An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on data classification, drilling a bit deeper into confidentiality, integrity, availability (=CIA), privacy (=CAPI), traceability, and retention (=PATRIC), to be amended to meet the specific organisation's setup.
The slides come with notes that in short explain the visuals on the slides.
Slides 13-17 - Processing personal data (Data Protection Act / GDPR)
- Internal - Page
Diagram labels: Control; Data Subject; Processing personal data; Data Controller; Finality; Legitimacy; Transparency; Organisation; Proportional; end-to-end.
The three questions, added one per slide:
1. What would your reaction be if we did it to your personal data?
2. What would the reaction be of somebody who likes his privacy, if we did it to his/her personal data?
3. What would the reaction of the public be if what we do to personal data is explained in detail on the front page of tomorrow's newspaper?
Slide 18 - Full Set of Data Classifications: PATRIC
Category        | Meaning                                                                  | Classifications
Privacy         | Use the (personal) data in line with the original purpose                | (original) purpose
Availability    | Ensure that information is available to authorized persons               | Non-Essential, Essential, Critical and Highly Critical
Traceability    | Modifications can be traced back                                         | Non-Traceable, Sensitive and Critical
Retention       | Retained & disposed in line with law & business objectives               | No Retention, Short-Term, Mid-Term and Long-Term
Integrity       | Prevent accidental, unauthorized and deliberate alteration or deletion   | Accurate, Vital and Absolute
Confidentiality | Prevent unauthorized disclosure                                          | Public, Internal, Restricted and Secret
Company specific
Slide 20 - Key Takeaways (WrapUp: 30 sec IS/DPP survival kit)
- ABC Group classifies on different levels: personal data and PATRIC.
- All information has a classification, even if it is not explicit.
- You should classify.
- Confidentiality distinguishes different circles: public, internal, restricted and secret, wherein personal data is always at least "restricted".
Editor's notes
Welcome to the third part of the baseline training IS/DPP.
Herein we look at data and the different classifications we give it in order to be able to better handle it.
Take confidentiality: it entails both keeping unauthorized people out and requiring authorized persons to handle the information confidentially.
An example of a fail is a list of Amex cardholders and their spend being leaked on the internet via WikiLeaks or Pastebin.
The classification “confidentiality” takes into account the impact on the ABC Group in case of disclosure or breach.
The author of the data should classify it. If you receive unclassified data, you should classify it yourself.
The first level is “public”. It is information intended for public use. So it can be communicated outside the ABC Group.
All non-public data is "confidential". That is further divided into three "circles of trust", each containing an ever smaller number of people.
Internal data is meant for staff only. It is information that is used to support and perform normal business operations.
External staff may have access to it, but then they should be bound by a non-disclosure commitment.
Restricted data is only to be made available on a specific need-to-know basis, which means that it must be job-related for you.
Personal data in principle is restricted.
Secret data is the highest level of confidentiality. It is sometimes also indicated as “strictly confidential” or “for your eyes only”. The author must have indicated you as an addressee otherwise you are not authorized to have it. It also means that a recipient has no margin to autonomously forward the information.
Most information security frameworks refer to CIA.
CIA here does not stand for the US Central Intelligence Agency but for:
Confidentiality (which we already discussed)
Integrity: which entails preventing accidental, unauthorized and deliberate alteration or deletion of data.
An example of a fail is a customer succeeding in changing his own card limit, thus messing up our authorization process.
and
Availability: which goes to ensuring that information is available to authorized persons when required to fulfill their job.
An example of a fail is data being lost due to a short power failure and not being able to provide a workable backup, e.g. losing an entire week of work.
Due to the data protection legislation, we also add “privacy” to the “classifications”.
That is respecting the (original) purpose for which the personal data was collected.
Here we revert to the “finality” requirement under the data protection legislation, and the expectations of the data subject.
The finality requirement indicates that during the entire lifecycle of the personal data the purpose must be respected.
The expectations of the data subject, without going into the detail of the technical legislation, can be captured in a quick three-question test.
The first: What would your reaction be if we did it to your personal data?
The second: What would the reaction be of somebody who likes his privacy, if we did it to his/her personal data?
The third: What would the reaction of the public be if what we do to personal data is explained in detail on the front page of tomorrow's newspaper?
If for one of those three questions we have to answer "Well, the reaction may be (seriously) negative", we should likely reconsider.
You can imagine that transparency at the moment of collection of the data is a very important element here.
We complete the set of data classifications with two more, namely
Traceability: that is ensuring that modifications can be traced back to the individual that made the modification (which we refer to as “non-repudiation”) to enable compliance with regulations and standards.
and
Retention: that is ensuring that information is retained and disposed of in line with legal and regulatory requirements and business objectives.
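As an added illustration that is not part of the training deck, the Python sketch below encodes the PATRIC levels from the slide together with the confidentiality circles and the privacy (finality) rule from the notes; the class, its field names and the helpers may_access, may_forward and in_line_with_purpose are assumptions made for this example, not anything ABC Group or the deck defines.

```python
from dataclasses import dataclass

LEVELS = {  # each PATRIC category's levels, least to most demanding (from the slide)
    "confidentiality": ("public", "internal", "restricted", "secret"),
    "integrity": ("accurate", "vital", "absolute"),
    "availability": ("non-essential", "essential", "critical", "highly critical"),
    "traceability": ("non-traceable", "sensitive", "critical"),
    "retention": ("no retention", "short-term", "mid-term", "long-term"),
}

@dataclass(frozen=True)
class Classification:  # assumed record shape, one label per PATRIC category
    confidentiality: str
    integrity: str
    availability: str
    traceability: str
    retention: str
    personal_data: bool = False          # privacy: does the record hold personal data?
    purpose: str = ""                    # privacy: the (original) purpose of collection
    addressees: frozenset = frozenset()  # secret data: the people the author named

    def __post_init__(self):
        for category, allowed in LEVELS.items():
            if getattr(self, category) not in allowed:
                raise ValueError(f"{category}: expected one of {allowed}")
        circles = LEVELS["confidentiality"]
        if self.personal_data:  # personal data is always at least "restricted"
            if circles.index(self.confidentiality) < circles.index("restricted"):
                raise ValueError("personal data is at least restricted")
            if not self.purpose:
                raise ValueError("personal data needs its original purpose recorded")
        if self.confidentiality == "secret" and not self.addressees:
            raise ValueError("secret data must name its addressees")

def may_access(c, person, is_staff, has_nda=False, need_to_know=False):
    """The four confidentiality circles from the notes, smallest circle last."""
    if c.confidentiality == "public":
        return True
    if c.confidentiality == "internal":
        return is_staff or has_nda                   # external staff only under an NDA
    if c.confidentiality == "restricted":
        return (is_staff or has_nda) and need_to_know  # job-related need-to-know
    return person in c.addressees                    # secret: named addressee only

def may_forward(c):
    return c.confidentiality != "secret"  # no margin to autonomously forward secret data

def in_line_with_purpose(c, intended_purpose):
    """Privacy (finality): personal data is used only for its original purpose."""
    return not c.personal_data or intended_purpose == c.purpose
```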