Rules of Business Data Protection
Who Determines the Rules of Business Data Protection?
The rules of business data protection will differ based upon where the business is located and the type of information that must be protected. Information security standards will create a set of rules businesses must follow if they wish to hold ISO certification or if their business contracts require meeting ISO IT security standards. What are the most common rules, laws and regulations for protecting business data?
About the Data Protection Act
What is the Data Protection Act? The Data Protection Act, or DPA for short, is a UK law passed in 1998 to help protect sensitive personal data. It was updated in 2003 and 2018. The DPA states that sensitive information must be protected from accidental disclosure and cannot be shared without someone’s consent unless there is a legitimate reason to do so.
Under the DPA, sensitive personal information includes a person’s political beliefs, religious beliefs, ethnicity, union membership, health information, sexual preference and activities, criminal record and court records. Individuals have the right to access their own personal information unless there is a compelling reason for data controllers to deny it; for example, someone can request information on their court records but may not be told that they are a suspect in another crime and currently under surveillance.
This “sensitive personal information” is restricted except under a narrow set of exemptions. For example, the courts have access to information on someone’s criminal history and all court records, whereas general inquiries from the public would be rebuffed. The National Health Service has access to medical records and mental health records, whereas most others would not. Social workers and schools can gain access to information on someone’s ethnic status for generating statistics on student achievement on the basis of race. Researchers and statisticians have access to this information when it is for a legitimate, scientific purpose.
National security is another large exemption. For example, when screening for terrorists among arrested suspects, being Muslim and holding membership in radical anarchist political groups are relevant screening criteria. Tracking those who have traveled to and from a quarantined area is another.
The Data Protection Act requires a combination of technical and administrative controls to protect sensitive personal information. The administrative controls include policies that limit access to paper files and training of personnel in proper procedures.
The technical controls to protect data include firewalls to prevent hackers from accessing sensitive information, access control limits that restrict access to data to authorized data controllers and regular backups of data to prevent loss of this information. Access logs allow system administrators to determine who has accessed and altered data.
Personally Identifiable Information or PII
What is PII? In the United States, Personally Identifiable Information or PII refers to the combination of someone’s name with a Social Security Number (SSN), Taxpayer Identification Number (TIN) or driver’s license number.
Names and addresses combined with financial information such as bank account numbers are also considered personally identifiable information. This information is often enough to steal someone’s identity for purposes such as opening credit cards in the person’s name, draining an existing bank account or working under their SSN when the worker is in the country illegally.
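The combination rule above is what a data-loss-prevention check actually tests: an identifier by itself is not PII, but an identifier together with a name (or a name plus address plus account data) is. The following is an added example, not code from the original article; the identifier formats are simplified assumptions, and the sample records are constructed.

```python
import re

# Simplified identifier formats; assumptions for illustration, real formats vary.
SSN_OR_TIN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
DRIVERS_LICENSE = re.compile(r"^[A-Z]\d{7,8}$")
ACCOUNT_NUMBER = re.compile(r"^\d{8,17}$")
# Fields masked before a record that qualifies as PII is shared.
IDENTIFIER_FIELDS = ("ssn", "tin", "drivers_license", "bank_account")

def pii_reasons(record):
    """Return why a record is PII under the two combination rules above:
    name + SSN/TIN or driver's license, or name + address + account number.
    A bare identifier with no name matches neither rule and is not flagged."""
    reasons = []
    if not record.get("name", "").strip():
        return reasons
    for field in ("ssn", "tin"):
        if SSN_OR_TIN.match(record.get(field, "")):
            reasons.append("name+" + field)
    if DRIVERS_LICENSE.match(record.get("drivers_license", "")):
        reasons.append("name+drivers_license")
    if record.get("address", "").strip() and ACCOUNT_NUMBER.match(record.get("bank_account", "")):
        reasons.append("name+address+bank_account")
    return reasons

def redact_for_sharing(record):
    """Copy of the record with identifier fields masked to their last four
    characters, enough for a partner to reconcile a list without the full number."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        value = out.get(field, "")
        if value:
            out[field] = "*" * max(len(value) - 4, 0) + value[-4:]
    return out

def prepare_export(records):
    """Redact every record that qualifies as PII; non-PII records pass through."""
    return [redact_for_sharing(r) if pii_reasons(r) else r for r in records]

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789"},
    {"name": "John Roe", "address": "1 Main St", "bank_account": "001234567890"},
    {"name": "", "ssn": "987-65-4321"},              # identifier without a name
    {"name": "Pat Poe", "email": "pat@example.com"},  # name alone is not PII here
]
```

Calling `prepare_export(SAMPLE_RECORDS)` masks the first two records and leaves the other two untouched, which is the behaviour a customer list should have before it goes to a third party.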
Business Data, Personal Information and the Law
The United States has laws to protect personal information and sensitive data based on the type of information. For example, the Health Insurance Portability and Accountability Act mandates protective measures for patients’ medical records. These measures range from requiring the next person in line to stand several feet back while someone speaks with a pharmacist, to requiring access control limits on all electronic medical records systems that restrict access to data to only those whose jobs require it.
The Gramm-Leach-Bliley Act requires financial institutions like banks to protect sensitive information when sharing information about customers with other institutions. For example, a customer’s credit card number or mortgage loan number should not be given to a third party when sending them customer lists to be used when marketing insurance products. The Gramm-Leach-Bliley Act also requires financial institutions to explain their data sharing policies to customers in terms they can understand while giving them the option to opt out before their information is shared.
The Payment Card Industry Data Security Standard applies to payment card processors like banks with ATMs and prepaid card providers like the debit cards given in lieu of paychecks to the unbanked. Also called the PCI DSS, this standard requires firewalls to protect payment card information, regular maintenance of antivirus software, system monitoring and tight controls over access to payment information. The PCI DSS also mandates encryption of cardholder data, though this may be done in accordance with ISO standards.
IT Security Standards and Business Data Protection
The International Standards Organization or ISO has a number of standards on information security and information technology security. They apply to any computing system that claims to meet ISO standards.
ISO 27001 lists the requirements for information security management. ISO 27002 lists the ISO’s recommended practices for protecting information security. These recommended practices include controlling access to hardware and data, training individuals to protect PII, protecting hardware that contains sensitive information and tracking all security incidents for root cause analysis while responding to them in a timely manner.
ISO 29100 is a standard published in 2011 and amended in 2018. ISO 29100 creates a common privacy terminology for use in other standards. It describes the formal roles such as PII custodians, defining who processes personally identifiable information and who has the responsibility to protect it. ISO 29100 builds upon existing IT security standards to add additional safeguards for privacy.
The ISO has created standards for the security of personally identifiable information. For example, ISO 9564 outlines the principles and security practices for protecting the Personal Identification Number or PIN used to access someone’s bank account. ISO 11568 is the standard for encryption systems to protect retail and banking data. ISO 13491 is used to ensure the security of the financial data in a retail environment, such as protecting the information from the card swipe device by the register at the grocery store.
ISO standards also extend to online financial data protection. ISO 15782 is the standard for financial service provider certificates, like the certificate used to verify that your bank’s website is legitimate before you enter your account number to view the balance or transfer funds.
While ISO information security standards are not law, they are contractually required by many companies and followed by many more.