68:["$","div",null,{"className":"mt-16 space-y-8","children":[false,["$","div",null,{"className":"grid w-full gap-4 rounded-2xl bg-muted p-8 sm:grid-cols-2","children":[["$","div",null,{"className":"flex flex-col items-center text-center sm:items-start sm:text-left","children":[["$","span",null,{"className":"font-bold text-accent-primary-foreground text-sm uppercase tracking-wide","children":"Flashcards"}],["$","p",null,{"className":"truncate-3 h3 mt-2 mb-2 font-title","children":"Remember key concepts with flashcards"}],["$","p",null,{"className":"text-muted-foreground","children":[20," flashcards"]}],["$","$L38",null,{"className":"mt-auto block pt-4","href":"./flashcards","children":["$","button",null,{"className":"inline-flex items-center justify-center font-medium ring-offset-background transition-all focus-visible:outline-none focus-visible:ring-2 disabled:cursor-not-allowed disabled:opacity-50 w-fit px-4 py-2 rounded-2xl focus-visible:ring-accent-primary-foreground/50 bg-foreground! text-background!","ref":"$undefined","children":["Practice flashcards"," ",["$","svg",null,{"stroke":"currentColor","fill":"none","strokeWidth":"2","viewBox":"0 0 24 24","strokeLinecap":"round","strokeLinejoin":"round","className":"-mr-1 ml-1 text-2xl opacity-60","children":["$undefined",[["$","line","0",{"x1":"7","y1":"17","x2":"17","y2":"7","children":[]}],["$","polyline","1",{"points":"7 7 17 7 17 17","children":[]}]]],"style":{"color":"$undefined"},"height":"1em","width":"1em","xmlns":"http://www.w3.org/2000/svg"}]]}]}]]}],["$","div",null,{"className":"flex items-center justify-center","children":["$","div",null,{"className":"relative aspect-4/3 w-[280px]","children":[["$","div",null,{"className":"-translate-x-1/2 -translate-y-1/2 -rotate-9 absolute top-1/2 left-1/2 aspect-4/3 w-[240px] rounded-2xl border-2 border-border bg-background shadow-md"}],["$","div",null,{"className":"-translate-x-1/2 -translate-y-1/2 absolute top-1/2 left-1/2 flex aspect-4/3 w-[240px] items-center justify-center rounded-2xl border-2 border-border bg-background p-4 shadow-md","children":["$","$L6a",null,{"className":"truncate-3 max-h-full text-center font-medium text-base leading-5 md:text-lg","children":"What is **multi-factor authentication (MFA)**?"}]}]]}]}]]}],["$","$L6b",null,{"topicLessonData":{"version":"v2","lessonId":"2032b604-57fc-4aa5-88ef-9fdabf592e27","cards":[{"id":"card-1","type":"content","order":1,"title":"What counts as personal data and why privacy matters","blocks":[{"id":"block-1","content":"Any information that can identify an individual directly (for example name) or indirectly (for example a unique ID that can be linked back to them).\n\nPersonal data includes obvious identifiers (name, address, email) and also sensitive records (medical history, finances). Privacy matters because loss of control over personal data can lead to identity theft, fraud, and harm to reputation."},{"id":"block-2","content":"Even “non-obvious” data can identify someone when combined, for example date of birth + postcode + gender.\n\nThis is why data privacy often focuses on what can be inferred from a dataset, not just what is explicitly stored."},{"id":"block-3","content":"Assuming “we did not store names” means the dataset is not personal. If individuals can still be identified, it is still personal data.\n\nRemoving names is not the same as anonymising data; other fields (or combinations of fields) can still allow re-identification."}]},{"id":"card-2","type":"flashcard","cards":[{"id":"fc-1","back":"Any information that can identify an individual directly or indirectly.","front":"Personal data"},{"id":"fc-2","back":"A common term for identifiers that can be linked to a specific person (often overlaps with “personal data”).","front":"PII (personally identifiable information)"},{"id":"fc-3","back":"The individual the personal data is about.","front":"Data subject"},{"id":"fc-4","back":"The organization that collects/stores/uses the personal data and is responsible for protecting it.","front":"Data holder (data controller/organization)"}],"order":2,"skippable":true},{"id":"card-3","hint":"Think “could this identify a person if combined with other data?”","type":"mcq","order":3,"options":[{"id":"a","text":"A list of average class test scores with no student-level rows","isCorrect":false},{"id":"b","text":"A unique customer ID that can be linked to names in another company table","isCorrect":true},{"id":"c","text":"The school’s public holiday calendar","isCorrect":false},{"id":"d","text":"A weather forecast for tomorrow","isCorrect":false}],"question":"Which is the best example of personal data?","explanation":"A unique ID becomes personal data if it can be linked back to an individual (directly or via other data).","correctOptionId":"b"},{"id":"card-4","type":"content","image":{"alt":"Illustration representing privacy, security, and data integrity concepts","src":"https://pub-images.revisiondojo.com/notes/cf7f2f8b-d209-41a2-a6ac-9c6282c140bc.jpeg"},"order":4,"title":"Privacy vs security vs integrity (related but not the same)","blocks":[{"id":"block-1","content":"These three terms are closely related in real-world incidents, but they refer to different goals. **Privacy** is about appropriate collection and use of personal data, giving individuals control over their information, and protecting them from misuse or unnecessary exposure."},{"id":"block-2","content":"**Security** focuses on protecting systems and data from threats such as unauthorized access, malware, and phishing. **Integrity** focuses on the accuracy and consistency of data—ensuring it is not changed incorrectly, accidentally, or without authorization. In a scenario, security often describes *how an incident happens*, while privacy and integrity describe *what kinds of harm occur*."},{"id":"block-3","content":"A university database breach can be a security failure (weak access control), a privacy failure (exposed personal data), and an integrity risk (attackers might change grades).\n\nIn exams, define each term clearly before applying it to a scenario.\n\nIt’s common for a single event to involve more than one of these, so be explicit about which aspect you are referring to."}]},{"id":"card-5","type":"flashcard","cards":[{"id":"fc-1","back":"Control and appropriate use of personal data (consent, purpose, sharing).","front":"Privacy"},{"id":"fc-2","back":"Protection against threats like hacking, phishing, and malware.","front":"Security"},{"id":"fc-3","back":"Data remains accurate, consistent, and unaltered without authorization.","front":"Integrity"}],"order":5,"skippable":true},{"id":"card-6","type":"content","image":{"alt":"Diagram illustrating defence in depth with multiple security layers for protecting personal data","src":"https://pub-images.revisiondojo.com/notes/507f94a5-6285-4db0-80ae-5b1f1cb6fa23.jpeg"},"order":6,"title":"Defence in depth: combining methods (not just one)","blocks":[{"id":"block-1","content":"Protecting personal data usually uses multiple layers:\n\n- Encryption (so stolen data is unreadable)\n- Access control (so only authorized people can reach it)\n- Strong authentication (so accounts are harder to take over)\n- Audits and monitoring (so suspicious access is detected)\n- Anonymization (so shared datasets do not identify individuals)"},{"id":"block-2","content":"“We encrypted the database, so we are safe.” Encryption helps, but attackers can still steal accounts, misuse privileges, or access decrypted data through the application."},{"id":"block-3","content":"\n## Two different risks, two different protections\n\n### Encryption at rest\nProtects stored data (for example on disks, backups, database files). If a laptop or server drive is stolen, the files should not be readable without keys.\n\n### Encryption in transit\nProtects data moving across networks. Typically achieved using secure communication protocols (for example HTTPS/TLS) so eavesdroppers cannot read or modify traffic easily.\n\n### Practical implementation examples (conceptual, but real-world)\n- Web apps commonly rely on TLS for data in transit (browser to server).\n- Databases and storage systems often provide “storage encryption” features for data at rest.\n- Many systems use a key management service (KMS) so encryption keys are controlled and rotated securely.\n"}]},{"id":"card-7","hint":"Think about what happens after a user successfully logs in.","type":"mcq","order":7,"options":[{"id":"a","text":"Encryption prevents all phishing attacks automatically","isCorrect":false},{"id":"b","text":"Encryption removes the need for access control","isCorrect":false},{"id":"c","text":"Authorized users and applications can still access decrypted data, and stolen accounts can bypass encryption","isCorrect":true},{"id":"d","text":"Encryption always makes data anonymous","isCorrect":false}],"question":"Why is encryption by itself not sufficient to protect personal data?","explanation":"Encryption protects data content, but if attackers gain valid access (for example stolen credentials) they can still read data via normal systems.","correctOptionId":"c"},{"id":"card-8","type":"content","order":8,"title":"Access control, RBAC, and least privilege","blocks":[{"id":"block-1","content":"Rules that determine who can access which data and what actions they can perform (read, write, delete).\n\nA common approach is RBAC (role-based access control): permissions are assigned to roles (doctor, receptionist, finance) rather than individually to every user. This simplifies administration and helps keep permissions consistent across users who perform similar tasks."},{"id":"block-2","content":"A key principle is least privilege: give each user the minimum access needed to do their job. This reduces the damage from mistakes and limits the impact if an account is compromised, because unnecessary permissions are not available to be abused."},{"id":"block-3","content":"\nA hospital system might allow doctors to read and update patient records, but reception staff can only view appointment times and basic contact details.\n"},{"id":"block-4","content":"Below is pseudocode showing RBAC plus audit logging:\n\n```text\nFUNCTION canAccess(user, action, resource):\n role <- user.role\n RETURN permissions[role].contains(action, resource)\n\nFUNCTION readRecord(user, recordID):\n IF canAccess(user, \"READ\", \"PATIENT_RECORD\") = false:\n logEvent(\"DENY\", user.id, \"PATIENT_RECORD\", recordID, currentTime())\n RETURN \"ACCESS DENIED\"\n\n logEvent(\"ALLOW\", user.id, \"PATIENT_RECORD\", recordID, currentTime())\n RETURN database.getPatientRecord(recordID)\n```\n\nExam tip: Always mention both prevention (access control) and detection (logging/monitoring) when asked how to protect personal data."}]},{"id":"card-9","hint":"Think “job function”, not “identity”.","type":"fill_blank","order":9,"blanks":[{"id":"word","isMath":false,"options":["role","password","IP address","age"],"correctAnswer":"role","acceptableAnswers":["role"]}],"sentence":"In role-based access control (RBAC), permissions are assigned based on a user’s {{blank:word}}.","useAIValidation":false},{"id":"card-10","hint":"Each technique targets a different part of the risk.","type":"match","order":10,"pairs":[{"id":"pair-1","term":"Encryption","match":"Makes data unreadable without the key"},{"id":"pair-2","term":"Access control","match":"Restricts who can read/change data"},{"id":"pair-3","term":"MFA (multi-factor authentication)","match":"Requires more than one proof of identity"},{"id":"pair-4","term":"Anonymization","match":"Removes or masks identifiers so people cannot be identified"},{"id":"pair-5","term":"Audit logs","match":"Record access actions for later review and detection"}]},{"id":"card-11","type":"content","order":11,"title":"Anonymization and its limits","blocks":[{"id":"block-1","content":"Anonymization removes or masks identifiers so individuals cannot be identified from the dataset. This is useful when sharing data for research or analytics.\n\nThe goal is to reduce the risk that a record can be tied back to a specific person, while still keeping the data useful for analysis."},{"id":"block-2","content":"However, anonymization can fail if:\n- the dataset keeps rare attributes (easy to single out)\n- it can be linked with other datasets (re-identification)\n\nThese risks increase when data contains quasi-identifiers (attributes that are not unique on their own, but become identifying when combined)."},{"id":"block-3","content":"\nRemoving names but keeping full date of birth and postcode can still identify many people when compared with other public records.\n\n\nData minimization helps privacy: only collect and keep the data you actually need for the stated purpose."}]},{"id":"card-12","hint":"Look for combinations that can single out a person.","type":"mcq","order":12,"options":[{"id":"a","text":"Names removed, but full date of birth and postcode kept for each person","isCorrect":true},{"id":"b","text":"Names removed and ages grouped into ranges (for example 20-29)","isCorrect":false},{"id":"c","text":"Only overall averages are shared (no person-level records)","isCorrect":false},{"id":"d","text":"Data is summarized into counts per city, not individuals","isCorrect":false}],"question":"Which situation has the highest risk of re-identification (so privacy is weakest)?","explanation":"Full date of birth plus postcode can uniquely identify many people, especially when linked with other datasets.","correctOptionId":"a"},{"id":"card-13","type":"content","order":13,"title":"Audits, monitoring, and accountability","blocks":[{"id":"block-1","content":"Regular audits and monitoring help detect weaknesses and suspicious behavior. They provide visibility into how systems are actually being used, so security issues can be identified early and investigated with evidence."},{"id":"block-2","content":"Common monitoring practices include:\n- reviewing access logs for unusual patterns (for example repeated denied access, bulk downloads)\n- alerting on “impossible travel” logins (far apart locations in short time)\n- checking that accounts match current staff roles (remove access when someone changes jobs)"},{"id":"block-3","content":"An organization must take responsibility for protecting data and for responding properly if something goes wrong.\n\nOnly focusing on external attackers. Insider threats (misuse by authorized staff) are a major risk in large systems."}]},{"id":"card-14","hint":"Stop the damage early, then investigate and improve.","type":"ordering","items":[{"id":"item-1","content":"Detect and confirm unusual activity (alerts/logs)"},{"id":"item-2","content":"Contain the incident (disable accounts, isolate systems)"},{"id":"item-3","content":"Assess impact (what data, how many people, what risk)"},{"id":"item-4","content":"Notify appropriate parties (as required by policy/law)"},{"id":"item-5","content":"Remediate (patch, reset credentials, improve controls)"},{"id":"item-6","content":"Review and improve (post-incident lessons learned)"}],"order":14,"isTimed":false,"instruction":"Put these steps in a sensible order for responding to a suspected personal-data breach.","correctOrder":["item-1","item-2","item-3","item-4","item-5","item-6"],"timeLimitSeconds":0},{"id":"card-15","type":"content","order":15,"title":"Legal and ethical responsibilities (DPA, GDPR, Computer Misuse Act)","blocks":[{"id":"block-1","content":"Organizations that hold personal data have legal and ethical duties to protect it and use it fairly. These responsibilities apply across the full data lifecycle: collection, storage, processing, sharing, and deletion."},{"id":"block-2","content":"Key ideas often tested:\n- Consent and purpose limitation (use data only for the stated reason)\n- Transparency (be clear about collection and sharing)\n- Security safeguards (reasonable protection measures)\n- Penalties and consequences for mishandling data"},{"id":"block-3","content":"The Computer Misuse Act (in many curricula) focuses on making unauthorized access and data theft a criminal offense. This links legal responsibility to actions like hacking, accessing systems without permission, or modifying data without authorization."},{"id":"block-4","content":"$6c"}]},{"id":"card-16","hint":"Ask “is it a system feature, a people/process control, or a duty/rights issue?”","type":"categorization","items":[{"id":"item-1","image":"","content":"Encrypting database backups","correctCategoryId":"cat-1"},{"id":"item-2","image":"","content":"Multi-factor authentication (MFA)","correctCategoryId":"cat-1"},{"id":"item-3","image":"","content":"Role-based access control (RBAC)","correctCategoryId":"cat-1"},{"id":"item-4","image":"","content":"Staff training on phishing and data handling","correctCategoryId":"cat-2"},{"id":"item-5","image":"","content":"Removing access when employees change roles","correctCategoryId":"cat-2"},{"id":"item-6","image":"","content":"Regular audits and log reviews","correctCategoryId":"cat-2"},{"id":"item-7","image":"","content":"Getting informed consent before collecting data","correctCategoryId":"cat-3"},{"id":"item-8","image":"","content":"Being transparent about how data is shared","correctCategoryId":"cat-3"},{"id":"item-9","image":"","content":"Not selling/disclosing data without permission","correctCategoryId":"cat-3"}],"order":16,"isTimed":false,"categories":[{"id":"cat-1","name":"Technical","color":"#58cc02"},{"id":"cat-2","name":"Organizational","color":"#1cb0f6"},{"id":"cat-3","name":"Legal/Ethical","color":"#ff9600"}],"instruction":"Classify each item as primarily Technical, Organizational, or Legal/Ethical.","timeLimitSeconds":0},{"id":"card-17","hint":"A simple center icon (database) with surrounding rings is enough.","type":"drawing","order":17,"prompt":"Draw a “defence in depth” diagram for personal data in a database. Include at least 4 layers/controls (for example encryption, access control, MFA, logging/monitoring, anonymization). Show which controls protect data “at rest” and which protect data “in transit”.","aspectRatio":"3:2","backgroundType":"blank","evaluationCriteria":"Includes a clear data store, at least 4 correctly labeled controls, and correct placement of “at rest” vs “in transit” protections."},{"id":"card-18","type":"multi-question","order":18,"isTimed":false,"questions":[{"id":"mq-1","isTimed":true,"options":[{"id":"a","text":"Encryption at rest","isCorrect":true},{"id":"b","text":"Strong passwords only","isCorrect":false},{"id":"c","text":"Faster internet","isCorrect":false}],"question":"Which method helps most if a stolen hard drive contains a copy of the database?","timeLimitSeconds":15},{"id":"mq-2","isTimed":true,"options":[{"id":"a","text":"A staff member exports student records for personal gain","isCorrect":true},{"id":"b","text":"A storm causes a power outage","isCorrect":false},{"id":"c","text":"A printer runs out of ink","isCorrect":false}],"question":"Which is an example of an insider threat?","timeLimitSeconds":15},{"id":"mq-3","isTimed":true,"options":[{"id":"a","text":"Data is accurate and not improperly altered","isCorrect":true},{"id":"b","text":"Data loads quickly","isCorrect":false},{"id":"c","text":"Data is colorful","isCorrect":false}],"question":"What does “integrity” focus on?","timeLimitSeconds":15},{"id":"mq-4","isTimed":true,"options":[{"id":"a","text":"Detect and investigate access and changes","isCorrect":true},{"id":"b","text":"Make files smaller","isCorrect":false},{"id":"c","text":"Replace encryption","isCorrect":false}],"question":"What is the main purpose of audit logs?","timeLimitSeconds":15},{"id":"mq-5","isTimed":true,"options":[{"id":"a","text":"The individual agrees after being informed how data will be used","isCorrect":true},{"id":"b","text":"The company decides secretly","isCorrect":false},{"id":"c","text":"Any data online is free to use","isCorrect":false}],"question":"Which statement best matches “consent”?","timeLimitSeconds":15},{"id":"mq-6","isTimed":true,"options":[{"id":"a","text":"Combining sources can reveal identities through linkage","isCorrect":true},{"id":"b","text":"It always deletes duplicates","isCorrect":false},{"id":"c","text":"It guarantees anonymization","isCorrect":false}],"question":"Why can data integration increase privacy risk?","timeLimitSeconds":15},{"id":"mq-7","isTimed":true,"options":[{"id":"a","text":"Computer Misuse Act","isCorrect":true},{"id":"b","text":"Holiday Act","isCorrect":false},{"id":"c","text":"Road Traffic Act","isCorrect":false}],"question":"Which law area is most directly about criminalizing unauthorized access to systems?","timeLimitSeconds":15}]}],"cardCount":18}}]]}]