How {not} to lose data in the face of GDPR
By utnvrrv, on 25 November 2019
GDPR has now been around for 18 months and is going to stay with us for a while.
The objective of this post is to emphasise how we can protect the data entrusted to us while managing technological change.
Data retention – Let’s delete everything and start afresh!
This means that all information is lost and there aren’t any records to back up any decisions that have been made about the research, not to mention that we’ve lost all the patient data that the project relies on. Let’s start again!
Top Tip! Categorise your data holdings. See the UCL Record Retention Schedule for further information.
Let’s just keep everything and not worry – Storage is cheap?
This could fall foul of established data retention policies. If there isn’t one for your specific area of work (record set), it would be a good idea to establish a data retention policy. The more data that is stored, the larger any breach would be, and the stored data may include data that is no longer required.
Top Tip: Review your data holdings now.
Data Security – Let’s encrypt everything!
What would happen if the key (password/passphrase) was lost, misplaced or forgotten? Maybe a colleague left and forgot to share the password. In this case access to the data would be lost permanently. If the data is encrypted correctly (long passphrase and the key stored securely) and the passphrase is unavailable, it would be difficult to break the encryption. Encrypting everything without a plan is definitely not a good idea if funding depends on the information that we hold about subjects.
Top tip: Use password management software to store and share passwords securely.
Running a legacy Operating System
This isn’t much of a problem unless the machine exchanges information by being connected to the network or the internet, or by having external USB drives plugged in. A legacy platform, also called a legacy operating system, is an operating system (OS) no longer in widespread use, or one that has been supplanted by an updated version of earlier technology. These older operating systems or applications may have security vulnerabilities because security patches are no longer available or have not been applied. This puts information at risk from a malware infection, as the malware could encrypt the data or even mangle it in a way that it is no longer usable. Even with backups (possibly also infected), the risk of losing critical research data is quite high. Article 32(1)(b) of the GDPR states that (C)onfidentiality, (I)ntegrity, (A)vailability of the data should be assured. Please see the information from the Information Commissioner’s Office in the Useful links section below.
Top Tip: Conduct a risk assessment.
Running a self-managed machine
If you have administrator rights on your machine and the machine isn’t patched frequently with the latest patches, there is a very high risk that some malware could infect your machine and encrypt all the data. If the machine is connected to the network, the malware could spread, thereby making everyone’s data unavailable. This is also covered by the ICO’s guidance and Article 32(1)(b) of the GDPR.
Top Tip: You are responsible for the patching of your machine; keep it updated.
Useful links:
UCL Policies – https://www.ucl.ac.uk/information-security/
Guidance from the Information Commissioner’s Office – https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
If you think that I’ve missed something or if there is an area that you would like to hear more about, then contact ISG: https://www.ucl.ac.uk/isvices/stay-secure