8 Data privacy, security, and protection

The increasing volume of digital data collected in today’s world necessitates robust protection mechanisms. Breaches can lead to devastating consequences, such as identity theft, financial loss, and potential public health risks, particularly in sectors like healthcare where patient privacy is paramount under regulations such as the General Data Protection Regulation (GDPR).

For institutions, safeguarding sensitive data is crucial for maintaining customer trust, preventing identity theft, and avoiding the loss of valuable customers due to data breaches.

8.1 Definitions

8.1.1 Data privacy

Data privacy is about controlling how your personal information is collected, used, and shared. It’s about protecting your right to know who has your data, how it’s being used, and who else it’s being shared with. Essentially, it’s the right to privacy in the digital world.

8.1.2 Data protection

Data protection encompasses the security strategies and processes designed to safeguard sensitive data against unauthorised access, misuse, corruption, and loss. It aims to maintain the integrity, availability, and confidentiality of data, while also ensuring compliance with relevant regulations and ethical standards.

8.1.3 Data security

Data privacy and data security are distinct but related disciplines. Both are core components of an institution’s broader data governance strategy.

Data privacy focuses on the individual rights of data subjects or the users who own the data. For organisations, the practice of data privacy is a matter of implementing policies and processes that allow users to control their data in accordance with relevant data privacy regulations.

8.3 Principles of data protection

Article 5 of the GDPR sets out key principles which lie at the heart of the general data protection regime. These key principles are set out right at the beginning of the GDPR and they both directly and indirectly influence the other rules and obligations found throughout the legislation. Therefore, compliance with these fundamental principles of data protection is the first step for controllers in ensuring that they fulfil their obligations under the GDPR. The following is a brief overview of the Principles of Data Protection found in article 5 GDPR:

8.3.1 Lawfulness, fairness, and transparency

Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.

8.3.2 Purpose Limitation

Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.

8.3.3 Data Minimisation

Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘Storage Limitation’ below).

8.3.4 Accuracy

Controllers must ensure that personal data are accurate and, where necessary, kept up to date, taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record the information they collect or receive and the source of that information.

8.3.5 Storage Limitation

Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

8.3.6 Integrity and Confidentiality

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

8.3.7 Accountability

Finally, the controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance.

8.4 Types of data security

To preserve the confidentiality, integrity and availability of sensitive information, organisations can implement the following data security measures:

8.4.1 Encryption

Encryption uses an algorithm and a key to transform readable data into an unreadable form, so that only authorised users who hold the key can read it. File and database encryption software serve as a final line of defence for sensitive volumes by obscuring their contents through encryption or tokenisation. Most encryption tools also include key management capabilities.

8.4.2 Data erasure

Data erasure uses software to completely overwrite the data on a storage device, making it more secure than standard data wiping, and verifies that the data is unrecoverable.

8.4.3 Data masking

Data masking allows organisations to let teams develop applications, or train people, using realistic data. It masks personally identifiable information (PII) where necessary, so that development can take place in environments that are compliant.
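As an added illustration that is not part of this chapter, the Python below masks the PII fields of a constructed customer extract before it is handed to a development team: names, e-mail addresses and phone numbers are replaced by keyed, deterministic pseudonyms (so that the same person still maps to the same token across tables), non-identifying fields pass through, and a final check confirms that no original PII value survives. The sample records, field names and masking key are all assumptions.

```python
import hashlib
import hmac

# Constructed sample extract (fictional people) standing in for production data
# that a development team wants to work with.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "Alice@example.org", "phone": "+44 7700 900123", "account_tier": "basic"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org", "phone": "+44 7700 900456", "account_tier": "premium"},
    {"id": 3, "name": "Alice Example", "email": "alice@example.org", "phone": "+44 7700 900123", "account_tier": "basic"},
]

# Placeholder: in practice the key lives in a key store and never reaches the dev environment.
MASKING_KEY = b"placeholder-masking-key"

def pseudonym(value: str, length: int = 12) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins across
    tables still work, but the original cannot be recovered without the key."""
    digest = hmac.new(MASKING_KEY, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:length]

def mask_name(name: str) -> str:
    return f"Person {pseudonym(name)}"

def mask_email(email: str) -> str:
    # Keep a valid address shape; the domain is replaced so no real mailbox is reachable.
    return f"user-{pseudonym(email)}@masked.example"

def mask_phone(phone: str) -> str:
    """Replace every digit with a key-derived digit but keep spacing and the '+',
    so the field still looks and validates like a phone number."""
    token = pseudonym(phone, length=32)
    out, i = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(str(int(token[i % len(token)], 16) % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

MASKERS = {"name": mask_name, "email": mask_email, "phone": mask_phone}

def mask_record(record: dict) -> dict:
    """Mask only the PII fields; non-identifying fields pass through unchanged."""
    return {k: (MASKERS[k](v) if k in MASKERS else v) for k, v in record.items()}

def mask_records(records: list) -> list:
    return [mask_record(r) for r in records]

def contains_original_pii(originals: list, masked: list) -> bool:
    """Verification check before the extract leaves the compliant environment:
    no raw PII value from the source may survive in the masked output."""
    raw = {str(r[k]).strip().lower() for r in originals for k in MASKERS if k in r}
    return any(str(v).strip().lower() in raw for r in masked for v in r.values())
```

Because the pseudonyms are keyed, the masked extract can be refreshed from production later and still line up with earlier masked copies, while anyone without the key cannot map a token back to a person.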

8.4.4 Data resiliency

Resiliency depends on how well an organisation endures or recovers from any type of failure, from hardware problems to power outages and other events that affect data availability. Speed of recovery is critical to minimise the impact.

8.5 Summary

Data privacy, security, and protection are fundamental concerns in today’s digital landscape. They involve protecting personal information from unauthorised access, implementing robust security measures, and upholding ethical standards in data handling. Addressing these challenges effectively requires a holistic approach that integrates technical safeguards with ongoing education and ethical practices to maintain trust and prevent significant risks.