Information security briefly
Information security plays a key role in enforcing data protection. It means protecting data and information systems from unauthorised access. Among other things, the term refers to the technical and organisational measures taken to ensure the confidentiality and integrity of data, the usability of systems and the enforcement of data subjects’ rights.
Traditionally, the purpose of information security measures has been to provide appropriate protection for data, information systems and services by ensuring that risks associated with confidentiality, integrity and accessibility are identified and addressed. In practice, this means, for example, that data and information systems can only be accessed by authorised users, and outside users are not able to process, edit or delete data. Even authorised users may only access data and systems when it is necessary for them to perform their job duties. Data, systems and services must be reliable, fit for purpose and up to date. Data may not be accidentally disclosed, changed or destroyed due to malfunction, malware, hardware or software failure, or other accidents, incidents or failures.
The term used nowadays is digital security, a broad term encompassing the protection of information as a whole.
Data protection is the process of protecting personal data. Data protection is a fundamental right and safeguards the rights and freedoms of data subjects when their personal data is processed. Data processing laws set out the principles for the lawful processing of personal data. The processing of personal data must always be based on law.
Under the EU’s General Data Protection Regulation (GDPR), the term ‘personal data’ is broadly defined as all information relating to an identified or identifiable natural person. Natural persons are considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, an opinion, a job title, image or audio, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
The GDPR imposes heightened requirements on processing activities and personal data that by their nature involve a high risk to the rights and freedoms of data subjects. At the University, data is classified into one of four sensitivity levels.