Data Protection Act and Conducting International Trade - Assignment Example

Data Protection Act and Conducting International Trade Introduction Going by the PIPED Act, an individual's consent or permission is necessary for any disclosure of data to a third party. All Canadian organizations are subject to the PIPED Act, and are liable and responsible for complying with the information therein, the physical location of the information notwithstanding. Organizations have to ensure that their foreign operations are carried out in the same manner as those used for their operations in Canada. (http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/adequacy-faq_en.htm) In cases where there is disclosure of information to a third party outside Canada for processing, the Canadian organization in question must have permission or consent to do so. It is necessary to ensure that every organization’s foreign organization follows the same requirements that would apply for Canadian operations, if the information is being transferred for processing. This can be achieved by entering into a contract or legal agreement with the other party “and adherence to the agreement that the foreign organization must work by the requirements of the Act, the OECD is an instance of such agreements.” (http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/adequacy-faq_en.htm) Many members of the OECD in the European now have legislations in place, which apply the Privacy Protection Guidelines to the private and public sectors. As a result of this, the most recent OECD analysis on access and supply rights recognizes that: 1. Governments may have a right to block the transfer or broadcast of information between a supplier and potential customer(s) if the information may be considered to endanger national security or to conflict with societal norms on censorship or data protection 2. Third party individuals may require the right to block transfer or broadcast of information between a supplier and potential customer(s) if the information relates to the privacy of the individual. (OECD, 1990, pp. 47) Impact of the Data Protection Act on Security Functions Every organization considers its data pool and its information resources to be invaluable assets, and thus will apply the necessary security strategies in order to protect its information in a way to safeguard its interests. The data protection act helps in avoiding any breach of security that might affect data privacy. The Data protection act requires the implementation of standardized strategies for a secure data management. Every organization is required to assess its own security practices, because necessary security provisions might involve the development and implementation of security policies to protect private data and information. Thus, security policies help to ensure that the organization’s data privacy goals or requirements are met. The amount resources and effort utilized to achieve this will vary according to the size and nature of the organization. A flexible safeguard requirement has been formed in Canadian law, and a short documentation of how information is safeguarded can be found below: Security policy (design, implement and audit). Physical measurements (locked filing cabinets, restricting access to offices, alarm systems). Organizational controls (security clearances, limiting access on a “need-to-know” basis, staff training, and confidentiality agreements). Reviewing and updating security measures regularly. Technological tools (passwords, encryption, firewalls, safeguarding software). Training of Employee (Making employees aware of the importance of maintaining the security and confidentiality of personal information by holding regular staff training on safeguards). (http://www.nymity.com/privaworksdefinitions.asp) Developing a Security Plan with policies Having a security policy is instrumental in the formation of a secure organization, so a security policy is necessary to establish standards for what is permissible and what is not, within a company’s framework. Standards have to be established for protecting the network resources and for assigning program management responsibilities and providing basic rules and guidelines to be followed in the organization. A security policy contains various sections that can be categorized into sections. The first category outlines what parameters are to be used within the policy. The second category defines accreditation and risk assessment, while the third category outlines the rules and guidelines formed using the information from the second section. (Caroline_Reyes_GSEC v1.3, 2005, p. 3-4.) Physical security measurements It is very necessary to check all possible avenues that can lead to unauthorized access. Theft and damage of computer equipment, hardware and software might arise from internal, as well as external sources, and social engineering is another concern that must be taken into consideration. This may include Alarm systems, deployment of Biometric Technology, locked filing cabinets and restricted access to offices. Controlling Access Security control system must ensure that only authorized personnel are able to access office computers and computer files. Employees who need access to perform their work tasks should have a computer account and access to that which is relevant to their work responsibilities only. Storage of sensitive information A major purpose of the data protection act is to “extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.” (http://www.privcom.gc.ca/legislation/index_e.asp). Some information may be sensitive from a strategic point of view. An instance, personal information for both employees and customers, could be considered valuable and sensitive which may require special handling for storage and protection. (http://www.privacyguide.cebi.ca) Desktop security can be used to save sensitive information that is stored on individual or personal computers. This involves a process of computer deployment and the setting of best practices for use in workstations. Technological tools A password can be defined as a code that can be used to gain access into a secure or locked system. From a security conscious point of view, a good password is one that: Cannot be guessed easily, Contains upper and lower case letters, and Has characters that are Non-letters, which are not simple combinations. Back ups: Are one of the main concepts of data security strategy, it has a high priority in any good and proper plan. A recovery disaster strategy of data files is mainly based and relies on regular back-up procedures. Anti-virus tools: software searches incoming messages, data and your personal computer's memory for computer viruses and removes any that are found. This tool is a key to ensuring the safety of information and data that you receive from others and the data you keep on your personal computer. Software Patches: To update and upgrade the safeguards software in case of vulnerability has been discovered, related patches are released to recover any vulnerability. Regular check with vendors' Web sites for the latest available fixes will be sufficient. Encryption: is an electronic process of using an algorithm (a mathematical set of steps) and a key to enable systems to scramble information from a sender and then unscramble it at the receiving end. There are two types: symmetric key and asymmetric key. Asymmetric is also known as Public Key Infrastructure (PKI), which allows information to be transmitted confidentially and in a way that authenticates the sender. Firewalls: Generally, packet filtering firewall or proxy/application firewalls are set up to protect against unauthorized access from the outside world. Firewalls provide an important logging and filtering function, often they provide reports about what kinds and amount of traffic passed through it, how many attempts there were to break into it. Others: Secure Socket Layer (SSL), Virtual Private Network, remote Access, web security, monitoring, detection and containment, Intrusion Detection software (IDS) they all provide network administrators with insight into activity on their networks, and provide them with an "alarm" system that identifies potentially malicious network traffic. Awareness training Policies are useless if they are not followed in a proper manner, and individuals’ actions and behavior do play a big role in policy success. The first rule of implementation is making sure that people who have access to information and systems are aware of and well trained in what the suitable controls are, what security is required, and why it's important to follow them. Updating security measurements Policies and security measurements must be reviewed regularly to cover the new vulnerabilities and violations. This is an essential issue to enhance the security strategy. (http://www.privacyguide.cebi.ca) Conclusion Since the data protection act is designed to protect personal data stored on computers from misuse, it is essential to control the flow of information, and to give legal rights to organizations or individuals who have information stored about them. This will go along way in alleviating the fear and worries inherent in the abuse of data if it gets into the wrong hands. This report discusses a number of concerns about who is allowed to access information, how the data protection act can help to ensure data privacy, and the requirements placed on individuals and organizations in order to meet major security principles, due to the necessity to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves References Caroline_Reyes_GSEC v1.3, 2005, p. 3-4. http://www.privacyguide.cebi.ca http://www.privcom.gc.ca/legislation/index_e.asp http://www.privcom.gc.ca/information/guide_e.asp http://www.nymity.com/privaworksdefinitions.asp http://canada.justice.gc.ca/en/news/nr/1998/attback2.html http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/adequacy-faq_en.htm OECD, 1990, pp. 47 Read More