Management of Sensitive Data

Transcription

1 Management of Sensitive Data Daryl L. Superio Southeast Asian Fisheries Development Center, Aquaculture Dept. IOC/IIOE2-OTGA and IORA Joint Training Course: Research Data Management May 2016: Kuala Terengganu, Malaysia Hosted by: Government of Malaysia and Malaysian Ocean Teacher Global Academy (OTGA) Regional Training Centre (RTC), INOS, UMT Supported by: Australian Aid, UNESCO/IOC Perth Programme Office, UNESCO/IOC Project Office for International Oceanographic Data and Information Exchange (IODE) and the Indian Ocean Rim Association (IORA)

2 Learning Outcomes At the end of the session you will: identify sensitive data know some data privacy laws learn how to keep your research data secure

3 Sensitive Data Defined Australian National Data Service are data that can be used to identify an individual, species, object, or location that introduces a risk of discrimination, harm, or unwanted attention major, familiar categories of sensitive data are: human health/medical and personal data, including information about secret or sacred practices; or ecological data that may place vulnerable species at risk.

4 List of Data Breaches Source: List of data breaches. (2016). Retrieved 10 May 2016 from

5 Research Data Breach at University of North Carolina at Chapel Hill Source: Chronlology of data breaches. (2016). San Diego, CA: Privacy Rights Clearinghouse. Retrieved 10 May 2016 from

6 2015 Cost of Data Breach Ponenom Institute, companies in 11 countries $3.79 million is the average total cost of data breach 23% increase in total cost of data breach since 2013 $154 is the average cost per lost or stolen record

7 Types of Sensitive Data Briney, 2015 research data containing personally identifiable information research data containing information that could cause harm if publicly released research data leading to patents and other intellectual property

8 National Data Privacy Laws DLA Piper, 2016 Laws governing how sensitive data should be handled vary from country to country o Australia data privacy/protection in Australia is currently made up of a mix of Federal and State/Territory legislation The Federal Privacy Act 1988 (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector entities Australian States and Territories (except for Western Australia and South Australia) each have their own data protection legislation applying to State Government agencies (and private businesses' interaction with them). These acts are:» Information Privacy Act 2014 (Australian Capital Territory)» Information Act 2002 (Northern Territory)» Privacy and Personal Information Protection Act 1998 (New South Wales)» Information Privacy Act 2009 (Queensland)» Personal Information Protection Act 2004 (Tasmania)» Privacy and Data Protection Act 2014 (Victoria) more details at:

9 National Data Privacy Laws DLA Piper, 2016 o India no specific legislation on privacy and data protection Information Technology Act, 2000 (the Act ) contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently or are intended to be processed electronically) the Privacy Rules, which took effect in 2011, require corporate entities collecting, processing and storing personal data, including sensitive personal information to comply with certain procedures. more details at:

10 National Data Privacy Laws DLA Piper, 2016 o Indonesia no general law on data protection however, there are certain regulations concerning the use of electronic data Electronic Information and Trasactions ( EIT Law ) Government Regulation No. 82 of 2012 more details at: aw-section/c1_id

11 National Data Privacy Laws DLA Piper, 2016 o Malaysia Malaysia s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 ('PDPA'), was passed by the Malaysian Parliament on 2 June 2010 and came into force on 15 November more details at: aw-section/c1_my

12 National Data Privacy Laws DLA Piper, 2016 o Seychelles The Data Protection Act (the 'Act') was enacted in 2003 (Act No. 9 of 2003) with the aim of protecting the fundamental privacy rights of individuals against the use of data concerning them without their informed consent. more details at: aw-section/c1_sc

13 National Data Privacy Laws DLA Piper, 2016 o South Africa The Constitution of the Republic of South Africa guarantees the right to privacy. Certain provisions within the Electronic Communications and Transactions Act regulate the electronic collection of personal information, although compliance with these provisions is voluntary. more details at: aw-section/c1_za

14 National Data Privacy Laws DLA Piper, 2016 o Thailand Does not have any general statutory law governing data protection or privacy. However, the Constitution does recognize the protection of privacy rights. In addition, statutory laws in some specific areas (such as telecommunications, banking and financial businesses (Specific Businesses) as well as other nonbusiness related laws, such as certain provisions under Thai Penal Code and the Child Protection Act B.E (2003), do provide a certain level of protection against any unauthorised collection, processing, disclosure and transfer of personal data. more details at:

15 National Data Privacy Laws UK Data Protection Act 1998 (Research Data Management Support Services, UK Data Service, 2014) Personal data: o relates to living individual o individual can be identified from those data or from those data and other information o include any expression of opinion about the individual

16 National Data Privacy Laws UK Data Protection Act 1998 (Research Data Management Support Services, UK Data Service, 2014) Requirements for handling personal data o processed fairly and lawfully o obtained and processed for a specified purpose o adequate, relevant and not excessive for the purpose o accurate o processed in accordance with the rights of data subjects, e.g. informed about how data will be used, stored, processed, transferred, destroyed, kept secure and no kept longer than necessary o not transferred abroad without adequate protection Personal data can be disclosed only with consent

17 Best Practices for Legal Compliance (Research Data Management Support Services, UK Data Service, 2014) Investigate early which laws apply to your data Do not collect personal or sensitive data if not essential to your research Seek advice from you research office Plan early in research If you must deal with personal or sensitive data inform participants about how their data will be used remember: not all research data are personal (e.g. anonymised data are not personal)

18 Ethics and Sensitive Data Briney, 2015 When there is no law or policy specifically governing the handling and retention of research data, research ethics require researchers to securely maintain data containing things like human subject information A researcher entrusted with personal data has an obligation to the research subject to protect the subject s information

19 Keeping Data Secure (Cont.) Briney, 2015 Basic computer security Access Encryption Destroying data Personnel Security plan

20 Keeping Data Secure (Cont.) Briney, 2015 Basic computer security o Software regularly update OS, browsers, anti-virus, and other software that protects the computer from intrusion o Practice safe usage practice safe behavior when using the computer stick to known sites when browsing the web if the source is unknown, do not click the link, download the file, or install the software

21 Keeping Data Secure (Cont.) Briney, 2015 o Passwords use strong passwords use mixture of letter (both upper-and lowercase), numbers and characters at least eight characters long non-obvious» 12345; qwerty; monkey; password; abc123 not a dictionary word not a proper name

22 Access Keeping Data Secure (Cont.) Briney, 2015 o maintain a secure storage environment entails both physical and electronic methods of preventing access entails avoiding storage options that are easily accessible o controlling access block outsiders but keep track of those who are allowed to use the data

23 Encryption Keeping Data Secure (Cont.) Briney, 2015 o the process of converting data contained in a message into a secret code prior to transmission via public telecommunication channels to make the content incomprehensible to all but authorized recipient o is a security measure taken to protect confidential information, such as credit card numbers used in online business transactions and to ensure that only those who have paid for a fee-based service can obtain it (Reitz, 2014)

24 Keeping Data Secure (Cont.) Briney, 2015 Destroying data o securing data at the end of the life of a dataset by destroying after it is no longer needed o can t be achieved by simply deleting, specialized type of software is required to truly delete data from a hard drive o data from flash media, CDs and DVDs can be destroyed by physically destroying the media o paper-based information can be destroyed by shredding

25 Personnel Keeping Data Secure (Cont.) Briney, 2015 o provide access to sensitive data to people you trust to prevent sabotage or other untoward incidents Training and keeping a security plan o the final part of keeping data secure o everyone who comes into contact with the data knows the security procedure systematize security practices in a written document review security plan on a regular basis regular training for the entire research group

26 Anonymization Anonymizing Data Briney, 2015 the process of transforming sensitive data into non-sensitive data the process of de-identifying sensitive data while preserving its format and data type (Raghunathan, 2013) two types: data masking data de-identification

27 Anonymizing Data (Cont.) Briney, 2015 Data masking removing or obscuring the identifiable information in a dataset three techniques: suppression- involves removing, leaving blank, or setting to null all the fields that contain personally identifiable information in a data set randomization-replacing identifiable content with random values pseudonymization- replacing identifiable information with consistent pseudonyms

28 Anonymizing Data (Cont.) Briney, 2015 Data de-identification balances the risk of re-identification with preserving as much information in a dataset as possible generalization- making data point less specific, ex. changing birth date to birth year or replacing a specific address with the more general state or province the goal is to use the data but not include specific information that can identify someone

29 Dos and Don ts for Maintaining Data Security Briney, 2015 Do keep your operating system and software patched and up to date Do use anti-virus, a firewall, and anti-malware software Don t visit unknown sites on the internet Don t open suspicious attachments or click on suspicious links in s Don t browse the web on the computer you use for sensitive data storage and analysis Do use strong passwords Don t repeat passwords Don t share your passwords with others Don t collect sensitive data unless you have to Do encrypt your sensitive data

30 Dos and Don ts for Maintaining Data Security (Cont.) Briney, 2015 Don t move sensitive data outside of its secure storage environment Don t store sensitive data without using both physical and electronic safeguards Don t put sensitive data on the internet, in the cloud or in Do plan how you will safely move sensitive data before you collect data in a secondary location Don t move unencrypted, identified data Do use logs to monitor access to sensitive data Do cut off access someone leaves the group Do destroy sensitive data once it is no longer needed Don t provide someone with access to sensitive data if you do not trust them Do hire competent technical support Do make a security plan and frequently review it with others

31 Publishing Sensitive Data Australian National Data Service Publishing your data, or just a description of your data, means that others can discover it, reuse it and cite it o sensitive data that has been confidentialised can be openly published and shared example of de-identified dataset: o you can publish a description (i.e. the metadata) of your data without making the data itself openly accessible, which enables you to place conditions around access to the data

32 Publishing Sensitive Data (Cont.) Australian National Data Service

33 References Australian National Data Service. (n.d.). Sharing sensitive data. Retrieved May 2016 from: Briney, K. (2015). Data management for researchers: Organize, maintain and share your data for research success. UK: Pelagic Publishing. List of data breaches. (2016). Retrieved May 2016 from Ponemon Institute. (2015) Cost of Data Breach Study: Global Analysis. Retrieved May 2016 from /2015-Cost-of-Data-Breach-Study.PDF