Chapter 6: Managing Data Protection Risks

Questions and Answers

What is the primary purpose of the ‘Motivated Intruder Test’?

  • To analyze the effectiveness of sampling techniques in data anonymisation.
  • To evaluate the impact of public dataset availability on data privacy.
  • To assess the reliability of data encryption techniques.
  • To re-identify individuals from anonymised data without any prior knowledge. (correct)

Which of the following is NOT a method of re-identification as defined in the content?

  • Merging multiple anonymised datasets to find individual identities.
  • Searching an anonymised dataset for matches using existing personal data.
  • Comparing records from anonymised datasets with publicly available information.
  • Cross-referencing anonymised data with private database records. (correct)

What can reduce the risk of re-identification when using anonymised data?

  • Implementing sampling techniques that limit released data. (correct)
  • Regularly updating the anonymisation methods employed.
  • Using comprehensive data encryption on all datasets.
  • Increasing the size of the dataset released.

What effect does the advancement of 'Big Data' and computer power have on anonymised data?

  • It increases the risk of re-identification through data matching. (D)

Periodic re-assessment of re-identification risk using the Motivated Intruder Test is considered good practice because:

  • Technology and data availability evolve over time, impacting risks. (C)

What is the primary purpose of implementing phase and functional controls in an organization?

  • To minimize the likelihood and impact of identified risks (D)

Which of the following best describes Data Protection by Design (DPbD)?

  • An approach that integrates data protection into system design (D)

What does the term ‘risk’ imply in the context of data management according to the content?

  • A potential threat or vulnerability within a system (A)

What is an essential action an organization must take regarding risks created by third parties?

  • Conduct due diligence and establish contractual protections (C)

Which of the following strategies is NOT mentioned for managing personal data protection risks?

  • Sharing risks with regulatory authorities (C)

What is the main objective of an organization when managing personal data protection risks?

  • To minimize and control the likelihood and impact of risks (B)

What type of controls does an organization implement to manage risks effectively?

  • A combination of technical, administrative, and physical controls (C)

Which cloud model offers the least control over personal data for organizations?

  • Software as a Service (SaaS) (B)

In which cloud service model is a programming language execution environment typically provided?

  • Platform as a Service (PaaS) (B)

What is a common example of Software as a Service (SaaS)?

  • SharePoint Online (C)

Which cloud service model typically requires the highest level of management and control from the organization?

  • Infrastructure as a Service (IaaS) (B)

How does the control over personal data change across different cloud models?

  • Control increases as one moves from SaaS to IaaS (B)

Why is risk retention not commonly used for managing regulatory risk?

  • Regulators expect organizations to comply with the law. (A)

What does risk avoidance entail for an organization?

  • Stopping an existing activity to eliminate risk. (D)

Which of the following is NOT an example of a technical control?

  • Employee training programs. (A)

What is a potential limitation of risk sharing in the context of regulatory responsibilities?

  • It may not adequately diminish compliance obligations. (C)

Which of the following is a key purpose of conducting penetration tests?

  • To identify vulnerabilities in an IT system. (A)

What is the main focus of administrative controls in data protection?

  • Managing human factors related to data handling. (C)

Which of the following controls does NOT directly utilize technology?

  • Risk management policies. (B)

In the context of mitigating risks, what is the role of encryption?

  • To protect data during transmission and storage. (A)

What does data loss prevention (DLP) primarily aim to do?

  • Prevent unauthorized access to sensitive data. (B)

Which instruction is NOT associated with the Consent Obligation in data collection?

  • Implement procedures for individuals to update their own personal data (B)

What is a necessary action in ensuring data accuracy when the source is a third party?

  • Implement data verification processes (B)

Which of the following is NOT a recommended action when handling access and correction requests?

  • Deny the request without verification (A)

Which practice is essential for front counter staff before they begin their duties in data protection?

  • To receive training on data protection (C)

What should be considered for developing access and correction processes?

  • A standard request form (A)

Which of the following actions should administrative staff take for personal data updates?

  • Conduct regular personal data update exercises (A)

What is an example of a visible notice requirement when collecting personal data?

  • Notices at all collection points (A)

Which data accuracy practice focuses on handwritten text?

  • Ensuring careful transcription of hand-written text (A)

What training focus is crucial for staff handling personal data?

  • Importance of accuracy in decision-making (B)

What process should be implemented to handle data portability requests?

  • Set up a formal procedure (B)

What are the four common ways an organization can respond to a risk?

  • Risk avoidance (A)
  • Risk sharing (B)
  • Risk modification/reduction (C)
  • Risk retention (@)

What is the main difference between 'phased controls' and 'functional controls' (select all that apply)?

  • Phased controls focus on the prevention phase, detection phase, and response phase. (A)
  • Functional controls encompass proactive, detective, and reactive measures. (D)

What are the three categories of controls and their effects? (Select all that apply)

  • Administrative: Contracts, policies (A)
  • Technical: Anti-virus software (B)
  • Physical: Physical access controls (C)

What are some of the Data Protection by Design (DPbD) measures for ICT projects? (Select all that apply)

  • Implementing access controls (C)
  • Security testing (D)
  • DPIA (A)
  • Minimise use of Personal Data (B)
  • Housekeeping of personal data (@)
  • Protecting exported personal data (@)

What measures must companies take to reduce the risk of accidental disclosure of personal data? (Select all that apply)

  • Conduct staff training on the handling of personal data (A)
  • Conduct data audit checks on data intermediaries (B)
  • Ensure all emails sent externally to a group of recipients have the recipients' email addresses placed in 'bcc' fields (C)

What should organizations focus on when engaging data intermediaries (i.e. data intermediary risks)? (Select all that apply)

  • Conduct appropriate due diligence on proposed data intermediaries to satisfy themselves that the proposed data intermediary is capable of complying with the PDPA. (A)
  • Ensure that it has made reasonable security arrangements to protect personal data and that the collection, use, and disclosure by the data intermediary is in compliance with the other PDPA obligations. (C)
  • The written contract between an organization and its data intermediary should contain strong PDPA protection for the organization because the organization continues to be responsible for compliance with the PDPA where it arranges for a data intermediary to process that personal data on its behalf. (B)

What clauses should be included in the engagement contract with a data intermediary? (Select all that apply)

  • All of the above plus grant an indemnity (@)

Which of the following considerations under the PDPA are relevant to any plan to share personal data? (Select all that apply)

  • Consent: whether the individual must expressly consent to the data sharing (A)
  • Notification: whether the organization must notify the individual that their data will be shared (B)
  • Protection by contract: specifying how personal data will be shared and access limited (C)

Before sharing any personal data with another organisation, what steps should be taken regarding accuracy obligations? (Select all that apply)

  • Ensure that the personal data is accurate and complete before sharing. (A)
  • Devise a process for updating the recipient organisation whenever the shared data changes. (B)

Which of the following suggested policies and processes should organizations and their IT vendors consider for implementation from a security perspective to comply with the PDPA obligations? (Select all that apply)

  • Conduct a risk assessment to identify security risks. (A)
  • Review access configurations to prevent unauthorized access. (B)
  • Document and regularly review the configuration of all software and hardware components. (C)
  • Keeping track of how long personal data is stored. (@)

What should be the roles in incident management between organizations and their IT vendors? (Select all that apply)

  • The IT vendor should notify the organization of a potential security incident. (A)
  • The incident management plan should include business continuity requirements. (C)
  • Have an incident response plan for handling security incidents. (@)

'Anonymisation' refers to the process of removing identifying information, such that the remaining data does not identify a particular individual. Anonymisation is a useful technique that enables organisations to retain and use what would otherwise be personal data about individuals when such use does not require the organisation to be able to identify them.

  • True (A)

Match the following data anonymisation techniques with their descriptions:

  • Attribute suppression = Removal of an entire part of data (column) when not required or cannot be anonymised
  • Record suppression = Removal of an entire record in a dataset to eliminate outlier records
  • Character masking = Change of characters of a data value using a constant symbol to provide anonymity
  • Pseudonymisation = Replacement of identifying data with made up values while keeping data distinguishable
  • Generalisation = Deliberate reduction in the precision of data for values that can still be useful
  • Swapping = Rearranging data in the dataset so individual attribute values do not correspond to original records

Match the following anonymization techniques with their corresponding descriptions:

  • Suppression of a record = An entire record is removed from the dataset
  • Character masking = The characters of a data value are changed, typically partially
  • Pseudonymisation = Personal identifiers are replaced with other references or made-up values
  • Generalisation / recoding = The precision of the data is deliberately reduced
  • Swapping / shuffling / permutation = Data is rearranged so individual attribute values do not correspond to the original records
  • Data perturbation = Values from the original dataset are modified to be slightly different
  • Synthetic data = Synthetic datasets are generated directly and separately from the original data
  • Data aggregation = A dataset is converted from a list of records to summarized values

Personal data in documents and reports can be anonymised by: (a) redacting, which is removing individuals' names from documents; and (b) changing details in a report, such as removing precise place names and/or precise dates. Which of the following methods are effective for anonymising personal data? (Select all that apply)

  • Redacting individual names (A)
  • Removing precise place names (B)
  • Changing dates to vague terms (C)

Streaming personal data is personal data in, for example, video footage and photographs, and audio recordings. In this context, which of the following methods are included in the process of anonymising personal data?

  • Blurring video footage to disguise faces (A)
  • Disguising or re-recording audio material (C)

Flashcards

Risk Management Strategy

The process of choosing how to handle risks identified in a data protection plan.

Security Gap

A weakness or vulnerability in a system that could be exploited.

Threat

A potential threat to a system's security or data privacy.

Likelihood

The likelihood of an event, incident, or attack occurring.

Impact

The potential consequences or impact of an incident on an individual, system, or organization.

Risk Control/Management

The process of reducing the likelihood and impact of risks.

Control

A combination of technical, administrative, and physical measures aimed at managing risks.

Re-identification or De-anonymisation

The process of combining anonymized data with other information to identify an individual.

Sampling Techniques

A method of reducing the risk of re-identification by releasing only parts of a dataset, rather than the entire dataset.

Motivated Intruder Test

A general test for evaluating the robustness of anonymization and the risk of re-identification.

Anonymization using video & photo blurring

Anonymizing data by blurring video and photograph content to disguise faces.

Anonymization using audio alteration or re-recording

Anonymizing data by altering or re-recording audio material.

Risk Retention

Accepting the potential negative consequences of a risk and making no attempt to mitigate it. Commonly used for risks with low impact or high difficulty of mitigation.

Regulatory Risk

The risk of not complying with regulatory requirements.

Risk Avoidance

Eliminating the source of a risk by ending the associated activity or process.

Risk Sharing

Shifting the burden of risk to other entities, such as insurers, investors, or partners.

Technical Controls

Measures implemented using technology to protect personal data, including encryption, access controls, and network security.

Administrative Controls

Procedures and guidelines for handling personal data, encompassing roles, responsibilities, and training for individuals.

Physical Controls

Physical measures to secure data assets, including physical access control, security cameras, and environmental monitoring.

Anti-virus Programs

Software that scans for and removes malicious software, protecting devices from viruses and malware.

Data Loss Prevention (DLP) Tools

Tools that identify and prevent sensitive data from leaving a secure environment, safeguarding confidential information from unauthorized access or leakage.

Cloud Computing

A method of delivering IT resources on demand, often using virtualization and distributed computing technologies.

Virtualization

A technology that divides a single piece of hardware into multiple independent segments, each operating as its own environment.

Software as a Service (SaaS)

A cloud service model where a third-party provider hosts applications and makes them available to customers through the internet.

Platform as a Service (PaaS)

A cloud service model that provides a computing platform, often including an operating system, programming language environment, database, and web server.

Infrastructure as a Service (IaaS)

A cloud service model that provides IT infrastructure (like servers, storage, and networking) over the internet.

Control Over Data in Cloud Models

The level of control an organization has over its data when using cloud services, with SaaS offering the least control and IaaS offering the most control.

Risks Associated with Cloud Computing

Cloud computing services like SaaS, PaaS, and IaaS can pose risks related to data privacy, security, and regulatory compliance.

Role of a Data Protection Officer (DPO)

A data protection officer (DPO) is responsible for implementing and maintaining an organization’s data protection policies and procedures, particularly in relation to cloud computing.

Risk Management in Cloud Services

Organizations using cloud services should be aware of the different risk levels associated with each service model, including the varying degree of control over data.

Importance of Regularly Updating Data Protection Practices

It’s important to regularly update data protection practices and policies, particularly when using cloud computing services, to keep up with changing regulations and technologies.

Purpose Limitation

The principle that organizations should collect only the personal data that is necessary to fulfill their intended purposes. It prevents unnecessary data collection and ensures data is used only for the stated reasons.

Notification Obligation

The obligation to inform individuals about the purposes for which their personal data is being collected and processed.

Consent Obligation

The obligation to obtain individuals' explicit consent before collecting and processing their personal data. It involves informing people about the data collection and obtaining their clear agreement.

Accuracy Obligation

The obligation to ensure that personal data is accurate and up-to-date. This involves verifying data, allowing individuals to correct errors, and conducting regular updates.

Data Minimization

The principle of ensuring that data is collected and used only for the intended purpose, and not extended to other purposes without the individual's consent.

Access and Correction Obligation

The obligation to provide individuals with access to their personal data and the right to request corrections if it is inaccurate. It allows individuals to check and control their own information.

Data Portability Obligation

The obligation to allow individuals to receive their personal data in a portable format so they can easily transfer it to another service provider. This gives users more control over their data.

DPO (Data Protection Officer)

A designated person responsible for overseeing and advising an organization on data protection matters. They ensure compliance with data protection laws and principles.

Personal Data Inventory Map

A record that tracks the sources of personal data, how it is collected, processed, and where it flows within an organization.

Personal Data Flow Diagram

A visual representation showing the movement of personal data within an organization. It maps the steps involved in data collection, processing, storage, and transfer.

Study Notes

Managing Risks

  • Organizations identify risks associated with collecting, using, disclosing, and storing personal data.
  • Controls are put in place to manage these risks.
  • Organizations implement a combination of phase controls (prevention, detection, response) and functional controls (proactive, detective, reactive) to minimize risk.
  • Managing risks created by data intermediaries and third-party risks is crucial, including due diligence and contractual protection.
  • Data Protection by Design (DPbD) and Data Protection Impact Assessments (DPIAs) are used for proactive risk management.
  • The term "risk" has different meanings in various contexts, and the Data Protection Officer (DPO) should be aware of these differences.

Developing a Risk Management Strategy and Controlling Risks

  • Organizations need to develop a strategy to implement their Data Protection Management Plan (DPMP).
  • "Risk" can refer to security gaps in a system, weaknesses, vulnerabilities, threats to a system, the likelihood of events/incidents/attacks, compliance gaps, and investigations/complaints.
  • Organizations manage risks by modifying, retaining, avoiding, or sharing them.
  • Risk management involves minimizing the likelihood of a risk occurring and its impact if it does occur.
  • Expert risk management input is needed to help determine appropriate actions and controls relevant to the organization.

Four Common Ways Organizations Respond to Risk

  • Risk modification/reduction: creating controls to reduce risk likelihood or impact.
  • Risk retention: accepting risk and keeping business as usual.
  • Risk avoidance: removing the risk source.
  • Risk sharing: distributing risk with others (e.g., insurance).

Technical, Administrative, and Physical Controls

  • Technical controls use technology to control access, use, and disclosure of personal data (e.g., anti-virus, encryption).
  • Administrative controls address human factors (e.g., policies, procedures, employee training).
  • Physical controls limit access to physical resources (e.g., security guards, locked doors).

Technical, Administrative, and Physical Controls (Further detail)

  • Proactive/Preventative controls aim to prevent risks from occurring.
  • Detective controls detect risks if they occur.
  • Reactive/Corrective controls rectify situations after the risk has occurred.
  • Standard Operating Procedures (SOPs) are tailored to specific organizational needs, and examples are provided related to consent, notifications, and retention limits.

Managing Data Intermediary Risks

  • Organizations must conduct due diligence on proposed intermediaries to ensure compliance with the PDPA.
  • Contracts with intermediaries should contain strong PDPA protections.
  • Data security arrangements should protect personal data handled by the intermediary.
  • Senior management should understand the risks of outsourcing and develop measures to mitigate them.
  • Organisations needing vendors to process data need to communicate PDPA compliance requirements during selection.
  • Due diligence includes reviewing vendors' policies and practices to ensure they comply with the PDPA, conducting risk assessments, and confirming adequate security measures.

Managing Risks Relating to Data Sharing

  • Sharing data among departments, or to other organisations (e.g., data intermediaries, business partners) requires careful risk management.
  • In some cases, consents from individuals might be deemed or may not be required for data sharing depending on whether it is within the same organization, or is among different organisations within the same group.
  • The organisation should manage the risks arising from data sharing within the same organisation and among the organizations in the same corporate group. Special emphasis should be placed on the risk of data sharing with a third party organization.
  • Be aware of the different types of data sharing and the necessary considerations for each scenario.

Managing Risks Relating to Outsourcing IT Services

  • Organizations should ensure their IT service providers (SPs) comply with personal data protection requirements.
  • Organisations can choose between bespoke and ready-made solutions.
  • Ready-made solutions require understanding capabilities, features, and limitations.
  • Organisations must plan for training, security, and responsibilities in relation to outsourcing IT services.
  • Security measures in place in relation to outsourced software and hardware are important considerations for the organisation.

Managing Risks Relating to Existing ICT Systems and the Development of New ICT Systems

  • Consider data protection during the design, development and implementation of IT systems.
  • Risk assessments and safeguards are necessary.
  • Minimising personal data collection, implementing access controls, and data housekeeping procedures help prevent risks.
  • Thoroughly review existing systems to identify data protection issues.
  • Redesign existing systems to enhance data protection measures.

Managing Risks to Personal Data in the Electronic Medium

  • Organisations need sufficient technical measures to protect personal data in an electronic environment.
  • Implementing good practices is also necessary to protect personal data.
  • The type of personal data, the risk and impact of unauthorized access, the form of the data, and relevant industry requirements should be considered when deciding on security measures.

Managing Risks to Personal Data in Transit / Accidental Disclosure

  • Organizations should have appropriate procedures in place when transmitting personal data to other organizations, to avoid incorrect or unauthorized recipients and data leakage.
  • Maintaining accurate recipient information, adhering to established procedures, and using appropriate measures to validate the information sent are essential to avoid risks relating to data in transit and accidental disclosure.
  • Organisations must verify data for correctness, accuracy and completeness, and take precautions prior to sending in order to minimize the risk of errors from automated processes.

Managing Risk Using Anonymization

  • Anonymization is a method to remove personally identifiable components from personal data.
  • Different techniques for anonymization are discussed.
  • Organisations must ensure that the techniques used effectively remove personal identifiers to avoid re-identification.
  • Re-identification risks need to be analysed and mitigated with safeguards.

Description

This quiz explores the essential components of managing risks associated with personal data. It covers organizational strategies for risk identification, the implementation of controls, and the importance of data protection frameworks like DPIAs. Understand how Data Protection by Design (DPbD) plays a critical role in mitigating these risks.