevent unauthorised reading, copying and alteration of data within the data processing system, and unauthorised transfer of data carriers

• prevent unauthorised recording, alteration and deleting of personal data and ensure that it is subsequently possible to determine when, by whom and which personal data were recorded, altered or deleted, or when, by whom and which data were accessed in the data processing system

• ensure the existence of information concerning the transmission of data: when, to whom and which personal data were transmitted, and ensure the preservation of such data in an unaltered state
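An added example, not part of the lecture, of the third and fourth technical demands: a toy personal-data store whose audit trail records when, by whom and which personal data were recorded, altered, deleted, accessed or transmitted (and to whom), with each entry hash-chained to the previous one so that later alteration of the trail is detectable. The class, field names and sample subjects are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


class PersonalDataStore:
    """Every operation on personal data leaves an audit entry stating when,
    by whom and which data were recorded, altered, deleted, accessed or
    transmitted (and to whom). Entries are hash-chained so that altering or
    removing an entry later breaks the chain."""

    def __init__(self):
        self._data = {}   # subject id -> {field: value}
        self._trail = []  # audit entries in chronological order

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, actor, action, subject, fields, recipient=None):
        prev = self._trail[-1]["entry_hash"] if self._trail else GENESIS_HASH
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),   # when
            "actor": actor,                                  # by whom
            "action": action, "subject": subject,
            "fields": sorted(fields),                        # which data
            "recipient": recipient,                          # to whom (transmit)
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash(entry)
        self._trail.append(entry)

    def record(self, actor, subject, **fields):
        self._data.setdefault(subject, {}).update(fields)
        self._log(actor, "record", subject, fields)

    def alter(self, actor, subject, **fields):
        self._data[subject].update(fields)
        self._log(actor, "alter", subject, fields)

    def delete(self, actor, subject, *fields):
        for f in fields:
            self._data[subject].pop(f, None)
        self._log(actor, "delete", subject, fields)

    def access(self, actor, subject, *fields):
        # Reading is logged too: the Act asks who accessed which data and when
        self._log(actor, "access", subject, fields)
        return {f: self._data[subject][f] for f in fields}

    def transmit(self, actor, subject, recipient, *fields):
        self._log(actor, "transmit", subject, fields, recipient=recipient)
        return {f: self._data[subject][f] for f in fields}

    def history_of(self, subject):
        """Answer 'when, by whom, what, to whom' for one data subject."""
        return [(e["ts"], e["actor"], e["action"], e["fields"], e["recipient"])
                for e in self._trail if e["subject"] == subject]

    def verify_trail(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = GENESIS_HASH
        for e in self._trail:
            if e["prev_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    # Constructed sample subject; not a real person
    store = PersonalDataStore()
    store.record("clerk_a", "subj1", name="Mari Maasikas", phone="+372 5000000")
    store.transmit("clerk_a", "subj1", "tax_board", "name")
    for line in store.history_of("subj1"):
        print(line)
    print("trail intact:", store.verify_trail())
```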

Personal Data versus ISKE: Confidentiality

The Personal Data Protection Act determines the set of persons who can access (process) personal data

If we compare this statement to the security class and subclass definitions of ISKE, it corresponds to the confidentiality subclass S2

Personal Data versus ISKE: Integrity

The Personal Data Protection Act states that “personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing” and that the processor must “prevent unauthorised recording, alteration and deleting of personal data and to ensure that it be subsequently possible to determine when, by whom and which personal data were recorded, altered or deleted or when, by whom and which data were accessed in the data processing system”

This definition corresponds to the ISKE integrity subclass T2 definition

Two Typical Demands to Public-Sector Database

... that must usually both be satisfied together in one database:

1. to ensure that all public data have web output (according to the Public Information Act)

2. to ensure the confidentiality of personal data (according to the Personal Data Protection Act)

Technically these data are often stored in the same database tables, in neighbouring fields or attributes
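An added example (not from the lecture) of satisfying both demands on one table with Python's sqlite3: public company data and the contact person's personal data sit in neighbouring columns, the web output reads only a view of the public columns, and the web-facing connection carries an authorizer that denies any read of the personal-data columns even when a query names the base table directly. The table layout, view and sample rows are constructed for the example.

```python
import sqlite3

TABLE = "enterprise"
PUBLIC_VIEW = "enterprise_public"
PUBLIC_COLUMNS = ("reg_code", "name", "address")
PERSONAL_COLUMNS = {"contact_name", "contact_personal_code", "contact_phone"}

# Constructed sample rows: the companies, persons and codes are fictitious
SAMPLE_ROWS = [
    ("10000001", "Näidis OÜ", "Tallinn, Näituse 1",
     "Mari Maasikas", "48001010000", "+372 5000000"),
    ("10000002", "Proov AS", "Tartu, Ülikooli 2",
     "Jaan Tamm", "37501010000", "+372 5000001"),
]


def build_db():
    """One table holds public data and personal data side by side; a view
    exposes only the public columns for the web output."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {TABLE} (
            reg_code TEXT PRIMARY KEY,
            name TEXT NOT NULL,
            address TEXT,
            contact_name TEXT,
            contact_personal_code TEXT,
            contact_phone TEXT
        );
        CREATE VIEW {PUBLIC_VIEW} AS
            SELECT {', '.join(PUBLIC_COLUMNS)} FROM {TABLE};
    """)
    con.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def web_authorizer(action, arg1, arg2, db_name, trigger):
    """sqlite3 authorizer for the web-facing connection: a read of any
    personal-data column of the base table is denied when the statement is
    prepared, whichever query (or view) asks for it."""
    if action == sqlite3.SQLITE_READ and arg1 == TABLE and arg2 in PERSONAL_COLUMNS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def as_web_connection(con):
    """Restrict a connection to what the public web output may see."""
    con.set_authorizer(web_authorizer)
    return con


def web_output(con, reg_code):
    """Public web output (Public Information Act): read through the view only."""
    row = con.execute(
        f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM {PUBLIC_VIEW} WHERE reg_code = ?",
        (reg_code,)).fetchone()
    return dict(zip(PUBLIC_COLUMNS, row)) if row else None


def view_exposes_only_public(con):
    """Check that the view definition leaks no personal-data column."""
    cols = {r[1] for r in con.execute(f"PRAGMA table_info({PUBLIC_VIEW})")}
    return cols.isdisjoint(PERSONAL_COLUMNS) and cols <= set(PUBLIC_COLUMNS)


def personal_data_readable(con):
    """True if this connection can read a personal-data column of the base table."""
    try:
        con.execute(f"SELECT contact_personal_code FROM {TABLE}").fetchall()
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    con = build_db()
    print("internal read of personal data allowed:", personal_data_readable(con))
    web = as_web_connection(con)
    print("web output:", web_output(web, "10000001"))
    print("web read of personal data allowed:", personal_data_readable(web))
```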