Organizations use data protection practices to demonstrate to their customers and users that they can be trusted with their personal data. Learn about key data protection and privacy principles and how to apply them in your day-to-day with this starter Qstream microlearning course.
Data Protection & Privacy Principles
Navigate through the Qstream questions below to preview. Each challenge is designed following Qstream’s best practices for maximum knowledge reinforcement and engagement. This Qstream is free for clients to use as a starting point.
You have been working on a spreadsheet that analyses customer trends. The information will be used to help identify whether there are any other customer needs that the company can help to meet. You are trying to assess how confidential the data contained in the spreadsheet is.
What is the best way to proceed?
Answer explanation:
The safest way to proceed is to assume that the content of the spreadsheet should be treated as confidential information until it is indicated to you that this categorization should be changed. It is far better, in cases of doubt, to assume that information should be treated confidentially than to assume that it should not.
The data protection officer will be concerned as to whether the spreadsheet contains the personally identifying information of any individuals. Personal data is data relating to a living individual who is or can be identified, either from the data itself or from the data combined with other information. Even if the information contained within the spreadsheet is not enough, on its own, to identify an individual, if the data in the spreadsheet can be used in conjunction with other information that is in our possession, or is likely to come into our possession, it may still be considered personal data.
The information security manager will be concerned as to whether the spreadsheet contains any commercially sensitive or confidential information.
In the first instance, there is no need to contact the data protection officer or information security manager as long as you assume the information should be treated confidentially.
A colleague recently took a job with another company. You get a phone call from someone claiming to be from your colleague’s new employer. The person asks your opinion about your former colleague.
What should you do?
Answer explanation:
As an employee, you are entitled to the same confidential treatment of your personal information as anyone else. Therefore, if anyone calls looking for “off the record” information about a former employee, the matter should immediately be referred to the human resources department, which will have access to the employment record of the former employee.
It is not appropriate for you to comment on your opinion of your former colleague. This will be your personal opinion and will not reflect the company’s opinion of the capabilities of the former employee.
Additionally, unless you have some way of validating the authenticity of the person who has called, you might be providing confidential information about a former employee to anyone at all, potentially causing a data protection breach.
You might be inclined to call your former colleague to let them know that someone has been calling about them but the matter is best left to the human resources department.
Right after you send an email to a supplier, you realize that you accidentally attached the wrong spreadsheet. It has confidential customer contact details.
What should you do now?
Answer explanation:
Accidentally emailing the wrong information is one of the most common forms of data breach. Although the information may have been confidential, this does not necessarily mean that a data breach (under data protection legislation) has taken place, because that will depend on the exact nature of the information contained within the spreadsheet that was emailed in error.
It is important to report all such incidents to the data protection officer so that they can evaluate whether a breach has taken place. The data protection officer will be best placed to look at the content of the spreadsheet and decide on the best course of action.
In the case outlined here, it is not advisable to have any communication with the supplier about the matter until the nature of the breach has been determined by the data protection officer.
You attend a meeting for a project you’re working on. You’re asked to circulate the meeting minutes. Attendees included representatives from the vendors involved in the meeting.
What’s the best thing to do?
Answer explanation:
Data is categorized based on the impact on the organization or an individual of a breach of confidentiality, integrity, or availability of the data. In each case, the impact is categorized as “Low”, “Medium” or “High”. If, in a given case, the implications of a breach of confidentiality are “High”, the data falls into the highest security category.
The nature and substance of the meeting will determine which category the minutes should fall into. In the case of most meetings, the impact of the loss of confidentiality, integrity, and availability will be “Low” and therefore the lowest category of restricted data classification should be applied.
For the purposes of emailing the minutes, therefore, the document should be marked confidential and circulated by email. If the confidentiality of the discussions was higher, consider encrypting the contents for transmission.
There is no need to contact the data protection officer (it is unlikely that the minutes of a meeting contain information relating to any data subjects) or the information security manager (circulating minutes is, in most cases, a business-as-usual activity and should be handled according to established processes).
You receive a phone call from someone who asks for a copy of all the information that your company has about them. The person says that they have a right to access this information under data protection law.
What should you do?
Answer explanation:
An individual that your company holds information about is called a data subject. A data subject has the right to request a copy of all information that you hold about them, including the reason you are holding that information. When an individual makes a request like this, it is called a subject access request.
The best thing for you to do is to refer any incoming subject access requests to the data protection officer.
While it is true that a subject access request must be made in writing, there is no need for you to inform the individual about this. The data protection officer will be familiar with the process of handling incoming subject access requests and will be able to inform the individual how they need to proceed. As a matter of courtesy, you can take the individual’s contact details and provide them to the data protection officer.
You should not provide the individual with any information that you are aware of until the data protection officer has had the opportunity to examine the incoming subject access request. The data protection officer will manage the process of assembling all of the data that the company holds about the individual.
The data protection officer may require proof of identity before processing the subject access request but it is not up to you to perform this validation. Your best course of action is to refer the matter to the data protection officer.
You receive a call from a person closely related to one of our customers (wife, parent, etc.). The person requests information regarding our relationship with the customer.
What’s the best thing to do?
Answer explanation:
Our relationship is with our customers and our responsibility is to them to keep their data confidential. We do not know what the implications of providing information to any third party, including a closely related third party, would be. Therefore, we cannot provide any information to a third party without the written consent of our customer.
This should be politely explained to the third party on the phone, but no information about our customer should be provided under any circumstances.
It is not appropriate to call the person back or to call the customer and ask for permission to provide information. It is also not necessary to contact the data protection officer.
You’ve been helping to develop a new product service that your company is considering offering to its customers. As part of the service, a third party conducts an analysis of customer data. You’re in the process of negotiating with the third party. From a data protection standpoint, it is most important to make sure that __________.
Answer explanation:
As the controller of the data, it is our responsibility to make sure that any third parties that will be processing the data on our behalf have appropriate security measures, equivalent to the security measures we would put in place ourselves. Contact the Data Protection Office for guidance on the issues that the contract with the third party must cover.
As well as having a contract in place, it may be necessary for our information security team to satisfy themselves that the third party has appropriate technical controls in place to ensure that the data will be held securely by the third party. A third-party due diligence process is in place and will typically involve a security assessment of the third party’s organization and possibly technical testing of the third party solution to ensure that the data will be held securely.
It is not important how long the company has been in business as long as the data protection and information security controls that it has in place are adequate. It is also not important, from a data protection point of view, whether the third party’s services offer value for money.
You’re helping develop a new product and think some of our existing customers may be interested.
What is your next step, from a data protection standpoint?
Answer explanation:
It is a principle of data protection that information should only be used for the purpose for which it was provided. Unless we have explicit consent to contact a customer with information about other services that we offer, it is not appropriate to do this.
Therefore, the best thing to do is to see which of our customers have given consent to be approached with information about other services.
It does not matter where in the billing cycle the customer is. Nor does it matter how the contact is made: phone, email, etc.
You’re planning a new service. In order to provide this new service, you need to decide what kind of information you need from prospective customers.
What’s the best approach?
Answer explanation:
There is a principle of data protection that the data gathered about a person should be adequate, relevant and not excessive. Therefore, it is not appropriate to gather any data you think you might need, “just in case”.
You should consider exactly what data will be required to provide the service and only gather that data.
It does not matter what data people are prepared to provide, it only matters what data is required to provide the service. Therefore, surveying customers to find out what they would provide is not an appropriate approach.
It is also better to consider in advance what data will be required to provide the service, instead of gathering a small amount now and seeking consent to gather more later if required.
How should you throw out a printed spreadsheet that contains confidential data?
Answer explanation:
Confidential data should be disposed of in a secure way. Therefore, the document should either be immediately shredded or placed in a secure disposal bin for shredding.
After 10 years, your company has decided to stop offering a particular service.
What should be done with the customer data associated with the service?
Answer explanation:
It is a principle of data protection that data should be retained for no longer than is necessary to perform the purpose for which it was provided. Since the service is now being discontinued, any customer data that has been provided to us solely for the purpose of providing that service must now be disposed of.
Most companies have a policy of retaining personal data for a period of time (typically, say, 90 days) after the purpose for which it was provided has been completed, before deleting the data. This is to allow for the possibility of the data being present in business-as-usual backups of data. After the retention period, all copies of the data (including backups) should have been deleted.
However, it is possible that the customer is also using some of our other services, so it is not appropriate to automatically delete the data of all customers who were using the service.
It is also not appropriate to retain the data for future reference. Data must be deleted once the purpose for which the data has been provided is complete.
It is also not appropriate to contact the customer with offers to subscribe to other services because this was not the reason for which the data was gathered in the first place. If the customer has separately consented to receive marketing material about other products and services, this is acceptable.