Malicious software that makes data or systems unusable until the victim makes a payment.
See also: WannaCry.
See Records Management.
The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposal of records. Also known as Records Information Management or RIM.
Continued storage and maintenance of records for as long as they are required by the creating or holding organisation until their eventual disposal, according to their administrative, financial and historical evaluation.
Organisations usually have a records retention policy and some records will have legally imposed retention periods.
Identification and assessment of hazards, based on the type of hazard, the likelihood of it occurring and the potential effect of this on individuals, organisations or the environment.
A network device which sends data packets from one network to another based on the destination address. May also be called a gateway.
Secure physical location or agreed set of administrative arrangements within the organisation to ensure confidential personal information is communicated safely and securely. It is a safeguard for confidential information which enters or leaves the organisation, whether this is by fax, post or other means. Any members of staff handling confidential information, whether paper-based or electronic, must adhere to the safe haven principles.
Using electronic or physical destruction methods to securely erase or remove data from memory.
This is a shorthand term that refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002.
The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be transferred to an applicant without the discloser being in breach of the common law duty of confidentiality.
In practice, this means that the person responsible for the information (the data controller) can, if they wish, disclose the information to the applicant without being in breach of the common law duty of confidentiality. They must still comply with all other relevant legal obligations e.g. the GDPR and the Data Protection Act 2018.
Approval also provides reassurance that the person(s) receiving the information has undergone an independent review of their purposes and governance arrangements.
The SIRO is a senior person in an organisation responsible for managing information risk to information assets.
Any incident involving actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals.
See Senior Information Risk Officer.
Manipulating people into carrying out specific actions, or divulging information, that's of use to an attacker.
A targeted form of phishing, where the email is designed to look as if it's from a person the recipient knows and/or trusts.
Article 9 of the GDPR prohibits the processing of personal data revealing
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
and the processing of
- genetic data, biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person's sex life or sexual orientation
except under a number of conditions and exceptions detailed in the regulation.
See also 'criminal record data'.
Characters other than alphanumeric (qv) characters, e.g. ! @ $ % & + ? * etc. A term used in connection with passwords. By expanding the number of different characters that are used in a password there are more possible permutations and the password becomes somewhat more difficult to guess.
The NCSC however now recommends the use of three random words rather than long, complex and meaningless character-based passwords on grounds of usability and memorability.
The GDPR gives data subjects a set of rights:
- Article 15 - Right of access
- Article 16 - Right of rectification
- Article 17 - Right to erasure ('right to be forgotten')
- Article 18 - Right to restriction of processing
- Article 20 - Right to data portability
- Article 21 - Right to object (to processing)
- Article 22 - Right not to be subject to a decision based solely on automated processing, including profiling