Unit-4 PPT

The document discusses the challenges organizations face in cybersecurity, including emerging threats and a lack of skilled professionals. It outlines various cybersecurity frameworks, federal laws, and regulations in the U.S. and India, emphasizing the importance of compliance to protect sensitive data and mitigate cyber threats. Key laws mentioned include the Consumer Privacy Protection Act, HIPAA, and the Gramm-Leach-Bliley Act, along with the role of agencies like the FTC and FBI in enforcing these regulations.

Uploaded by skatyaya

US federal law for Cyber Security
Dr. Vikram Dhiman
CSE Deptt.
What Cyber-security Challenges do Organizations Face
Maintaining a pulse on new and emerging global cybersecurity threats
Speed and complexity of digital transformation
Utilizing the latest cybersecurity solutions
Lack of skilled cybersecurity professionals
Solutions not customized to the types of risks we face
Lack of integrated cybersecurity solutions
Lack of ability to share threat intelligence cross-functionally (XDR)
Cybersecurity attacks
XDR
Extended detection and response (XDR) is a new approach to threat detection and response that provides holistic protection against cyberattacks, unauthorized access, and misuse.
XDR
The digital landscape has witnessed an exponential surge in cyberthreats, prompting cybersecurity professionals to continually innovate their defensive strategies.
One of the most notable innovations to emerge in recent years is extended detection and response (XDR).
Evolving from its predecessor, endpoint detection and response (EDR), XDR represents a paradigm shift in cybersecurity by providing a holistic and integrated approach to threat detection, response, and mitigation.
Frameworks cover various approaches to handling security challenges
Sample Questions
1. While there is no definitive answer to this question, there are many well-known and widely
used frameworks for cybersecurity. These include MITRE ATT&CK, HIPAA, the NIST
Cybersecurity Framework, ISO 27001, and CIS Controls. Given a business's specific
circumstances, one framework or a combination of frameworks may be most appropriate.

2. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a set
of best practices and standards designed to help organizations manage their cybersecurity
risk. ISO 27001 is an international standard developed by the International Organization for
Standardization (ISO), which provides best practices and requirements for information
security management systems. While both frameworks have similar goals, they differ in their
specific approach to cybersecurity.
3. The Center for Internet Security (CIS) Controls are a set of cybersecurity best practices developed
by the nonprofit organization CIS. The framework is designed to provide organizations with
comprehensive cybersecurity measures for protecting their data and networks.
On the other hand, NIST offers a set of standards and best practices for managing cybersecurity
risk. These frameworks seek to achieve similar goals, but differ in terms of implementation.
CIS Controls provides specific steps for protecting an organization's systems, while NIST offers a
more generalized set of guidelines and principles.

4. Choosing the right cybersecurity framework can take time, as there is no one-size-fits-all
solution. It is essential to consider your organization's or client's specific needs and determine
which framework best meets them.
One important distinction is that there are other cybersecurity frameworks that are not codified in law but rather are created and/or enforced by non-governmental entities.
For example, the NIST or ISO 27001 cybersecurity frameworks are both widely used standards in many industries and government organizations.
Companies might be required to comply with these frameworks by industry dynamics or by organizational partnerships with government or other entities.
A Glance At Cyber Security Laws
For more than a decade, cyber security has been a concern for the government and private
sector alike.

The growth of the Information Technology and E-commerce sectors in the United States has given rise to cyber crimes, causing huge losses to the US government and its people.

Data breaches have gained more attention due to the impact of digitization on financial,
healthcare, SMEs, and other industries. Even though data breaches occurred way before
digitization took the world by storm, the popularity of digital platforms gave a new dimension to
these breaches as the importance, volume, and cost of the data breaches have increased
considerably.
Data breaches in the U.S.
The number of data breaches in the U.S. increased from 157 million in 2005 to 781 million in 2015, while the number of exposed records jumped from around 67 million to 169 million during the same time frame.
In 2016, the number of data breaches in the United States amounted to 1093 with close to 36.6 million records exposed.
Consumer Privacy Protection Act of 2017
The Consumer Privacy Protection Act of 2017 aims to secure the personal information of customers, prevent identity theft, inform citizens and organizations about security breaches, and prevent the misuse of sensitive user information.
Purpose of Cyber Security Regulation
The purpose of cyber security regulation is to compel companies and organizations to protect their systems and information from cyber-attacks such as viruses, trojan horses, phishing attacks, denial of service (DoS) attacks, unauthorized access (stealing intellectual property or confidential information), and control system attacks.
Are there any laws about cyber-security?
Yes, there are numerous laws and regulations around the world governing cyber-security.
Organizations must comply with local and international laws to protect customer data and guard against cyber-attacks.
Are there any laws about cyber-security? In India
INFORMATION TECHNOLOGY ACT, 2000
Here are some of its sections that empower Internet users and attempt to safeguard cyberspace.
Section 65 – Tampering with computer source documents. ...
Section 66 – Using the password of another person.
Section 66D – Cheating using a computer resource. ...
Section 66E – Publishing private images of others.
Are there any laws about cyber-security? In India
INFORMATION TECHNOLOGY AMENDMENT ACT 2008
The Information Technology Amendment Act was passed by the Indian Parliament in October 2008 and came into force a year later.
The act is administered by the Indian Computer Emergency Response Team (CERT-In) and corresponds to the Indian Penal Code.
WHAT DOES THE INFORMATION TECHNOLOGY AMENDMENT ACT COVER?
The act, with its chapters and 117 sections, covers a wide range of topics related to IT, cybercrime and data protection.
The act includes provisions for the following:
tightening cybersecurity measures
establishing a legal framework for digital signatures
recognizing and regulating intermediaries
regulating interception, monitoring and decryption of electronic records
cyber forensics
cyberterrorism
New criminal laws, replacing colonial-era codes, to come into effect from July 1, 2024
The three new criminal laws are:
1. Bharatiya Nyaya Sanhita,
2. Bharatiya Nagarik Suraksha Sanhita, and
3. Bharatiya Sakshya Adhiniyam,
which will completely overhaul the country's criminal justice system.
Revised criminal law Bills were introduced in Parliament on December 12 after incorporating recommendations by a parliamentary committee: what are the key changes and the existing concerns?
Cyber-security Laws & Regulations
This article will cover the following topics and how they relate to Cyber Security:
Federal Laws
Federal Regulations & Guidance
State Laws
International Laws
Law v/s Act
Law
A law is a set of rules that establishes the legal framework of a jurisdiction
Laws are created by the constitution or higher legislative authority
Laws govern a wide range of legal matters, including behavior, order, and protection of citizens
Laws can be enforced through legal penalties, fines, or imprisonment
Act
An act is a specific piece of legislation that is passed by a legislative body
Acts are created by a legislative body or parliament
Acts address specific areas of legal regulation
Acts can be amended or repealed by subsequent acts
Acts can be enforced through legal penalties, fines, or imprisonment
Roles of International Laws in Cybersecurity
Framework for Norms and Expectations:
◦ International laws provide a framework for norms and expectations regarding state behavior in cyberspace.
◦ They establish guidelines for responsible conduct, emphasizing cooperation, transparency, and adherence to established norms.
◦ These norms help prevent cyber conflicts and promote stability in the global digital ecosystem.
Limitations on Use of Force:
◦ International law restricts the use of force in cyberspace.
◦ States are bound by the United Nations Charter, which prohibits the use of force except in self-defense or with Security Council authorization.
◦ Cyber operations that cause significant harm may violate these principles and trigger international legal consequences.
Protection of Critical Infrastructure:
◦ International laws encourage states to protect critical infrastructure from cyber threats.
◦ The Tallinn Manual, a non-binding document, provides guidance on applying existing international law to cyber operations.
◦ States must safeguard essential services such as energy, transportation, and communication networks.
The United States
Determining the cyber-security regulations that apply to
your business depends on the industry you operate in, the
geographical location of your organization, the location of
your clientele, and other factors.
Who regulates cyber-security in the USA?
Cybersecurity regulation in the United States is divided
between federal and state laws.
The Federal Trade Commission (FTC) is responsible for
enforcing cybersecurity regulations and legislation at the
federal level.
In addition, the Department of Homeland Security (DHS)
and the National Institute of Standards and Technology
(NIST) also have roles in regulating cyber-security.
Why the United States Cyber Security Laws and Regulation
The United States cyber security laws and
privacy system is arguably the oldest, most
robust, and most effective in the world.
Federal Government Regulation
There are three main federal cyber-security regulations:
1996 Health Insurance Portability and Accountability Act (HIPAA)
1999 Gramm-Leach-Bliley Act
2002 Federal Information Security Management Act (FISMA)
HIPAA includes five titles.
Title I protects health insurance coverage for employees and their families.
Title II of HIPAA, called the Administrative Simplification (AS) Provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health plans, and employers.
Title III sets guidelines for pre-tax medical spending accounts,
Title IV sets guidelines for group health plans, and
Title V governs company-owned life insurance policies.
Federal Information Security Modernization Act (FISMA)
The Federal Information Security Modernization Act (FISMA) is one of the cyber security laws in the US, passed in 2002. It requires federal agencies to implement security controls to protect their information systems and data.
It aims to ensure that federal agencies have the necessary measures to protect the confidentiality, integrity, and availability of the information they collect, store, and use.
It also requires agencies to establish an information security program that includes regular risk assessments, security testing and evaluations, incident response planning, and continuous monitoring of security controls.
Cybersecurity Information Sharing Act (CISA)
The Cybersecurity Information Sharing Act (CISA) is a law passed by the United States Congress in 2015 that encourages private companies to share information about cyber threats with the government and provides liability protections for companies that do so.
CISA aims to improve the sharing of information about cyber threats between the government and private sector to protect critical infrastructure and national security from cyber attacks. It allows private companies to share cyber threat information with the Department of Homeland Security (DHS) and other federal agencies and also enables the government to share cyber threat information with private companies.
Federal Bureau of Investigation (FBI)
The Federal Bureau of Investigation (FBI) plays a key role in protecting the United States from cyber threats and investigating cybercrime. The FBI is responsible for investigating a wide range of cybercrimes, including hacking, online fraud, identity theft, and the distribution of child pornography.
One of the main responsibilities of the FBI is to investigate cybercrime and bring criminals
to justice. The FBI has several specialized units that focus on cybercrime, such as the Cyber
Division, which investigates cybercrime and espionage. The FBI also works closely with other
federal, state, and local law enforcement agencies to share information and coordinate
investigations.
The FBI also plays an important role in protecting the United States from cyber threats by
providing threat intelligence and warnings to organizations and individuals. The FBI also
improves organizations’ cybersecurity posture by providing training and technical assistance.
What are the two primary federal cyber-security regulations?
The primary law governing cybersecurity in the United States is the Federal Trade Commission Act (FTCA). This law prohibits deceptive acts and practices in business, including those related to data security.
The FTC also enforces the Gramm-Leach-Bliley Act (GLB), which requires companies to protect the customer data they collect.
Federal Trade Commission Act (FTCA)
federal legislation that was adopted in the United States in
1914 to create the Federal Trade Commission (FTC) and to
give the U.S. government a full complement of legal tools to
use against anticompetitive, unfair, and deceptive practices
in the marketplace.
The act was thus designed to achieve two related goals: fair
competition between businesses and protection of
consumers against fraudulent business practices.
The Federal Trade Commission Act
is the primary statute of the Commission. Under this Act, as amended, the Commission is
empowered, among other things, to
(a) prevent unfair methods of competition and unfair or deceptive acts or practices in or
affecting commerce;
(b) seek monetary redress and other relief for conduct injurious to consumers;
(c) prescribe rules defining with specificity acts or practices that are unfair or deceptive, and
establishing requirements designed to prevent such acts or practices;
(d) gather and compile information and conduct investigations relating to the organization,
business, practices, and management of entities engaged in commerce; and
(e) make reports and legislative recommendations to Congress and the public.
The Gramm-Leach-Bliley Act (GLBA)
requires financial institutions – companies that offer consumers financial products
or services like loans, financial or investment advice, or insurance – to explain their
information-sharing practices to their customers and to safeguard sensitive data.
Three key rules of the GLBA include:
Privacy Rule: Ensuring the protection of consumers' personal financial information.
Safeguards Rule: Requiring the establishment of security measures to prevent data
breaches.
Pretexting Provisions: Prohibiting deceptive methods of obtaining personal financial
information.
Penalties
The Gramm-Leach-Bliley Act provides penalties for noncompliance, including fines and imprisonment.
If a financial institution violates GLBA:
The institution will be subject to a civil penalty of not more than $100,000 for
each violation;
Officers and directors of the institution will be subject to, and personally liable
for, a civil penalty of not more than $10,000 for each violation;
The institution and its officers and directors will also be subject to fines in
accordance with Title 18 of the United States Code or imprisonment for not
more than five years, or both.
The Digital Millennium Copyright Act (DMCA)
was signed into law by President Clinton on October 28, 1998.
The legislation implements two 1996 World Intellectual Property Organization (WIPO) treaties: the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty.
The DMCA also addresses a number of other significant copyright-related issues.
Who is protected under the law?
"Customers" are a subclass of consumers who have a continuing relationship with a financial institution.
It's the nature of the relationship, not how long it lasts, that defines whether a person is a customer or a consumer.
Cybersecurity Regulations in India
The Information Technology Act, 2000 (IT Act):
◦ India’s first landmark cybersecurity law, the IT Act, addresses various aspects of cybercrime.
◦ It defines offenses related to unauthorized access, data theft, and computer-related fraud.
◦ The IT Act also establishes the framework for digital signatures and electronic records.
The National Cyber Security Policy, 2013 (NCSP):
◦ The NCSP provides strategic guidelines for enhancing India’s cybersecurity posture.
◦ It emphasizes collaboration between government, industry, and academia.
◦ The policy focuses on securing critical infrastructure, promoting research, and building a skilled workforce.
The Personal Data Protection Bill, 2019 (PDP Bill):
◦ The PDP Bill aims to protect individuals’ personal data.
◦ It outlines principles for data processing, consent, and rights of data subjects.
◦ Once enacted, it will significantly impact how organizations handle personal data.
Operating in the United States
requires compliance with several laws
dependent upon the state, industry,
and data storage type.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law
that protects patient health information. If you provide cloud hosting services to a
healthcare provider, you must ensure your systems adhere to healthcare
cybersecurity regulations.
The Gramm-Leach-Bliley Act (GLBA) regulates the collection and handling of
financial information. Any organization that collects or stores financial data must
comply with this law.
The Payment Card Industry Data Security Standard (PCI DSS) sets rules for
safeguarding consumer credit card data. Any MSP that processes payment card
data must be compliant with this regulation. Additionally, if you have clients in the
financial services sector, you may be subject to the
New York Department of Financial Services (NYDFS) cybersecurity regulation.
Need for cyber-security laws?
Technology has grown exponentially over the past two decades. As time goes by, we continuously benefit from and increase our dependence on technology.
Web applications, drones, mobile applications, industrial automation, machine learning applications, and other technologies have changed our lives.
But these technologies also bring immense dangers.
Therefore, our governments have introduced cyber-security laws.
Federal law in cyber Security
The complex federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems.
Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure (CI).
There are three main threats cybersecurity efforts attempt to mitigate:
Cybercrime: includes single or colluded acts that target systems for financial gain or to cause disruption.
Cyber-attacks: often involve politically motivated information gathering.
Cyber-terrorism: intended to undermine electronic systems to cause panic or fear.
What’s the Difference and Which Standard Do You Need?
What is ISO 27001?
ISO 27001 is an international standard for data protection created
jointly by the International Organization for Standardization and the
International Electrotechnical Commission. This framework outlines
the requirements to establish, maintain, and continually improve an
information security management system (ISMS).
ISO 27001 certification provides customers with third-party
reassurance that the organization has built an ISMS capable of
protecting sensitive data.
While ISO 27001 is popular worldwide, it is most commonly
requested by international customers, especially in Europe.
SOC 1 vs. SOC 2:
Suppose you are a financial services organization or deal with users’ financial information. In that case, a SOC 1 (Service Organization Control 1) report certifies your capability to efficiently and securely manage your customers’ financial data.
Any organization that engages in payment processing, loan servicing, and other monetary transactions needs to obtain this report to document its business processes and IT controls.
The SOC 1 report focuses on controls ranging from password complexity to authorization restrictions.
It also includes tests to identify vulnerabilities, and it offers assurance that access to information or databases is restricted to authorized personnel.
A SOC 1 report consists of five parts, as
explained below:
Opinion Letter – This section includes the report’s scope, the date of the report for Type 1 attestation,
the test period for Type 2 attestation, and the opinion of the auditors.
Management’s Assertion – This is where the management’s statements are mentioned about the
system’s description, control objectives, and the criteria used to make the assertions.
Description of the System – This includes all your policies, processes, and operations that form your
services and affect financial reporting.
Description of Tests of Control & Result of Testing – This section is for the auditors to list the controls
they have tested, the test procedure, and the results.
Other Information – Auditors use this section to mention any essential information not covered in
other areas of the report.
What is SOC 2?
A SOC 2 report is proof that your organization has procedures in place to ensure security, integrity, and processing efficiency when dealing with sensitive customer information.
This audit and its requirements are necessary for technology-based companies that store customer data in the cloud.
SOC 2 is the most common compliance that SaaS companies need today.
What is SOC 2?
A SOC 2 report attests to the operating effectiveness of an organization’s security protocols and helps establish trust between service providers and their customers.
The SOC 2 report requires you to write down your security policy and follow it; the policy will be requested and reviewed at the time of auditing.
The AICPA has outlined a set of Trust Service Criteria or Trust Service Principles to determine the trustworthiness of an organization’s data handling.
The five criteria are as follows:

Security:
Safeguard data and systems against unauthorized access or any form of tampering activities
Availability:
Seamless availability of data and systems for business operations
Processing Integrity:
Accurate processing of data by authorized personnel in a timely manner
Confidentiality:
Appropriate guardrails and authentication mechanisms must be put in place for confidential data
Privacy:
Procedures to appropriately use, retain, and dispose of the personal information of any individual
The General Data Protection Regulation (GDPR): International Cyber-security Laws
Dr. Vikram Dhiman
GITAM
Purpose of GDPR
The General Data Protection Regulation (GDPR) is a robust privacy and security law that has global implications. Let’s delve into its purpose and significance:
Key Goals and Purpose:
1. Enhancing Control: The GDPR aims to give consumers control over their personal data. Companies are held responsible for how they handle and treat this information.
2. Simplifying Regulations: It supersedes the previous Data Protection Directive and simplifies terminology, making it easier for international businesses to comply.
3. Coordinating EU Legal Landscape: By replacing the 1995 directive, the GDPR establishes a single framework for personal data protection across all EU Member States.
What are the three main goals of the GDPR?
The objectives of the GDPR are:
1. Homogeneous protection of personal data across the EU Member States. The GDPR has coordinated the European legislation on the use of personal data.
2. Increased accountability. ...
3. A simplified and lighter legal framework on the processing of personal data.
What is the primary purpose of the GDPR?
This Regulation protects fundamental rights and
freedoms of natural persons and in particular
their right to the protection of personal data.
What are the 4 key components of GDPR?
The 4 key components of GDPR are:
1. Data Protection Principles.
2. Rights of Data Subjects.
3. Legal Bases for Data Processing.
4. Responsibilities and Obligations of Data Controllers and Processors.
Historical Context:
◦ The right to privacy has been part of the European Convention on Human Rights since 1950.
◦ In 1995, the EU introduced the European Data Protection Directive, setting minimum data privacy and security standards.
◦ As technology evolved, the GDPR emerged to address modern challenges, including breaches and increased reliance on cloud services.
In summary, the GDPR serves as a comprehensive framework to safeguard individuals’ privacy rights and promote responsible data handling in an interconnected world.
Introduction GDPR
The data protection package aims at making Europe fit for the digital age. More than 90% of
Europeans say they want the same data protection rights across the EU and regardless of where
their data is processed.
Seven Principles
General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)
What is the GDPR
◦ The GDPR is the toughest data protection law worldwide, drafted and passed by the European Union (EU).
◦ It applies to organizations globally, as long as they collect or target data related to individuals in the EU.
◦ The regulation came into effect on May 25, 2018.
◦ It imposes strict obligations regarding privacy and security standards, with potential fines reaching millions of euros for violations.
It aims to improve consumer protection and general levels of privacy for individuals, includes mandatory reporting of data protection breaches and has an increased emphasis on gaining explicit consent to process information.
Data Protection Bill
The UK will also replace its current Data Protection Act (1998)
in the next few months, incorporating the GDPR
requirements. The Data Protection Bill is currently going
through the relevant parliamentary processes (it has gone
through the House of Lords and is currently in the House of
Commons on its 2nd reading).
The advice from the Information Commissioner’s Office is
that many of the GDPR’s main concepts and principles are
much the same as those in the current Act, and therefore if
we are complying properly with the current law then most of
our approach to compliance will remain valid under the GDPR
and the new Bill, and will give us a starting point to build
from.
However, there are new elements and significant
enhancements, so we will have to do some things for the first
time and some things differently.
The GDPR - new and changed concepts from the Data Protection Act 1998
• Transparency and consent issues – information to be provided to individuals, and permissions required from them
• Children and consent for online services
• Data – changes to the definitions of personal and sensitive data
• Breach notification
• Enhanced individual rights
The GDPR - new and changed concepts from the Data Protection Act 1998
• Pseudonymisation
This is a new definition which refers to the technique of processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to appropriate security to ensure non-attribution. Pseudonymised data is still a form of personal data, but its use is encouraged (e.g. for extra security of the data, for historical / scientific research or for statistical purposes).
• Data Protection by design
Under the GDPR, we have a general obligation to implement technical and organisational measures to show
that we have considered and integrated data protection into our processing activities.
We have to adopt “data protection by design” measures. This means that the requirements of data protection
legislation must be considered at the very start of any project which involves the processing of personal data.
We will need to consider how any new system, or any changes to current systems, will impact on the
individuals whose data we will collect / or we already hold.
e.g. are we changing how / where we store the data, are we sharing the data with third parties that we didn’t
share with previously, are we processing the data differently from previously … ?
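The pseudonymisation technique described above, as an added illustration that is not part of the original slides: direct identifiers are replaced by a keyed hash so that records about the same person stay linkable (useful for research and statistics), while re-identification needs the "additional information" held separately by the controller, here a secret key and a lookup table. The records, field names and key handling are constructed for this example; a plain unkeyed hash is deliberately avoided, because an identifier such as an e-mail address could then be recomputed and matched from a list of known addresses.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people); "email" is the direct identifier.
SAMPLE_RECORDS = [
    {"email": "a.student@example.ac.uk", "course": "CS101", "grade": 72},
    {"email": "b.staff@example.ac.uk", "course": "CS101", "grade": 88},
    {"email": "a.student@example.ac.uk", "course": "CS202", "grade": 65},
]


def generate_key() -> bytes:
    """Secret held by the data controller and stored apart from the dataset
    (e.g. in a key vault); losing it makes the pseudonyms unlinkable to people."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): the same identifier under the same key always
    yields the same pseudonym, so records stay linkable, but without the key a
    pseudonym cannot be recomputed from a guessed identifier or reversed."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, field: str = "email"):
    """Return (pseudonymised_records, lookup).

    The returned records no longer carry the identifier; the lookup table is the
    'additional information' that GDPR requires to be kept separately and
    protected, and it is the only way back from a pseudonym to the person.
    """
    lookup = {}
    out = []
    for rec in records:
        p = pseudonym(rec[field], key)
        lookup[p] = rec[field]
        new_rec = {k: v for k, v in rec.items() if k != field}
        new_rec["subject_id"] = p
        out.append(new_rec)
    return out, lookup


def reidentify(record, lookup) -> str:
    """Re-attribution is only possible with the separately held lookup table."""
    return lookup[record["subject_id"]]


def same_subject(rec_a, rec_b) -> bool:
    """Linkability without identity: analysts can group a person's records
    without ever seeing who the person is."""
    return rec_a["subject_id"] == rec_b["subject_id"]


if __name__ == "__main__":
    key = generate_key()
    dataset, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for rec in dataset:
        print(rec)
    print("records for first subject:",
          sum(same_subject(dataset[0], r) for r in dataset))
    print("re-identified via separate lookup:", reidentify(dataset[0], lookup))
```

Keeping `key` and `lookup` in a different system from `dataset`, with their own access controls, is what turns a hashed column into pseudonymised data in the GDPR sense; if both travel together with the records, the data is effectively still directly identifying.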
Scope of the GDPR
Any / all information relating to an identified or identifiable individual e.g.
◦ Information held in manual form or printed out
◦ Emails, databases, spreadsheets etc.
◦ Photographs on web sites, marketing photographs, ID Cards and Passes;
◦ CCTV images (both central CCTV system and any localised systems / webcams)
◦ Web pages
◦ Information which may be associated with online identifiers provided by devices,
applications, tools and protocols, such as internet protocol addresses, cookie identifiers or
other identifiers.
Definition of Personal Data
The definition of personal data (personal information) is simplified in the GDPR:
Any information relating to an identified, or identifiable natural person (the data subject).
What does this mean in practice?
All staff, students, research subjects, alumni, members of the public etc. where we hold their data – “identified”
Also includes, for example, pseudonymous individuals where the University also holds the additional information to identify them – “identifiable”
Legitimate Grounds for Processing Personal Data
Necessary for the performance of a contract with the data subject, or to take steps to prepare for a contract
The University needs to enter into an employment contract with you to pay you in accordance with your contract, to ensure you are subject to its policies, regulations and rules and to administer your pension entitlements. These processes will involve the processing of your personal and special categories data.
Necessary for compliance with a legal obligation
This would be in relation to UK or EU law only and the action undertaken should be foreseeable to those subject to it.
Common law obligations may also be sufficient.
If we’re relying on a legal obligation to process we still need to draw this to the attention of the individuals. For example
the University would need to process data e.g. to check an employee's entitlement to work in the UK, to deduct tax or to
comply with health and safety laws. In our privacy notice, or data collection notice we need to make sure that we
reference all the processing activities undertaken under a legal obligation. Remember using this ground for processing
should be foreseeable to the individual.
Legitimate Grounds for Processing Personal Data
Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving
consent
This condition is very tightly drafted, and can only be relied upon when there are no other available grounds for processing
the data, e.g. for medical emergencies. It is also a ground for processing necessary for humanitarian purposes (e.g. disaster
responses).
Necessary for the performance of a task carried out in the public interest or as a consequence of an official authority
vested in the institution (“the public task”)
Only where the task is laid out in UK or EU law to which the University is subject.
Necessary for the purposes of legitimate interests pursued by the University
If you are relying on this you need to document your assessment of why the processing is legitimate. Have you considered
the rights and freedoms of data subjects?
The public task
We can rely on this lawful basis if we need to process personal data:
• ‘in the exercise of official authority’. This covers public functions and powers that are set out in law;
or
• to perform a specific task in the public interest that is set out in law.
We don’t need a specific statutory power to process personal data, but our underlying task, function or power must have
a clear basis in law. The processing must be necessary: if we could reasonably perform our tasks or exercise our powers in
a less intrusive way, this lawful basis does not apply.
Universities are likely to be classified as public authorities, so the public task basis is likely to apply to much of our
processing, depending on the detail of our constitution and legal powers.
For example, we might rely on public task for processing student personal data for teaching and research purposes; but
we may need to rely on a mixture of legitimate interests and consent for alumni relations and fundraising purposes.
The University needs to consider its basis carefully – we have to document our decision to help demonstrate compliance
if required. We should be able to specify the relevant task, function or power, and identify its statutory or common law
basis.
What is a legitimate interest basis for the
University?
The legitimate interest basis for processing would be most appropriate where the University is using individuals’ data in
ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification
for the processing. For example in relation to members of staff the University would rely on the fact that it had legitimate
interest in processing personal data before, during and after the end of the employment relationship to:
• run recruitment and promotion processes;
• maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of
an emergency), and records of employee contractual and statutory rights;
• operate and keep a record of disciplinary and grievance processes;
• plan for career development, and for succession planning and workforce management purposes;
• operate and keep a record of absence and absence management procedures, to allow effective workforce management;
• obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities and to meet
its obligations under health and safety law;
• operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave),
to ensure the University complies with duties in relation to leave entitlement, and to ensure that employees are receiving the
pay or other benefits to which they are entitled;
• ensure effective general HR and business administration;
• provide references on request for current or former employees; and
• respond to and defend against legal claims.
Legitimate Grounds for
Processing Personal Data
Consent
Consent is only one of the legitimate grounds for processing personal data under the GDPR. It should only be
used where an individual is offered a genuine choice to either accept or decline what is being offered without
suffering any detriment. It would not be appropriate to rely on consent if, for example, the individual had no
choice but to use the service or to accept the terms. e.g. access to free wifi only if the user consents to receiving
marketing materials would be unacceptable as the two things are unrelated.
GDPR has a narrower view of what constitutes consent than current legislation. Consent must be a freely given,
specified, informed and unambiguous indication of an individual’s wishes.
There must be some form of clear affirmative action – a “positive opt in”. Consent cannot be inferred from
silence, pre-ticked boxes or inactivity. Implied consent will no longer be an option.
Consent must be as easily revoked as it is given, and therefore clear processes should be in place for individuals to
withdraw consent.
Blanket consent for a number of processing activities is now unlikely to be valid; there need to be separate consent
processes for each element of data processing.
Legitimate Grounds for Processing Personal Data
Things to do now if you are relying on consent to process data:
Identify where you are relying on consent to process personal data / special categories data:
• Review how you collect the consent (information sheets, data collection notices, forms etc.)
• Make sure you are collecting a freely given, specified, informed and unambiguous indication of an
individual’s wishes (what are you telling them?);
• Can you offer individuals the opportunity to consent to certain areas of the processing and utilise a
“positive opt in” – e.g. a tick box process? This could be useful for research projects.
• Consider how individuals can revoke their consent? Is it clear from your documentation / website? It
needs to be as clear as the process you utilised to collect the consent, and individuals should be able to
notify you through the same medium.
• What do you do with consent already collected?
Special categories of personal data
Special Categories of Data (previously known as “sensitive personal data”) are broadly unchanged from
those listed in the current Data Protection Act. Under the GDPR they are:
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• data concerning health or sex life and sexual orientation;
• genetic data (new); and
• biometric data where processed to uniquely identify a person (new).
Grounds for Processing Special Categories of Data
Explicit Consent
The same stringent consent threshold is required as with personal data – freely given, specific, informed and unambiguous
indication of an individual’s wishes.
Necessary for obligations under employment, social security or social protection law, or a collective agreement – This is a wider
definition than within current legislation and is allowed in so far as it is justified by UK or EU law, or by collective agreement,
providing there are appropriate safeguards for the rights and interests of the individual.
Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent
This condition is very tightly drafted, and can only be relied upon when there are no other available grounds for processing the data,
e.g. for medical emergencies
Data made public by the data subject
Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity – This is
a wider definition than within current legislation
Grounds for Processing Special Categories of Data
Necessary for reasons of substantial public interest
Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity
of the employee, medical diagnosis, the provision of health or social care or treatment or management of
health or social care
This provision provides a formal legal justification for regulatory uses of healthcare data in the health and
pharmaceutical sectors, and by providing for the sharing of health data with providers of social care
Necessary for reasons of public interest in the area of public health
Necessary for archiving purposes in the public interest, or scientific and historical research purposes or
statistical purposes
This is a new condition under the GDPR and provides that special categories data can be processed for the
purposes of archiving, research and statistics. Pseudonymisation procedures would very likely need to be
considered if we were relying on using this ground for processing.
Criminal Convictions and Offences
Data in relation to criminal convictions and offences are not categorised as
“sensitive” under the GDPR, which they were under the Data Protection Act 1998
However, they have not lost their sensitivity and the GDPR states that this type of
data can only be processed under the control of an official authority or where
the processing is authorised by UK or EU law, which provides appropriate
safeguards.
There will be a specific section within the Data Protection Bill relating to law
enforcement which will deal with processing for the prevention, detection,
investigation, or prosecution of criminal offences or the execution of criminal
penalties.
Data Protection Principles
1. Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
The inclusion of the principle of transparency is a new provision within the GDPR.
2. Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those
purposes
The current DPA 1998 has similar restrictions on the processing of data. The GDPR provisions include processing for public interest and/or
scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not
be seen as incompatible with this purpose. However there would be a need to consider pseudonymising the data.
3. Data processed is adequate, relevant and limited to what is necessary
The current DPA 1998 uses the term “excessive”; the GDPR requirements take the opposite view and only permit processing of data that is
necessary.
4. Data is accurate and, where necessary, kept up to date
There are new rights for individuals in the GDPR, e.g. data erasure, data correction etc., which will impact on this principle
Data Protection Principles
5. Data should not be kept longer than is necessary for the purpose
The GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving
purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.
6. Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
Accountability
The University is responsible for demonstrating that we comply with the six principles
Data processed lawfully, fairly and in a
transparent manner
Lawfulness
What are your grounds for processing both personal data and special categories data? There are no grounds for “it may be
useful”. Remember consent is only one of the grounds you can rely on; there may be others that are relevant. If you are relying
on consent ensure the quality of this consent – does it meet the new requirements?
Fairness
If you are relying on consent it must be a freely given, specified, informed and unambiguous indication of an individual’s
wishes. Ensure there is a form of clear affirmative action – a “positive opt in”. What information are you giving individuals in
order for them to make the choice?
Transparency
The University’s privacy notice will be updated; however, consider whether you need your own privacy notice for specific
processing activities. Make sure that any notices you use are comprehensive and clear, written in plain language, in an easily
accessible format.
Where is the information located? Can the individual reasonably be expected to locate the privacy notice, and to make an
informed decision to grant consent (where necessary)? Are you informing the individual why you are collecting the data, and
what grounds you are relying on? (i.e. if you are not relying on consent, what are you relying on? Make this clear.)
Make a decision up front on issues such as archiving so that you can inform the individuals how long you will be keeping their
data for.
Data obtained for specified, explicit and legitimate
purposes and not further processed in a manner
that is incompatible with those purposes
Purpose Limitation
Decide what your basis is for collecting the personal information / special categories information and make this known to the individuals concerned e.g. in any T&Cs,
on your website, in any literature.
Make sure you consider whether you need to draft your own privacy policy for the processing, or whether you link to the University policy. Have a clear data
collection statement which is explicit with regard to use of the data. This is essential in order to ensure specified, informed and unambiguous consent. Make sure you
include the retention period for the data.
The GDPR also sets out rules on factors to be taken into account to assess whether a new processing purpose fits with the purpose originally communicated to the
individual:
- Is there any link between the original and proposed new purpose?
- The context in which the data was collected
- The nature of the data (is it special category or criminal offence data?)
- The possible consequences of the new processing
- The existence of safeguards such as pseudonymisation / encryption
Processing for archival purposes in the public interest, for scientific and historical research purposes or statistical purposes should be considered compatible with the
original purpose.
Data processed is adequate, relevant and
limited to what is necessary
Data minimisation
Only collect and use what you actually need in order to carry out the purpose, and importantly,
only what is compatible with the reasons and purposes which the individuals were informed of,
or the purposes for which you are legally entitled to hold the information.*
*Always refer back to your privacy notice / data collection notice
Importantly don’t collect (or hold) any data “in case it might come in handy”
Data is accurate and, where necessary, kept up to
date
Accuracy
Make sure that any personal data, or special categories data, collected is recorded accurately.
Every reasonable step must be taken to ensure that any data found to be inaccurate is erased or
rectified without delay, and in any event within a month of receiving a request from the
individual.
The individual needs to notify us of any change in their data. However we should also check
periodically to make sure the data is still up to date.
Data should not be kept longer than is
necessary for the purpose
Storage Limitation
We cannot hold data which permits identification of individuals any longer than is necessary for the purpose notified to the
individual in our privacy notice / data collection notice etc.
Data can be held for longer as long as this is for the purpose of archiving, or for scientific or historical research, or for
statistical purposes. Remember that when you have archived the data, or if you are using it for scientific / historical research
or for statistical purposes, it still comes under the principle requiring appropriate technical and organisational measures to be
in place. Consider pseudonymisation at this stage.
Once the purpose for holding the data is no longer valid or the assigned retention date has passed you should not continue to
hold the information (see also principle 6)
We have a legal responsibility to make sure that the information is held securely, and that it is securely disposed of at the end
of the retention period
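The pseudonymisation the deck recommends for archived data and for special categories data used in research, as an added illustration that is not Bangor University’s own code: direct identifiers are replaced by keyed HMAC pseudonyms, the key and the re-identification table are held apart from the extract (so the extract is only “identifiable” to whoever holds the key), and destroying the key at the end of the retention period removes the ability to identify anyone while the statistical content survives. The field names and sample records are constructed for this example.

```python
"""Pseudonymised research extract (added example; assumed field names).

The extract holds no direct identifiers. The Pseudonymiser object stands in
for a restricted key store plus lookup table that would be kept separately
from the archive, with access limited to authorised staff.
"""

import hashlib
import hmac
import secrets
from typing import Optional

# Fields that identify a person directly; assumed names for this example.
DIRECT_IDENTIFIERS = frozenset({"student_id", "name", "email"})

# Constructed sample records (no real people).
SAMPLE_RECORDS = [
    {"student_id": "S1001", "name": "A. Example", "email": "a@example.invalid",
     "module": "ICE-2001", "mark": 64, "year": 2017},
    {"student_id": "S1001", "name": "A. Example", "email": "a@example.invalid",
     "module": "ICE-2002", "mark": 71, "year": 2018},
    {"student_id": "S1002", "name": "B. Example", "email": "b@example.invalid",
     "module": "ICE-2001", "mark": 58, "year": 2017},
]


class Pseudonymiser:
    """Holds the secret key and the pseudonym -> student_id lookup table."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict = {}

    def pseudonym(self, student_id: str) -> str:
        # A keyed HMAC rather than a plain hash: someone who knows the
        # student-ID format cannot enumerate IDs and match them to hashes
        # without the key, which is what keeps the extract pseudonymous.
        if self._key is None:
            raise RuntimeError("key destroyed: no further pseudonyms can be issued")
        digest = hmac.new(self._key, student_id.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:24]

    def pseudonymise(self, records: list) -> list:
        """Copy the records, dropping direct identifiers and adding a
        consistent pseudonym so one student's rows remain linkable."""
        out = []
        for rec in records:
            p = self.pseudonym(rec["student_id"])
            self._lookup[p] = rec["student_id"]
            kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            out.append({"pseudonym": p, **kept})
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the key holder can do this; returns None once the key is gone."""
        return self._lookup.get(pseudonym)

    def destroy_key(self) -> None:
        """End of retention period: discard key and lookup table so the
        extract can no longer be linked back to individuals."""
        self._key = None
        self._lookup.clear()


def contains_direct_identifiers(records: list) -> bool:
    """Check an extract before it leaves the restricted environment."""
    return any(DIRECT_IDENTIFIERS.intersection(rec) for rec in records)


if __name__ == "__main__":
    ps = Pseudonymiser()
    extract = ps.pseudonymise(SAMPLE_RECORDS)
    print("direct identifiers in extract:", contains_direct_identifiers(extract))
    for row in extract:
        print(row)
    ps.destroy_key()
    print("re-identify after key destruction:", ps.reidentify(extract[0]["pseudonym"]))
```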
Appropriate technical and organisational
measures against unauthorised or unlawful
processing, loss, damage or destruction
Integrity and confidentiality
This principle applies to both personal and special categories data, which must be kept secure. The data must be processed in a manner
that ensures appropriate security, including protection against unlawful processing, accidental loss, destruction or damage.
The information must only be available to those with a right to see it. Matters to consider:
◦ Transferring information from one section / function / department to another, or transferring externally – it’s often essential to do this – but
consider what information actually needs to be transferred, to whom, and how it is possible to ensure the confidentiality and the security of the
information. Remember even if we are transferring data it is still our responsibility to ensure its safety.
◦ Information is disclosed to members of staff in order for them to carry out their specific roles. This information should not under any circumstances
be disclosed or handed over to anyone other than those with a need to see it.
◦ Staff must be careful with memory sticks, laptops and other portable media – use encryption / passwords etc. Consult the University’s Information
Security Policy.
Information Security
Paper records
Appropriate storage for paper / manual records would include:
◦ Locked metal cabinets with keys limited to authorised staff only;
◦ Locked drawer in a desk (or other storage area) with keys limited to authorised staff only;
◦ Locked room accessed by key or coded lock where access to the key/code is limited to authorised staff only.
Does your School / Department have a clear desk policy? If not, are there any risks to having paperwork out on the desk
overnight / at weekends?
Appropriate disposal for paper / manual records would be either:
◦ Secure disposal via an accredited confidential waste disposal company; or
◦ Shredding (best practice would suggest use of a cross-cut shredder)
Information Security
Electronic records and Database Systems
◦ Never disclose your password
◦ Ensure your password is robust – change it regularly
◦ Always log off, or lock a workstation before leaving it
◦ When working on confidential work and / or on work involving personal data make sure no one else can read your screen
◦ Protect equipment from physical theft (especially laptops and memory sticks)
◦ Store all data on the University network so that it is backed up regularly
◦ Remember to back up and secure work mobile devices (laptop / phone) as well
◦ When sending emails internally or externally it is essential to check that the appropriate recipient has been selected, before sending
the message
◦ Be careful with attachments – check they are the right ones before pressing “send”. Before forwarding attachments at all check that
the information is not available to the recipient by other secure means e.g. “One Drive”
◦ Particular care is required when forwarding emails, in particular ones with attachments so that information is only sent to people
with a real ‘need to know’.
Accountability
The University is responsible for and should be able to demonstrate compliance with the six principles.
What does this mean in practice?
1. Adherence to approved policies and codes – how can we measure this?
2. Robust “paper trails” of decisions relating to data processing. Good records management is essential.
3. Staff Training – ensure all staff know about data protection legislation and encourage attendance
4. Where appropriate use Privacy Impact Assessments, an assessment carried out to identify and
minimise non-compliance risks, especially on “high risk” processing (e.g. substantial processing of special
categories data)
5. Audits of compliance through internal / external auditors
6. Use of Data Protection by Design measures (e.g. use of pseudonymisation)
7. Regular reports to the Compliance Task Group
GDPR: Individual Rights
The right to be informed (privacy notice / data collection notice)
The right of access (subject access request)
The right to rectification (if data is inaccurate or incomplete)
◦ We must respond to a request for rectification of data within a month; if rectification isn’t possible the individual must receive an explanation as to why
that is
The right to erasure (previously known as the right to be forgotten)
◦ This does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing
in specific circumstances:
◦ Where the personal data is no longer necessary for the purpose for which it was originally collected/processed
◦ Where the individual withdraws consent, or objects to the processing and there is no overriding legitimate interest for continuing the processing.
◦ Where the data is being processed on the basis of the University’s legitimate interest, the individual objects, and the University cannot demonstrate that there are overriding
legitimate grounds for the processing
◦ If the information has been shared with others it is the University’s responsibility to inform them of the individual’s request for data
erasure.
◦ The right to erasure does not apply:
◦ For the exercise of the right of freedom of expression and information;
◦ For compliance with a UK or EU legal obligation
◦ For the performance of a public interest task or exercise of official authority
◦ For public health reasons
◦ For archival, research or statistical purposes
◦ If required to establish, exercise or defend legal claims
GDPR: Individual Rights
The right to restrict processing
◦ Where an individual contests the accuracy of the personal data, where an individual has objected to the processing and the organisation is
considering their legal reason for processing, where processing is unlawful and the individual opposes erasure and requests restriction instead,
or where the organisation no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
◦ The University can store the data, but cannot process it any further unless the individual consents or the processing is necessary to establish e.g.
a legal claim, or to protect another person
The right to data portability
◦ The University must respond within a month. Allows individuals to move, copy or transfer personal data in order to obtain and reuse it for their
own purposes across different services. Information must be provided in a structured, commonly used, machine readable form. The right to
data portability does not apply to paper only records.
The right to object
◦ To direct marketing: this is an absolute right
◦ To processing for scientific / historical research / statistical purposes: there must be grounds which specifically relate to the
individual’s situation
◦ To processing for legitimate interests / public interest: important that the University is able to justify why we are relying on
these grounds for processing
Rights in relation to automated decision making and profiling
◦ Establishes safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. We must
identify whether any processing operations constitute automated decision making and consider whether appropriate procedures are needed to
deal with the requirements of the GDPR.
The right to be informed
The GDPR requires us to be transparent and to provide accessible information to individuals about how we use their information. The usual way in which to
provide this information is through the use of a “privacy notice”. The term “privacy notice” is used to describe all the different ways in which an organisation can
provide privacy information to individuals – on the web, in any literature etc. The privacy notice needs to be comprehensive.
The starting point of a privacy notice should be:
◦ Who is “Bangor University”; and if it is a specific notice, then it should also include who is the school / department;
◦ What is the University going to do with individuals’ information – the purpose for collecting it
◦ Who will it be shared with – important to include everything;
◦ Details of any transfers outside the EU (as we are an international University this may be relevant);
◦ The retention period for the data (consult the records retention schedule);
◦ The individual’s right to access the data and to rectify, erase and restrict its use;
◦ The complaints process (including to the Information Commissioner’s Office)
◦ Whether there’s a statutory or contractual requirement to provide the data and the consequences of not providing it;
◦ If there is any automated decision making;
◦ What is the source of the data (including, if it is from a third party source, who they are).
The Privacy Notice must be provided at the point at which the individual hands over the data. We can’t assume because someone engages with one service that
they would be happy for their data to be transferred to another service. If the data isn’t obtained directly from the individual, the University should provide the
Privacy Notice to the individual within a month of receiving the data
The right of access
Individuals have the right to be told whether the University is processing their personal data, and to receive a copy of that data.
The individual also has the right to be provided with supplemental information about the processing (purpose of processing,
categories of data processed, recipients, retention period, their right to erasure / rectification, the source of the data)
In order to make a request to see / obtain a copy of the information an individual should make a request in writing. Within the
University the request should be made to info-compliance@bangor.ac.uk or by post to Lynette Hunter in Corporate Services.
There is no charge for making the request, and the request must be dealt with without delay, and at the latest within one month of
receipt of the request.
Matters to consider
- Can we make data more accessible to individuals so they can see the information themselves without needing to use the right of
access procedure?
- Are we making students aware that they can see and amend data within MyBangor?
- Can we deal with a request for portability of data – which data can be easily exported in structured, machine readable formats?
Children’s Personal Data in the digital
environment
The GDPR contains new provisions intended to enhance the protection of children’s personal data in the digital environment. In
the GDPR children are identified as those who require specific protection under the regulations.
Will the rules in relation to children affect you?
Proposals in relation to online services would mean children aged 13 years old or above would be able to consent to their data
being processed. For children under 13 years old their parents or guardians would need to consent. Withdrawing consent will also
be simplified for children.
Privacy notices for children
Where services are offered directly to a child, organisations must ensure that the relevant privacy notice is written in a clear, plain
way that a child will understand.
Children’s personal data for all other circumstances
For all other data protection issues, children can make their own decisions if they have capacity or Gillick competency:
"...whether or not a child is capable of giving the necessary consent will depend on the child’s maturity and understanding and the
nature of the consent required. The child must be capable of making a reasonable assessment of the advantages … so the
consent, if given, can be properly and fairly described as true consent”
Transfer of data outside the European
Union
Transfers of personal data outside the EU continue to be regulated and restricted in certain circumstances. The University
can transfer data outside the European Union where the receiving organisation has provided adequate safeguards.
Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the
transfer.
Examples of adequate safeguards would be:
• a legally binding agreement between public authorities or bodies;
• binding corporate rules (agreements governing transfers made between organisations within a corporate group);
• standard data protection clauses in the form of template transfer clauses adopted by the Commission;
• standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the
Commission;
• compliance with an approved code of conduct approved by a supervisory authority;
• certification under an approved certification mechanism as provided for in the GDPR;
• contractual clauses authorised by the competent supervisory authority; or
• provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory
authority.
Transfer of data outside the European
Union
Any current data protection clauses which are put into contracts will need to be updated to ensure they
remain compliant with the GDPR requirements and new data protection legislation.
To do now:
• review and map key international data flows,
• consider what data transfer mechanisms you have in place and whether these will continue to be appropriate,
• review contract clauses to ensure the requirements remain compliant
Personal or Special Categories Data Breach
The GDPR will introduce a duty on all organisations to report certain types of data breach to the Information
Commissioner’s Office (ICO), and in most cases also to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure
of, or access to, personal data / special categories data.
The University will have to notify the ICO where the breach is likely to result in a risk to the rights and freedoms of
individuals, and must do so within 72 hours.
Failing to notify a breach when required to do so can result in a fine; in addition there will be a significant fine for the
breach itself … up to 10 million Euros or 2 per cent of an organisation’s global turnover.
The University will be expected to keep an Internal Breach Register noting all personal / special categories data breaches
When should we notify the ICO?

We should notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. The individuals themselves will also need to be notified in most cases.

Whether to notify or not has to be assessed by the University on a case by case basis, and all staff will be made aware of the University’s internal breach reporting procedures.

Issues to consider when assessing:

Would the breach have a significant detrimental effect on the individuals affected – e.g. result in discrimination, damage to reputation, financial loss, loss of confidentiality, identity theft or any other significant disadvantage?

The ICO guidance states they would expect the following information to be shared:
◦ The nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned; and
◦ the categories and approximate number of personal data records concerned;
◦ The name and contact details of the data protection officer or other contact point where more information can be obtained;
◦ A description of the likely consequences of the personal data breach; and
◦ A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
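The register and notification decision described above, as an added worked example in Python (it is not part of the slides and not an ICO or University tool): a breach-register entry is recorded for every breach, the 72-hour ICO deadline is computed from the moment the organisation became aware, the case-by-case risk test is driven by the detrimental effects listed above, and a completeness check flags which of the ICO-expected items are still missing before a notification goes out. The field names, the two sample incidents and the contact address are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Deadline stated in the slides: notify the ICO within 72 hours of becoming aware.
NOTIFY_WINDOW = timedelta(hours=72)

# Detrimental effects the slides list as grounds for finding a risk to individuals.
DETRIMENTAL_EFFECTS = {
    "discrimination", "reputational_damage", "financial_loss",
    "loss_of_confidentiality", "identity_theft", "other_significant_disadvantage",
}

# Items the ICO expects in a notification (the list above), as field names
# chosen for this example.
REQUIRED_NOTIFICATION_FIELDS = (
    "nature", "data_categories", "approx_individuals", "approx_records",
    "contact_point", "likely_consequences", "measures_taken",
)


@dataclass
class BreachRecord:
    """One row of the internal breach register. Every breach is recorded,
    whether or not it turns out to be notifiable."""
    reference: str
    aware_at: datetime                 # moment the organisation became aware
    nature: str
    effects: set = field(default_factory=set)   # subset of DETRIMENTAL_EFFECTS
    data_categories: set = field(default_factory=set)
    approx_individuals: int = 0
    approx_records: int = 0
    contact_point: str = ""            # DPO or other contact point
    likely_consequences: str = ""
    measures_taken: str = ""

    def risk_to_individuals(self) -> bool:
        """Case-by-case assessment: any listed detrimental effect means the
        breach is likely to risk individuals' rights and freedoms."""
        unknown = self.effects - DETRIMENTAL_EFFECTS
        if unknown:
            raise ValueError(f"unrecognised effect(s): {sorted(unknown)}")
        return bool(self.effects)

    def ico_deadline(self) -> datetime:
        return self.aware_at + NOTIFY_WINDOW


def assess(record: BreachRecord, now: datetime) -> dict:
    """What the register entry requires as of `now`."""
    notify = record.risk_to_individuals()
    deadline = record.ico_deadline()
    return {
        "notify_ico": notify,
        # The slides say individuals are notified "in most cases"; this example
        # simplifies that to the same test (an assumption of the example).
        "notify_individuals": notify,
        "ico_deadline": deadline,
        "hours_remaining": (deadline - now) / timedelta(hours=1),
        "overdue": notify and now > deadline,
    }


def assess_after(record: BreachRecord, hours_since_aware: float) -> dict:
    """Assess the record a given number of hours after awareness."""
    return assess(record, record.aware_at + timedelta(hours=hours_since_aware))


def missing_notification_fields(record: BreachRecord) -> list:
    """ICO-expected items that are still empty on the register entry."""
    return [name for name in REQUIRED_NOTIFICATION_FIELDS if not getattr(record, name)]


def constructed_examples() -> tuple:
    """Two constructed register entries (sample data, not real incidents)."""
    aware = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    notifiable = BreachRecord(
        reference="BR-0001", aware_at=aware,
        nature="Unencrypted laptop holding a student list left on a train",
        effects={"identity_theft", "loss_of_confidentiality"},
        data_categories={"names", "addresses", "dates of birth"},
        approx_individuals=120, approx_records=120,
        contact_point="dpo@example.invalid",
        likely_consequences="Identity fraud against the individuals listed",
        measures_taken="Remote wipe issued; affected students being contacted",
    )
    # Internal mis-send recalled before being read: still recorded in the
    # register, but no detrimental effect was identified on assessment.
    minor = BreachRecord(
        reference="BR-0002", aware_at=aware,
        nature="Email with one staff phone number sent to the wrong internal list, recalled",
        effects=set(),
    )
    return notifiable, minor


if __name__ == "__main__":
    for rec in constructed_examples():
        print(rec.reference, assess_after(rec, 24), missing_notification_fields(rec))
```

`assess_after` takes hours since awareness so the same record can be checked as it approaches and passes the deadline; `missing_notification_fields` is the pre-send check that a notification carries each item the ICO expects.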
Staff Responsibilities

Staff (including volunteers working at the University, external members of committees and contractors) have a responsibility to ensure that personal and special categories data:

◦ is kept on a need to know basis, treated sensitively and disposed of securely;
◦ is not disclosed, orally or in writing, intentionally or accidentally, to any unauthorised member of staff or external third party.

If you need to share personal or special categories data with another member of staff, or with an external third party, make sure that you have satisfied yourself that they have the right to know the information, and if they have, that you have made them aware of the need for confidentiality.

Don’t hesitate to ask questions, e.g. “Why do you need it?”, “What powers do you have to request it?”

Compliance with data protection legislation is both a personal and an organisational responsibility.
Final thoughts … Things to do now
1. Raise awareness of the changes with your colleagues, encourage them to attend training
2. Consider what information you hold, and identify your lawful basis for processing the information
3. Look at your Privacy Notices, and include all the required information
4. Are you set up to be able to deal with the changes to individuals’ rights?
5. Make sure you know who handles subject access requests
6. Do you rely on consent to process information, and if so how will you ensure you comply with the more
stringent requirements? Think about what needs doing both for current information and for the future
7. Do children use your services? Consider what information needs to be provided to them
8. Familiarise yourself with the University’s data breach procedure
9. Data Protection by Design – build this into your processes especially with new technology projects
HIPAA 1996
OBJECTIVES
At the end of this session, the participants will be able to:
◦ Define and explain the HIPAA
◦ Identify which information is governed by the HIPAA rule
◦ Define Protected Health Information (PHI)
◦ Explain verification requirements
◦ Explain rules governing obtaining permission to disclose PHI
◦ Discuss the employee’s role if they are aware of a HIPAA violation
What Is HIPAA?

HIPAA (pronounced hippa) is a federal law.

It’s a set of rules and regulations that affect the health care industry.

They focus on the privacy and security of health care information.

Health care providers must comply, as HIPAA covers:
◦ Health Plans
◦ Health Care Providers
What Does The Privacy Rule Say?
Sets rules for how private information can be used.
Keeps clients/participants more informed.
Limits access by others.
Requires client/participant permission.
Allows access by clients/participants.
Requires that rules be followed.
Increases safeguards.
Enforces penalties.
Individually Identifiable Health Information

Information about health care or payment for health care, such as:
◦ Why a person is visiting the clinic or center;
◦ The type of treatment a person is receiving; or
◦ The fact that a person is receiving Medicaid.

That:
◦ Identifies the person; or
◦ Could possibly identify the person.

Examples of such information include a client/participant’s name, address, social security number, medical record number, or photograph.
Protected Health Information (PHI)

PHI is all individually identifiable health information in any form:
◦ Paper
◦ Verbal
◦ Electronic

Exceptions:
◦ Employment records (including employees’ medical information).
◦ Certain education records.
PHI

Protected Health Information can be stored in/on:
◦ Computers
◦ File Cabinets
◦ Desks/Offices
◦ Disks/CDs
◦ Palm Pilots
Minimum Necessary Requirements

You are only allowed access to the minimum amount of PHI necessary for you to perform your job duties.

You must only disclose the minimum amount of PHI necessary to satisfy a request.

You must only request the minimum amount of PHI you need at the time.
Minimum Necessary – Not Applicable

The minimum necessary rule does not apply to:
◦ Disclosures to, or requests by, a health care provider for treatment;
◦ Uses or disclosures made to the client/participant;
◦ Uses or disclosures that the client authorized;
◦ Disclosure made to the Secretary of HHS; and
◦ Disclosures required by law.
Verification Requirements

Prior to disclosing PHI, you must:
◦ Verify the identity of the person requesting PHI and the authority of that person to have access to PHI; and
◦ When required, get some kind of proof from the person making the request.
Permission To Use or Disclose PHI?

Client/participant authorization is not needed before you disclose his or her PHI:
◦ for treatment, payment, and/or health care operations (TPO);
◦ for abuse reports and investigations.

Generally, however, you do need specific, written authorization from the client/participant before you can use or disclose his or her PHI for other reasons (unless specifically permitted by the Privacy Rule).
TPO

Treatment

Payment

Health Care Operations (examples):
◦ Quality Assessment and Improvement;
◦ Medical Review and Auditing;
◦ Planning and Budget
THINGS TO THINK ABOUT
Situations that often lead to violations of confidentiality
◦ Discussing work with family and friends
◦ Informal discussions with colleagues
◦ Hallway, elevator, lunch break, grocery store
◦ Social gathering
◦ Office parties, etc.
◦ Incoming phone calls
◦ Attentive repairman
Administrative Requirements

Failure to comply with HIPAA is a violation of federal law.

You could even be fined and jailed if you break the law.
If You See A Problem…

If you see or hear about someone who is in violation of HIPAA requirements and procedures, you should tell your supervisor.

All reports should be investigated.

Prohibition on Retaliatory Acts

An employer is bound by law to protect a workforce member from harassment or retaliatory actions if he or she reports a suspected privacy violation.
Crime Victims

You are allowed to disclose PHI to law enforcement without the client/participant’s authorization when:
◦ The PHI disclosed is about the person suspected of a criminal act; and
◦ The PHI disclosed is limited to information relevant to identifying the suspect and the nature of any injury.
Remember…
◦ If you are unsure about how to proceed in a certain situation involving PHI, ask your supervisor.

Remember…
◦ Do not discuss any PHI you see or hear while performing your job with anyone unless necessary!

Remember…
◦ There are significant penalties for misuse of PHI.
Center for Internet Security (CIS) Critical Security Controls

Client System Administration

The CIS (Center for Internet Security) Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks.
With the CIS Controls, You Can...
1. Simplify Your Approach to Threat Protection
2. Comply with Industry Regulations
3. Achieve Essential Cyber Hygiene
4. Translate Information into Action
5. Abide by the Law
Jim Long
Managing Partner - The Long Law Firm, PLLC

We use the CIS Controls to help our clients achieve compliance with state and federal cybersecurity regulations. The CIS 18 are prioritized, easy to understand, and extremely cost-effective for small to mid-size organizations looking to prove they are secure enough to do business in today’s marketplace. I highly recommend starting with CIS in building your cybersecurity program.
Endpoint Protection, Endpoint Detection and Response

Endpoint Protection, Endpoint Detection, and Response (EPDR) is a layered security solution that combines real-time monitoring, data analytics, and automated response.

EDR is a second layer of protection that helps security analysts identify threats and protect the organization. It complements the preventative nature of Endpoint Protection Platforms (EPP), which act as the first line of defense.
THE END

What are the key principles of GDPR?
How does GDPR affect the handling of personal data by companies?
What are the rights of individuals under GDPR?
What are the consequences for businesses that do not comply with GDPR?
How does GDPR impact data transfers outside the EU and EEA?
What is the primary objective of the ISO/IEC 27001 standard?
How can organizations implement an information security management system (ISMS) according to ISO/IEC 27001?
What are the main benefits of obtaining ISO/IEC 27001 certification?
How does the ISO 2700x series help organizations manage information security risks?
What are the differences between ISO/IEC 27001 and other standards in the ISO 2700x series?
What are the main differences between SOC 1, SOC 2, and SOC 3 reports?
Why are SOC 2 reports important for service organizations?
What are the five Trust Services Criteria covered in SOC 2 reports?
How can SOC 1 reports help businesses ensure financial reporting accuracy?
What is the purpose of a SOC 3 report, and who is its intended audience?