Hello, my name is Mrs. Holbrook and welcome to Computing.
I'm so pleased you've decided to join me for the lesson today.
In today's lesson, we are going to be looking at the importance of data privacy and how data privacy is maintained by regulations.
Welcome to today's lesson from the unit Databases and SQL.
This lesson is called Data and Privacy.
And by the end of today's lesson, you'll be able to explain how data privacy is maintained in databases and identify regulations that protect personal information.
Shall we make a start? We will be exploring these key words throughout today's lesson.
Let's take a look at them now.
Anonymization.
Anonymization, the process of removing or changing personal information in a dataset so that individuals can no longer be identified.
Privacy.
Privacy, the right to keep your personal life private.
Look out for these key words throughout today's lesson.
Today's lesson is split into two sections.
We'll start by explaining how data privacy is maintained, and then we'll move on to recognise how regulations protect privacy.
Let's make a start by explaining how data privacy is maintained.
Databases are designed to store large volumes of data.
This data could hold sensitive and personal information about individuals.
Aisha says, I didn't like the idea of my personal information being held in lots of databases.
I'm sure lots of other people feel that way too, Aisha.
Imagine your personal details such as your address, school records, medical data are stored in a database.
What could go wrong if that data was exposed or misused? Maybe pause the video whilst you have a think.
Ah, the class have some responses.
Sam says, somebody could use my bank details to open bank accounts, apply for credit cards, or pretend to be me.
Alex says, if my private data becomes public, it could be embarrassing.
Sofia says, future employers, schools, or others might judge me unfairly based on my private information.
These are all really good points.
There are a number of methods that can be used to protect data held in databases.
These methods include user access controls, data encryption, regular audits, and data anonymization.
Let's have a look at each one of these in turn.
User access controls limit who can view, edit, or delete specific data in a database.
Each user is assigned a role, for example, admin, staff, or guest, and those roles have different levels of permission.
Setting appropriate permissions will help to prevent unauthorised access to sensitive or important data.
Database management systems or DBMS allow restrictions to be specified down to the individual record or even field level.
For example, a receptionist might only be able to access names and contact information, whilst a doctor could view the medical records.
The general rule is that a user should be given the lowest level of access needed to do their job.
In this way, there is less opportunity for the accidental loss of data and fewer accounts to investigate if a system is compromised.
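The receptionist and doctor roles described above, written as PostgreSQL statements. This is an added example, not part of the lesson; the table, column, role and account names are constructed for illustration.

```sql
-- Constructed example table: one row per patient.
CREATE TABLE patients (
    patient_id  INTEGER PRIMARY KEY,
    full_name   TEXT NOT NULL,
    phone       TEXT,
    doctor_name TEXT NOT NULL,   -- login name of the treating doctor
    diagnosis   TEXT             -- sensitive medical data
);

-- Roles carry the permissions; people are added to roles.
CREATE ROLE receptionist NOLOGIN;
CREATE ROLE doctor NOLOGIN;

-- Lowest level of access: start from nothing, then grant what each job needs.
REVOKE ALL ON patients FROM PUBLIC;

-- Field level: receptionists see names and contact details, never diagnosis.
GRANT SELECT (patient_id, full_name, phone) ON patients TO receptionist;
GRANT UPDATE (phone) ON patients TO receptionist;

-- Doctors read every field but may only change the diagnosis.
GRANT SELECT ON patients TO doctor;
GRANT UPDATE (diagnosis) ON patients TO doctor;

-- Record level: each doctor is limited to their own patients' rows.
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;

CREATE POLICY reception_all_rows ON patients
    FOR ALL TO receptionist
    USING (true);

CREATE POLICY doctor_own_rows ON patients
    FOR ALL TO doctor
    USING (doctor_name = current_user);

-- Hypothetical staff accounts, placed in roles instead of being granted rights directly.
CREATE ROLE asmith LOGIN;
CREATE ROLE dr_patel LOGIN;
GRANT receptionist TO asmith;
GRANT doctor TO dr_patel;

-- Later, when dr_patel leaves the organisation, access is removed in one step.
REVOKE doctor FROM dr_patel;
```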
Time to check your understanding.
What is the main purpose of setting user access controls in a database? Is it A, to speed up data processing, B, to allow everyone equal access to all data, C, to limit access to sensitive data based on user roles, or D, to permanently delete outdated user accounts? Pause the video whilst you think about your answer.
Did you select C? Well done.
The main purpose of setting user access controls in a database is to limit access to sensitive data based on user roles.
Encryption is the process of converting readable data into ciphertext that only authorised systems or users can decipher.
When data is stored or sent over a network, it's encrypted using an algorithm and a key.
Only someone with the correct key can decrypt and understand the data.
Even if hackers access the database, encrypted data is unreadable to them, protecting sensitive information like passwords, credit card numbers, or health records.
Audits are scheduled checks of how data is stored, accessed, and protected within a system.
Auditors review database activity logs, user access patterns, and security settings to identify risks, unauthorised access attempts, or outdated privacy measures.
Audits help organisations stay compliant with data protection laws like GDPR or The Data Protection Act, and ensure security practices are working effectively.
For example, if a user changes jobs, their access rights should be reviewed and updated if necessary.
When a user leaves an organisation, their access rights must be removed.
Data anonymization is the process of removing or altering personal identifiers from data, so individuals cannot be identified.
Names, addresses, ID numbers, or other identifiable details are removed or replaced with codes.
For example, instead of storing John Smith, Age 15, the database might store User123, Age 15.
Anonymized data can be safely used for research, analysis or sharing without compromising individual privacy.
It reduces the risk of harm if data is leaked or accessed without permission.
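The "User123, Age 15" idea above as PostgreSQL statements, extended with a check for records that are still unique after the names are gone. This is an added example, not part of the lesson; the table, column and role names and the sample rows are constructed for illustration.

```sql
-- Constructed source table holding identifiable records.
CREATE TABLE students (
    student_id INTEGER PRIMARY KEY,
    full_name  TEXT NOT NULL,
    address    TEXT,
    age        INTEGER,
    grade      TEXT
);

-- Constructed sample rows.
INSERT INTO students VALUES
    (1041, 'John Smith',     '1 Example Road', 15, 'B'),
    (1042, 'Sample Pupil A', '2 Example Road', 16, 'A'),
    (1043, 'Sample Pupil B', '3 Example Road', 15, 'C');

-- Research copy: name and address are left out, and the real student_id is
-- replaced by a code numbered in random order, so the code is not derived
-- from any value in the source table.
CREATE TABLE students_research AS
SELECT 'User' || CAST(ROW_NUMBER() OVER (ORDER BY random()) AS TEXT) AS user_code,
       age,
       grade
FROM students;

-- Researchers are given the anonymised copy only, never the source table.
CREATE ROLE researcher NOLOGIN;
REVOKE ALL ON students FROM PUBLIC;
GRANT SELECT ON students_research TO researcher;

-- Check before sharing: a combination of the remaining fields that matches
-- only one person could still point to that individual.
SELECT age, grade, COUNT(*) AS people
FROM students_research
GROUP BY age, grade
HAVING COUNT(*) < 2;
```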
Time to check your understanding.
Select all of the measures which can be used by an organisation to maintain data privacy in a database.
A, set access levels.
B, encrypt data.
C, backup data daily.
And D, conduct regular audits.
Pause the video whilst you think about your answer.
A, C, and D are all measures which can be used by an organisation to maintain data privacy in a database.
Backups are essential if there's a loss of data following a security breach, but they do not maintain data privacy in a database.
Okay, we're moving on to our first task of today's lesson, Task A.
I'd like you to list three methods used to maintain data privacy in a database.
For each method, explain how it works and why it is important.
Pause the video whilst you complete the task.
How did you get on with the task? Well done.
Let's have a look at a sample answer together.
By setting user access controls, only certain people can see or change data based on their role.
This stops unauthorised users from accessing private information and prevents accidental loss of data.
Data can be encrypted with an encryption algorithm.
This converts readable data that everyone can see to encrypted data that only people with a decryption key can access.
This protects information even if it's stolen.
Audits happen when experts check the database regularly to find any security problems or unauthorised access attempts.
This helps keep data safe and secure and helps an organisation update their security settings if required.
Remember, if you would like to pause your video now and add any detail to your response, you can do that now.
So we've explained how data privacy is maintained.
Let's now move on to recognise how regulations protect privacy.
Data theft is when someone takes your data without your permission.
Companies are responsible for keeping the data they have stored about you safe and for protecting your privacy.
For example, your personal data should not be left visible or given to others to see.
Personal data could be stored on a computer or on paper.
In today's digital world, our personal data is collected and used by many organisations, from businesses to government agencies.
Companies must follow rules on how our data is stored and used.
If they fail to follow the law, there are consequences.
Regulations are laws that tell organisations how they must handle personal data to keep it safe and private.
They set rules for collecting, storing, and sharing information.
For example, regulations often require companies to seek permission before collecting personal data, keep data secure using measures like encryption and access controls, limit use of data to only what it was agreed for, allow people to see or delete their own data if they want, and report data breaches quickly if personal information is exposed.
In the UK there are four key documents that protect privacy.
The Human Rights Act Article 8 of 1998, The Data Protection Act of 2018, the Investigatory Powers Act of 2016, and the General Data Protection Regulation or GDPR of 2018.
We will look now at how these laws protect our privacy.
The Data Protection Act of 2018 is a piece of legislation passed by Parliament.
All organisations and people using and storing personal data must comply with the principles of the Data Protection Act.
There are seven principles of the Data Protection Act that companies must follow.
Let's have a look at these seven principles now.
Data must be used fairly, openly, and in accordance with the law.
Used for a specific or stated reason.
Used only in a way that is necessary and sufficient for the purpose for which it was collected.
Accurate and up to date.
Only kept for as long as needed.
Protected against loss, damage, and unauthorised access.
The company controlling the data is responsible for and must show they meet all other principles.
Anyone who has had data collected and stored about them is a data subject.
As a data subject, you have the right to find out what personal data a company stores about you and ask for specific actions to be completed.
You have the right to ask them what data is being used, ask what data is being stored, ask them to update your data, ask for the data to be deleted, stop a company from processing your data, and transfer your data to another organisation.
Time to check your understanding.
The Data Protection Act requires that personal data should only be used for, A, any purpose the organisation chooses, B, the specific purpose it was collected for, C, marketing only, or D, selling to third parties.
Pause the video whilst you think about your answer to the question.
Did you select B? Well done.
The Data Protection Act requires that personal data should only be used for the specific purpose it was collected for.
Article 8 of the Human Rights Act states, "Everyone has the right to respect for his private and family life, his home, and his correspondence." This is known as the right to privacy.
Article 8 of the Human Rights Act means you are protected from:
Your communication being monitored, including phone tapping, the monitoring of emails and internet use, and CCTV.
Your home being searched or put under surveillance.
Your personal information such as your sexuality or medical history being disclosed to other people without your consent.
Losing your rights.
You may lose some or all of these protections if it is a matter of public safety or if you have broken the law.
Do you think this is fair?
The Investigatory Powers Act 2016.
The Investigatory Powers Act 2016, also known as the Snooper's Charter, sets out rules that law enforcement must follow when collecting data on people they suspect to have committed a crime.
It also sets out the requirements of private companies that collect data on citizens so that they can help law enforcement.
The Investigatory Powers Act 2016 enables law enforcement to intercept the online communication of a person if it is, one, in the interest of national security, two, in the interest of the economic well-being of the UK, or three, in support of the prevention or detection of serious crime.
It also requires online communication companies to keep records of communications for up to a year so that they can give them to law enforcement, and bans companies from using or developing communication tools that prevent law enforcement from accessing such communications, for example, encryption tools.
Time to check your understanding.
Match the UK privacy laws with their definitions.
So the laws are Article 8 of the Human Rights Act, the Data Protection Act, and the Investigatory Powers Act.
The definitions are:
This law governs the ability of law enforcement to infringe on citizens' right to privacy.
This law gives citizens the right to privacy.
Your personal information cannot be disclosed to other people without your consent.
This law governs how the data of UK citizens can be collected, stored, or shared.
Pause the video here whilst you match the law to the description.
How did you get on? Did you manage to match the law to the definition? Well done.
Article 8 of the Human Rights Act: this law gives citizens the right to privacy.
Your personal information cannot be disclosed to other people without your consent.
The Data Protection Act, this law governs how the data of UK citizens can be collected, stored, and shared.
Investigatory Powers Act, this law governs the ability of law enforcement to infringe on citizens' right to privacy.
Do you have the right to privacy? In practice, which of the following rights do you think you have, and which rights do you think you are being denied? The right to be informed on data breaches.
Right to informed consent before data is collected.
Freedom from surveillance.
Right to access data held about you by an organisation.
Right to be forgotten by requiring a company to delete the data they have on you.
The right to keep your private life private.
Maybe pause the video whilst you think about each of these.
When do we forfeit our rights? Do you think you've ever given up your rights to privacy? When you sign up for a website such as a shopping website, or an app such as a social networking site, you have to sign a terms and conditions document.
The terms and conditions document contains a privacy policy that outlines what the company will do with your data.
For example, what data they will collect, how they will use it, and who they will sell it to.
The terms and conditions may require you to forfeit rights such as your ability to withdraw consent from certain parties accessing your data, or make it harder for you to access your rights because you have lost track of who knows what about you.
Okay, we are moving on to our last task of today's lesson.
Choose one data protection regulation and answer the following questions, focusing on how it applies to databases in particular.
So for part one, name the regulation.
For part two, state the rules from the regulation that help protect personal data stored in a database.
For part three, explain why these rules are important when managing personal data in a database.
For example, what are the risks if they're not followed? And then finally, for part four, give a real life example of a database situation where a regulation helps protect someone's privacy.
Pause the video whilst you complete the task.
How did you get on? Let's have a look at a sample answer together.
In this example, we've chosen the Data Protection Act, but remember, you may well have chosen one of the other laws in the lesson.
The Data Protection Act is a UK law that protects people's personal information and privacy.
The Data Protection Act states that data must be used for a specific purpose, only necessary data should be collected, and access must be controlled to prevent unauthorised access.
Without these rules, personal data could be misused, shared with the wrong people, or stolen.
The rules help keep data private and safe, especially when stored digitally, for example in a database.
In a school database, the Data Protection Act ensures that only authorised staff are allowed to access students' personal data.
For example, a member of the catering team may be able to see a student's name and catering account balance, but they would not be able to see their grades or address information.
Did you have a similar response? Remember, if you'd like to add any detail to your responses, you can pause the video now.
Okay, we've come to the end of today's lesson, Data and Privacy, and you've done a fantastic job, so well done.
Let's summarise what we've learned together in today's lesson.
Databases are designed to store large volumes of data.
This data could hold sensitive and personal information about individuals.
There are a number of methods that can be used to protect data held in databases.
These methods include user access controls, data encryption, regular audits, and data anonymization.
Regulations are laws that tell organisations how they must handle personal data to keep it safe and private.
I hope you've enjoyed today's lesson and I hope you'll join me again soon.
Bye.