
Assignment Item 4 Privacy & Data Strategy


Assessment item 4

Privacy & Data Strategy

Value: 25%

Task

Scenario

The Department of Administrative Services (DAS) provides a number of services to other departments in an Australian State Government. These services include HR and personnel management, payroll, contract tendering management, contractor management, and procurement. These services have all been provided from the Department’s own data centres. 

As a result of a change in Government policy, DAS is moving to a “Shared Services” approach. This approach will mean that DAS will centralise a number of services for the whole of Government (WofG). This means that each Department or Agency that runs one of these services for its own users, will be required to migrate its data to DAS so that it can be consolidated into the DAS centralised database. DAS will then provide these consolidated services to all other Departments and Agencies within the Government.

Another Government policy mandates a “Cloud first” approach to the process of updating or acquiring software or services. Following these strategic policy changes from Government, DAS has decided to:

  • Purchase an HR and personnel management application from a US based company that provides a SaaS application. 
    • The application will provide DAS with a complete HR suite, which will also include performance management. The application provider has advised that the company's main database is in California, with a replica in Dublin, Ireland. However, all data processing, configuration, maintenance, updates and feature releases are provided from the application provider's processing centre in Bangalore, India.
    • Employee data will be uploaded from DAS daily at 12:00 AEST. This will be processed in Bangalore before being loaded into the main provider database.
    • Employees will be able to access their HR and Performance Management information through a link placed on the DAS intranet to the HR platform portal. Each employee will use their DAS digital ID to authenticate to the HR and Performance Management system. The internal digital ID is generated by the DAS Active Directory instance and is used for internal authentication and authorisation.
    • It is proposed that the link to the HR platform on the DAS intranet will be an SSO (Single Sign On) link to the HR platform portal. Authentication will be made using the user's agency ID credentials. DAS will need to use Active Directory Federation Services (ADFS) to federate to an Azure AD instance for authentication and authorisation. This authentication process will be validated with a SAML 2.0 certificate.

Tasks

After your successful engagement to provide a security and privacy risk assessment for the DAS, you have again been engaged to develop privacy and personal data protection strategies for DAS. 

You are to write a report that proposes appropriate policies for DAS in the following areas:

  1. Develop a Privacy strategy proposal for DAS. The strategy should include the following items:
    1. Management of personal information,
    2. Collection and management of solicited personal information,
    3. Use and disclosure of personal information,
    4. Use and security of digital identities, 
    5. Security of personal information,
    6. Access to personal information, 
    7. Quality and correction of personal information.
  2. The controls that you recommend that would:
    1. Mitigate the previously identified privacy risks,
    2. Implement the privacy strategy.
  3. Develop a personal data protection strategy proposal for DAS. This strategy should include:
    1. Protection of personal information,
    2. Authorised access & disclosure of personal information,
    3. Use of personal digital identities,
  4. The controls that you recommend that would:
    1. Mitigate the previously identified data security risks,
    2. Implement the personal data protection strategy.

You are to provide a written report with the following headings:

  • Privacy strategy for personal data
  • Recommended privacy controls
  • Personal data protection strategy
  • Recommended personal data protection controls.

As a rough guide, the report should not be longer than about 5,000 words.

Rationale

This assessment task will assess the following learning outcome/s:

  • be able to examine the legal, business and privacy requirements for a cloud deployment model.
  • be able to evaluate the risk management requirements for a cloud deployment model.
  • be able to critically analyse the legal, ethical and business concerns for the security and privacy of data to be deployed to the cloud.
  • be able to develop and present a series of proposed security controls to manage the security and privacy of data deployed to the cloud.
  • be able to develop and present a cloud governance framework to underpin the cloud operations for an enterprise.

Marking criteria and standards

Grades: HD (High Distinction), DI (Distinction), CR (Credit), PS (Pass), FL (Fail).

Q1. Privacy strategy for personal data (25 marks)
  • HD: Comprehensive development of policy covering all aspects, with excellent discussion of threats and risks to privacy of data.
  • DI: Thorough development of policy covering most aspects, with proficient discussion of threats and risks to privacy of data.
  • CR: Detailed development of policy covering most aspects, with good discussion of threats and risks to privacy of data.
  • PS: Adequate development of policy covering some aspects, with some discussion of threats and risks to privacy of data.
  • FL: Incomplete or inadequate development of policy covering few aspects, with little or no discussion of threats and risks to privacy of data.

Q2. Recommended privacy controls (25 marks)
  • HD: Comprehensive evaluation and matching of privacy threats with controls showing excellent logical analysis.
  • DI: Thorough evaluation and matching of privacy threats with controls showing proficient logical analysis.
  • CR: Detailed evaluation and matching of privacy threats with controls showing good logical analysis.
  • PS: Adequate evaluation and matching of privacy threats with controls showing satisfactory logical analysis.
  • FL: Incomplete or inadequate evaluation and matching of privacy threats with few controls and little or no logical analysis.

Q3. Personal data protection strategy (25 marks)
  • HD: Comprehensive evaluation and matching of data protection threats with controls showing excellent logical analysis.
  • DI: Thorough evaluation and matching of data protection threats with controls showing proficient logical analysis.
  • CR: Detailed evaluation and matching of data protection threats with controls showing good logical analysis.
  • PS: Adequate evaluation and matching of data protection threats with controls showing satisfactory logical analysis.
  • FL: Incomplete or inadequate evaluation and matching of data protection threats with few controls and little or no logical analysis.

Q4. Recommended data protection controls (25 marks)
  • HD: Comprehensive evaluation and matching of data protection threats with controls showing excellent logical analysis.
  • DI: Thorough evaluation and matching of data protection threats with controls showing proficient logical analysis.
  • CR: Detailed evaluation and matching of data protection threats with controls showing good logical analysis.
  • PS: Adequate evaluation and matching of data protection threats with controls showing satisfactory logical analysis.
  • FL: Incomplete or inadequate evaluation and matching of data protection threats with few controls and little or no logical analysis.

Referencing & Presentation
  • Up to 5 marks may be deducted for incorrect or incomplete referencing.
  • Up to 5 marks may be deducted for poor presentation, spelling and grammar.

Presentation

The required report headings and the 5,000-word guide are listed under Task above.

Requirements

Each student is required to make a submission through Turnitin when their group assignment is complete. This submission should contain:

  • Student name
  • Assignment number
  • Assignment file name

This will allow you to receive marks and feedback when your team assignment is marked.

Sample Solution

Personal Data Protection strategy of the Charity:

  • Information must be fairly collected and all donors must be provided with adequate notice of how their personal data will be processed.
  • If a charity has information about people and wishes to use it for a new purpose, the charity is obliged to give an option to individuals to indicate whether or not they wish their information to be used for the new purpose.
  • Only the minimum necessary personal data should be sought by charities.
  • The retention of PPSNs by charities other than in relation to donations where relief is still owed is a breach of the Data Protection Acts 1988 & 2003.
  • Charities should implement a comprehensive retention policy for all records containing the personal data of donors, beneficiaries, registered campaigners etc.
  • All marketing preferences should be accurately recorded and respected.

1) Donor Databases

Donors and volunteers are the lifeblood of all charities and the Office of the Data Protection Commissioner acknowledges their importance and the care that is taken by charities to manage and sustain these personal relationships, on a lifelong basis in some cases.

A fundamental principle of data protection is 'fair obtaining and processing':

"the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly"
(section 2(1)(a) of the Data Protection Acts 1988 & 2003)

'Fair obtaining' means that an organisation collecting personal data must collect and use the information fairly. This provision requires that at the time of providing personal information, individuals are made fully aware of:

  • the identity of the persons who are collecting it (though this may often be implied);
  • to what use the information will be put;
  • the persons or category of persons to whom the information will be disclosed.

Secondary or future uses, which might not be obvious to individuals, should be brought to their attention at the time of obtaining personal data. Individuals should be given the option of saying whether or not they wish their information to be used in these other ways.

Donations received Online

In an online environment, there is a clear opportunity to capture the consent of an individual to have their donation recorded for tax relief and other stated purposes. Alternatively, the charity can provide an opt-out to allow them not to have their donation recorded at all. Notice of whatever the practice of the charity is with regard to the recording of donations should be made available to the donor up-front.

The Office of the Data Protection Commissioner advises charities that if an individual is making a credit or laser card donation online they should be provided with notice to the effect that their details will be entered onto the charity’s donor database, if this is the practice of the charity concerned.

An opportunity should be provided for the donor to opt-out from having their details recorded on the donor database. In this way once payment reconciliation and auditing requirements have been met, the details would no longer be retained by the charity.  

Donations received over the Phone

For credit or laser card donations made over the phone, the Office considers there is a clear opportunity to capture the consent of an individual to have the donation recorded for tax relief purposes or other stated purposes. Alternatively, the charity could provide an opt-out at the end of the call to allow them not to have their donation recorded on the donor database or in a follow up letter to the phone call.

The Office of the Data Protection Commissioner advises charities that if an individual is making a credit or laser card donation over the phone they should be provided with notice to the effect that their details will be recorded onto the charity's donor database, if this is the practice of the charity concerned.

Donations made by Direct Debit

• It is recommended that Direct Debit forms are amended where needed to highlight the tax calculation purpose. Direct debit donors should be provided with the opportunity to opt out from having their donation recorded on the donor database.

2) Personal Public Service Numbers (PPSNs)

The Office of the Data Protection Commissioner is aware that Section 848A of the Taxes Consolidation Act 1997 (TCA 1997) provides for a scheme of tax relief for certain “eligible charities” and other “approved bodies” in respect of donations received on or after 6 April 2001. This scheme is administered by the Charity Claims Unit in the Office of the Revenue Commissioners.  

The Office of the Data Protection Commissioner acknowledges that this tax relief scheme has a specific legal basis but retains a fundamental concern that PPSNs collected and retained by charities for tax relief purposes are being integrated onto the charities’ ‘donor databases’. This practice first came to light in 2008 during the course of an audit of a charity and the charity was immediately instructed to discontinue this practice as part of the audit findings and recommendations.

3) Fundraising & Marketing

Overall, the Office of the Data Protection Commissioner found that a high degree of compliance was in evidence in the sector with regard to direct marketing. Clear evidence that the preferences of individuals were actively respected at all times was observed. Charities sought to capture the consent of individuals to be marketed to (or not) from the outset of the relationship with a donor. Also, the charities demonstrated clarity and transparency with regard to the channels through which an individual might be contacted, and this is to be commended. As general advice for the sector, the Office of the Data Protection Commissioner recommends:

• Consistency with regard to marketing opt-ins and opt-outs should be applied across all channels, taking into account the specific legal requirements with regard to electronic communications, because unsolicited electronic marketing is a criminal offence. For example, all e-mail and SMS messages should contain an 'unsubscribe' opt-out at the bottom of each message.

4) Data Retention

Section 2(1)(c) of the Data Protection Acts 1988 and 2003 provides that a data controller shall not retain personal data longer than is necessary for the purpose or purposes for which it was obtained. It is the responsibility of a data controller to implement a comprehensive retention policy for all records containing the personal data of donors, beneficiaries, registered campaigners, etc.

A schedule listing all records featuring personal data should be drawn up by each charity containing maximum retention periods for each type of document, file set or database featuring personal data. Non-active donor details should be removed from databases.

5) Security

On the security side, the retention of data gleaned from credit card donations for any function other than payment and reconciliation would not be considered to be in compliance with the Acts. There is no justification for the integration of any details of once-off donors into a donor database other than to document the amount donated and classify the donation as a once-off credit card donation. Any such practices beyond this increase organisational risk in terms of security and the damage that would be incurred if a data breach of donor data were to take place by means of a theft or loss of donor data. The same applies to the recording of bank account numbers (except where required for direct debit purposes).

Where a donation is being made by standing order from a bank account, the bank account details should be stored or held in a masked or encrypted format.

Removable media: drives and ports should be disabled or restricted unless there is a clear business need to have them available to certain staff.

Individual user logins should be in use at all times as opposed to generic logins.

All access to personal data on donor databases should be restricted and subject to monitoring.

Monitoring measures should be made known to staff to discourage inappropriate access.  
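As an added example (not part of the assignment or of the DPC guidance quoted above), the following Python sketch implements the storage, login and monitoring controls of this section together with the retention sweep from section 4; the matching key, the list of shared logins and the retention period are assumed values.

```python
# Added example, not part of the assignment or of the DPC guidance it quotes.
# Bank account numbers are held only masked plus a keyed one-way token (so a
# standing-order payment can still be matched to its donor); every look-up needs
# an individual login and is logged; a retention sweep drops non-active donors.
import datetime as dt
import hashlib
import hmac
from dataclasses import dataclass, field

MATCHING_KEY = b"assumed-per-deployment-secret"   # assumed; hold in a secrets store
RETENTION_DAYS = 2 * 365                          # assumed figure from the schedule
GENERIC_LOGINS = {"admin", "shared", "reception"}  # assumed shared accounts to refuse

def mask_account(account: str) -> str:
    """Display form: only the last four characters survive."""
    digits = account.replace(" ", "").upper()
    return "*" * (len(digits) - 4) + digits[-4:]

def account_token(account: str) -> str:
    """Keyed one-way token (HMAC-SHA256); the account number itself is not stored."""
    digits = account.replace(" ", "").upper()
    return hmac.new(MATCHING_KEY, digits.encode(), hashlib.sha256).hexdigest()

@dataclass
class DonorRecord:
    donor_id: str
    masked_account: str
    account_token: str
    last_donation: dt.date

@dataclass
class DonorDatabase:
    records: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def add_standing_order_donor(self, donor_id, account, last_donation):
        self.records[donor_id] = DonorRecord(donor_id, mask_account(account),
            account_token(account), dt.date.fromisoformat(last_donation))

    def lookup(self, user_id: str, donor_id: str):
        # Individual (non-generic) login on every access, and every access logged.
        if not user_id or user_id.lower() in GENERIC_LOGINS:
            raise PermissionError("individual user login required")
        self.access_log.append((dt.datetime.now(dt.timezone.utc), user_id, donor_id))
        return self.records.get(donor_id)

    def match_payment(self, account: str):
        # Reconcile an incoming payment by token, never by a stored account number.
        token = account_token(account)
        return next((r.donor_id for r in self.records.values()
                     if hmac.compare_digest(r.account_token, token)), None)

    def retention_sweep(self, today: str) -> list:
        # Remove donors with no donation inside the retention period.
        cutoff = dt.date.fromisoformat(today) - dt.timedelta(days=RETENTION_DAYS)
        stale = [d for d, r in self.records.items() if r.last_donation < cutoff]
        for d in stale:
            del self.records[d]
        return stale
```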

6) Third party ‘data processors’

If a charity uses a third party to process personal data on its behalf (for example, a call centre, printing company or IT service provider), then the processing of such data must be covered by contract. The contract should stipulate at least the following:

• the conditions under which data may be processed;

• the minimum security measures that the data processors must have in place.

7) Access Requests

Under Section 4 of the Data Protection Acts 1988 & 2003, any individual has the right to request a copy of any data held about them. This applies to all types of information – for example, written details about a person held electronically or on paper, photographs and CCTV images.

An individual is also entitled to know where the information was obtained, how it has been used and if it has been passed on to anyone else. A person can exercise their rights of access by writing to the charity. They do not need to quote the Data Protection Acts, but the Office of the Data Protection Commissioner would always advise that they do so and include any additional details that would help the charity to locate their information. The charity is entitled to ask for evidence of identity and to charge a fee, but this cannot exceed €6.35.  

8) Sensitive Data

The Data Protection Acts 1988 & 2003 place a particular focus on any sensitive data that may be processed by an organisation. The Acts define sensitive personal data as personal data relating to:

(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,

(b) whether the data subject is a member of a trade-union,

(c) the physical or mental health or condition or sexual life of the data subject,

(d) the commission or alleged commission of any offence by the data subject, or

9) Data Protection Policies

One key point of contact employed within the charity should be tasked with co-ordinating data protection policy and compliance issues.  

Every charity should draw up a Data Protection Privacy Policy. A Privacy Policy documents an organisation’s application of the eight data protection principles to the manner in which it processes data organisation-wide. The policy applies to all personal data processed by the organisation, including customer data, third party data and employee data.

If the charity has a website in operation, a data protection statement should be drawn up and a link to this statement situated on the homepage of the website. A Privacy Statement is a public declaration of how the organisation applies the data protection principles to data processed on its website. It is a more narrowly focused document than a Privacy Policy.