
Rules of Business Data Protection

Updated on July 8, 2020

Tamara Wilhite is a technical writer, an industrial engineer, a mother of two, and a published sci-fi and horror author.

Who Determines the Rules of Business Data Protection?

The rules of business data protection differ depending on where the business is located and on the type of information that must be protected. Information security standards add a further set of rules for businesses that want to hold ISO certification or whose contracts require them to meet ISO security standards. What are the most common rules, laws and regulations for protecting business data?

Biometric scanners like this one are only one form of protection available to limit access to business data.

About the Data Protection Act

What is the Data Protection Act? The Data Protection Act, or DPA for short, is a UK law passed in 1998 to protect personal data, with stricter rules for sensitive personal data. It was later replaced by the Data Protection Act 2018, which implements the EU General Data Protection Regulation (GDPR) in UK law and calls the same categories "special category data". Under both, sensitive data must be protected from accidental disclosure and cannot be shared without the individual's consent unless there is a legitimate legal basis for doing so.

Under the DPA, sensitive personal data includes a person's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, and criminal offences or court proceedings. Individuals have a right of access to the personal data held about them unless an exemption gives the data controller a compelling reason to withhold it; for example, someone can request their own court records but will not be told that they are a suspect in another crime and currently under surveillance, because disclosure would prejudice the investigation.

Processing of this sensitive personal data is restricted except under a narrow set of exemptions. For example, the courts have access to a person's criminal history and court records, whereas general inquiries from the public would be rebuffed. The National Health Service has access to medical and mental health records, whereas most others would not. Schools and social services may process data on pupils' ethnic origin in order to produce statistics on attainment by ethnic group. Researchers and statisticians have access when the processing is for a legitimate research or statistical purpose and the published results do not identify individuals.

National security is another large exemption. Security services may, for example, process data on the religious and political affiliations of arrested suspects when screening for links to terrorist groups. Tracking those who have travelled to and from a quarantined area is a comparable public health case.

The Data Protection Act requires a combination of technical and administrative controls to protect sensitive personal data. Administrative controls include policies that limit who may handle paper files and training of personnel in proper procedures.

Technical controls include firewalls to keep attackers away from systems holding sensitive data, access controls that restrict each data set to the staff authorised to process it, and regular backups so that the data is not lost. Access logs let system administrators determine who accessed or altered a record and when, which is what makes a breach investigation or a subject access request answerable.
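The two technical controls above, role-based access restriction and an audit log that records every attempt, are shown together below. This is an added example, not code from the original article; the policy table, the staff directory and the record identifiers are constructed for illustration, and the categories mirror the sensitive data types listed earlier. The point is that the log records denials as well as successes, so a reviewer can later answer both "who changed this record" and "who tried to and should not have".

```python
"""Deny-by-default access check with a JSON-lines audit trail, plus a review step.

Added example (not from the original article). POLICY, ROLES and the record
ids used in demo() are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed policy: which roles may read or write each sensitive category.
# Anything not listed here is denied (deny by default).
POLICY = {
    "health":   {"read": {"clinician", "dpo"}, "write": {"clinician"}},
    "criminal": {"read": {"court_officer", "dpo"}, "write": {"court_officer"}},
}

# Constructed staff directory: user -> role. Unknown users have no role.
ROLES = {
    "alice": "clinician",
    "bob": "receptionist",
    "carol": "court_officer",
    "dan": "dpo",
}


def access(user, action, category, record_id, log, when=None):
    """Decide one access request and append an audit line whether allowed or not.

    Returns True if the request is permitted. The caller only performs the
    read or write when this returns True; the log line is written either way.
    """
    role = ROLES.get(user)
    allowed = role in POLICY.get(category, {}).get(action, set())
    log.append(json.dumps({
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "category": category,
        "record": record_id,
        "result": "allow" if allowed else "deny",
    }))
    return allowed


def review(log, record_id):
    """Summarise the audit trail for one record.

    Returns (touched, denied): touched maps 'read'/'write' to the set of users
    whose access succeeded; denied lists (user, action) pairs that were refused,
    in the order they occurred.
    """
    touched = {"read": set(), "write": set()}
    denied = []
    for line in log:
        entry = json.loads(line)
        if entry["record"] != record_id:
            continue
        if entry["result"] == "allow":
            touched[entry["action"]].add(entry["user"])
        else:
            denied.append((entry["user"], entry["action"]))
    return touched, denied


def demo():
    """Run a constructed sequence of requests and review the resulting trail."""
    log = []
    access("alice", "read", "health", "pt-1001", log)
    access("alice", "write", "health", "pt-1001", log)
    access("bob", "read", "health", "pt-1001", log)      # receptionist: denied
    access("dan", "read", "health", "pt-1001", log)      # DPO may read ...
    access("dan", "write", "health", "pt-1001", log)     # ... but not alter
    access("eve", "read", "health", "pt-1001", log)      # unknown user: denied
    access("carol", "read", "criminal", "case-77", log)  # different record
    return review(log, "pt-1001")


if __name__ == "__main__":
    touched, denied = demo()
    print("read by:", sorted(touched["read"]))
    print("altered by:", sorted(touched["write"]))
    print("refused:", denied)
```

The review function deliberately reads back the same serialised lines that were written rather than an in-memory structure, because in practice the log is shipped to a separate system and the reviewer only ever sees the lines. Keeping the log append-only and outside the reach of the accounts it records is what gives those lines evidential value.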

Personally Identifiable Information or PII

What is PII? In the United States, personally identifiable information or PII is information that identifies an individual on its own or in combination with other data: typically a name combined with a Social Security Number (SSN), Taxpayer Identification Number (TIN) or driver's license number.

A name and address combined with financial information such as a bank account number is also considered PII. This combination is often enough to steal someone's identity: opening credit cards in their name, draining an existing bank account, or working under their SSN.

Data must be protected both during transmission and in storage.

Business Data, Personal Information and the Law

The United States has laws that protect personal information according to the type of information. For example, the Health Insurance Portability and Accountability Act (HIPAA) mandates safeguards for patients' medical records. These range from physical safeguards, such as keeping the next customer in a pharmacy line several feet back from the counter, to technical safeguards such as access controls on electronic medical record systems that restrict data to staff whose jobs require it.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions such as banks to protect customers' nonpublic personal information, including when sharing it with other institutions. For example, a customer's credit card number or mortgage loan number should not be included in a customer list sent to a third party for marketing insurance products. The GLBA also requires financial institutions to explain their data sharing practices to customers in plain terms and to give them the option to opt out before their information is shared with nonaffiliated third parties, and its Safeguards Rule requires each institution to maintain a written information security program.

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organisation that stores, processes or transmits payment card data: merchants, payment processors, banks operating ATMs, and prepaid card providers such as the payroll debit cards issued in lieu of paychecks to the unbanked. It is not a law but an industry standard maintained by the PCI Security Standards Council and enforced through the card brands' contracts with merchants and acquirers. PCI DSS requires firewalls to protect the cardholder data environment, regularly updated antivirus software, monitoring of all access to network resources and cardholder data, and tight controls over who may access payment information. It also requires that the primary account number (PAN) be rendered unreadable wherever it is stored, be encrypted with strong cryptography when sent over open, public networks, and be masked when displayed (at most the first six and last four digits), and it forbids storing sensitive authentication data such as the full magnetic stripe or the card verification code after authorization.
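A practical consequence of the PAN rules is that card numbers must not leak into application logs, where they are stored unencrypted and read by people with no need to see them. The following is an added example, not code from the original article or from the PCI council: it finds PANs in log text using the Luhn check digit that payment card numbers carry, so that a random 16-digit trace id is not mistaken for a card, and rewrites each one in the first-six/last-four masked form PCI DSS allows for display. The log lines and the card numbers (the usual published test numbers) are constructed for the example.

```python
"""Detect and mask payment card numbers (PANs) in log text.

Added example, not from the original article. The LOG lines below are
constructed; the card numbers in them are standard published test numbers.
"""
import re


def luhn_valid(digits):
    """Luhn check digit test used by payment card numbers (ISO/IEC 7812).

    From the right, every second digit is doubled and digits above 9 have 9
    subtracted; the number is valid when the sum is a multiple of ten.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _as_pan(match_text):
    """Return the digit string if this candidate is a plausible PAN, else None."""
    digits = re.sub(r"\D", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text):
    """Return the Luhn-valid 13-19 digit sequences found in text."""
    return [pan for pan in (_as_pan(m.group()) for m in CANDIDATE.finditer(text)) if pan]


def scrub_line(line):
    """Replace every PAN in a log line with its masked form; leave other numbers alone."""
    def repl(m):
        pan = _as_pan(m.group())
        return mask_pan(pan) if pan else m.group()
    return CANDIDATE.sub(repl, line)


def scrub_log(lines):
    """Scrub a list of log lines. Returns (clean_lines, number_of_pans_masked)."""
    clean, count = [], 0
    for line in lines:
        count += len(find_pans(line))
        clean.append(scrub_line(line))
    return clean, count


# Constructed sample log: one plain PAN, one hyphenated PAN next to a 16-digit
# trace id that fails the Luhn check, and one line with no PAN at all.
LOG = [
    "2020-07-08T12:00:01Z INFO checkout ok order=10042 card=4111111111111111 amt=19.99",
    "2020-07-08T12:00:02Z DEBUG retry trace=1234567890123456 card=5500-0000-0000-0004",
    "2020-07-08T12:00:03Z INFO refund order=10043 last4=1111",
]

if __name__ == "__main__":
    cleaned, n = scrub_log(LOG)
    print(f"masked {n} PAN(s)")
    for line in cleaned:
        print(line)
```

The Luhn filter is what keeps the false-positive rate tolerable on real logs: timestamps, order numbers and trace ids rarely pass it by accident. Running a scrubber like this over log output is a mitigation; the control PCI DSS actually wants is that the PAN never reaches the logging call in the first place, which this same detector can verify in a test environment by asserting that the count it returns is zero.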

IT Security Standards and Business Data Protection

The International Organization for Standardization (ISO), jointly with the IEC for IT topics, publishes a number of standards on information security and information technology security. Conformance is voluntary, but an organisation that claims certification must implement the controls the standard specifies and pass an independent audit.

ISO/IEC 27001 specifies the requirements for an information security management system (ISMS), the framework an organisation uses to identify, treat and monitor its security risks. ISO/IEC 27002 is the companion code of practice describing the controls an ISMS can draw on. These include controlling access to hardware and data, training the staff who handle PII, physically protecting equipment that holds sensitive information, and recording every security incident, responding to it promptly and performing root cause analysis.

ISO/IEC 29100 is a privacy framework published in 2011 and amended in 2018. It defines common privacy terminology for use in other standards, together with formal roles: the PII principal (the person the data is about), the PII controller (who decides why and how it is processed) and the PII processor (who processes it on the controller's behalf), and which of them is responsible for protecting it. ISO/IEC 29100 builds on the existing IT security standards by adding safeguards specific to privacy.

ISO has also created standards for the security of financial data. ISO 9564 sets out the principles and practices for managing and protecting the Personal Identification Number (PIN) used with a payment card, from entry at the keypad to verification by the issuer. ISO 11568 covers the management of the cryptographic keys used in retail banking, including how keys are generated, distributed, stored and destroyed. ISO 13491 specifies the requirements for secure cryptographic devices such as the PIN entry device at a grocery store checkout, so that a PIN or card data cannot be extracted from the hardware.

ISO standards also extend to online financial data protection. ISO 15782 covers certificate management for financial services: the public key certificates, and the certification authorities behind them, that let your browser verify it is talking to your bank's genuine website before you enter an account number to view a balance or transfer funds.

While ISO information security standards are not law, they are contractually required by many companies and followed by many more.

