Protecting sensitive data is the end goal of almost all IT security measures. Two strong arguments for protecting sensitive data are to avoid identity theft and to protect privacy.
The more valuable the information in your database, the more likely it is to be targeted. If your records include sensitive or financial information that could facilitate fraud, your database will be more appealing to hackers who can use or sell this information for financial gain.
Why should we care about personal data?
Any information which can identify a living person and can be accessed or processed is personal data. Examples of personal data includes names, phone numbers, addresses, identity card numbers, photos, medical records, employment records and credit reports. Persons who control the collection, holding, processing or use of the data, known as data users should follow these six data protection principles to protect the rights of any individuals, known as data subjects.
The six data protection principles cover the life cycle of a piece of personal data from collection, retention, use to destruction.
Collection purpose and means
- Personal data should be collected for a purpose directly related to the function or activity of the data users. It must also be collected in a lawful and fair way.
- When personal data is collected, data subjects must be informed of the purpose of use of personal data and classes of transferees.
- Of course, data collected should be necessary but not excessive.
Accuracy and retention
- Data users must ensure personal data is accurate and should not be kept longer than necessary.
- Personal data must be used for the purpose for which the data was collected or for a directly related purpose.
- It cannot be used for a new purpose unless voluntary and explicit consent is obtained from the data subject.
Security and data destruction
- Moreover, data users need to adopt security measures to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.
- Data users must make personal data policies and practices known to the public regarding the types of personal data they hold and how the data is used.
Data access and correction
- On the other hand, data subjects have the right to request access to and correction of their personal data.
If the data user contravenes these six data protection principles the Privacy Commisioner may serve an Enforcement Notice on it directing it to remedy the contravention.
None-compliance with the Enforcement Notice is an offence. An individual who suffers damage by reason of a contravention of the Ordinance may seek compensation from the data user concerned through civil proceedings.
Personal information is like money. Value it. Protect it.