Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
Lecture materials of BIT External IT5104 - Professional Issues in IT 2013/2014, conducted at OSBT
IT5104 - Professional Issues in IT
OpenArc Campus – BIT Sem V – PIIT 1
• Storage
• Processing
• Retention
• Release (Transferring, Publishing…etc)
• Protection
• Privacy
• Freedom of Information
DATA & INFORMATION
Why did it come about?
• A very large amount of data about individuals was being
collected and stored in computers and then used for
unacceptable purposes that were not intended when the
data was collected.
• Unauthorized people could access such data, and the data
might be outdated, incomplete or just plain wrong.
At the beginning, the law on this matter was designed to protect
individuals against the misuse of personal data by large
organizations, but it has since evolved to address wider concerns.
People are entitled to keep personal information
private.
Ex: bank balance, medical history, vote in an election, etc.
However, as security measures, there can be exceptions, such as telephone
tapping and email monitoring by employers as well as by the security
services of the state.
Are governments also entitled to keep their information
private?
Governments are traditionally reluctant to release
information to their citizens, but there is pressure from the public for
more open government and for legislation that guarantees freedom
of information.
Data Protection
Protection and privacy are two different concepts, but they are often
treated as if they were the same.
Terminology of the UK Data Protection Act 1998
Data: Collected with the intention to process it and create
information, or just to keep as a record.
Data Controller: A legal or natural person who determines why or how
personal data is processed.
Data Processor: Anyone who processes personal data on behalf of the data
controller.
Personal Data: Data which relates to a living person who can be
identified from that data (possibly taken together with
other information the data controller is likely to have). It
can include expressions of opinion about the person
and indications of the intentions of the data controller or
any other person toward the individual.
Data Subject: The individual who is the subject of personal data.
Sensitive Personal Data: Personal data relating to the racial or ethnic
origin of data subjects, their political opinions, religious beliefs,
memberships of societies, physical or mental health,
marital life, or whether they have committed or are alleged to
have committed any criminal offence.
Processing: Obtaining, recording or holding the information/data or
carrying out any operations on it.
In the Act, data processing also means:
• Organization, adaptation or alteration of the information/data
• Retrieval, consultation or use of the information/data
• Disclosure of the information/data by transmission,
dissemination or otherwise making available
• Alignment, combination, blocking, erasure or destruction of the
information/data
Data Protection Principles
The 1998 UK Data Protection Act lays down 8 principles which
apply to the collection and processing of personal data of any
sort. The data controller is responsible for ensuring that these
principles are complied with in respect of all the personal data
for which they are responsible.
1) Personal data shall be processed fairly and lawfully.
If the data subject doesn’t give their consent, data can only be
processed if the data controller is under a legal or statutory
obligation for which the processing is necessary.
Ex:
A website must explicitly inform its users if it employs cookies
and must give them the opportunity to refuse them.
2) Personal data shall be obtained only for one or more
specified and lawful purposes, and shall not be further
processed in any manner incompatible with that purpose
or those purposes.
3) Personal data shall be adequate, relevant and not
excessive in relation to the purpose or purposes for which
they are processed.
Ex:
Requiring people to declare their marital status when joining a public library.
Shops demanding to know customers' addresses for an order even
when the order does not require a delivery service.
4) Personal data shall be accurate and, where necessary,
kept up to date.
Doctors have great difficulty in maintaining up-to-date data about
their patients' addresses.
5) Personal data processed for any purpose or purposes
shall not be kept for longer than is necessary for that
purpose or those purposes.
• At the time data is captured, it needs to be defined how long each
item of personal data needs to be kept.
• There need to be procedures to ensure that all data is erased at
the appropriate time, and this must include erasure from backup
copies.
• There can be situations where some personal data is kept for an
indefinite period, such as university records of graduating
students.
6) Personal data shall be processed in accordance with
the rights of data subjects.
7) Appropriate technical and organizational measures
shall be taken against unauthorized or unlawful processing
of personal data and against accidental loss or destruction
of, or damage to, personal data.
This implies the need for access control (through passwords or
other means), backup procedures, integrity checks on the data,
etc.
There also need to be authorized personnel who have access
to manage these measures.
8) Personal data shall not be transferred to a country or
territory outside the region unless that country or
territory ensures an adequate level of protection for the
rights and freedom of data subjects in relation to the
processing of personal data.
Rights of Data Subjects
Data subjects have the right to know whether a data controller holds
data relating to them. They also have the right to see that data, and
the right to have it erased or corrected if it is inaccurate.
Data subjects have the right to receive:
• A description of the personal data being held;
• An explanation of the purpose for which it is being held;
• A description of the people/organizations to which it may be
disclosed;
• A clear statement of the specific data held about them;
• A description of the source of the data.
Data subjects have the right:
• To prevent processing likely to cause damage and distress;
• To prevent processing for the purposes of direct marketing;
• To have compensation in case of damage caused by processing
of personal data in violation of the principles of the Act.
There may be exceptions, such as:
• Examination candidates do not have the right of access to their
marks until after the results of the examinations have been
published.
• Disclosing the information may result in infringing someone
else's rights.
• Disclosure may be a threat to national security.
All these rights apply to data that is held electronically and, in
some cases, to data that is held in manual file systems.
If, however, the data is processed automatically and is likely to be
used as the sole basis for taking a decision relating to data subjects
(for example, deciding whether to grant them a loan), they have
the right to be informed by the data controller of the logic involved
in taking that decision. They can also demand that a decision
relating to them that has been taken by a fully automatic process
be reconsidered in some other way.
Privacy
Government security services and law enforcement authorities
can only intercept, monitor and investigate electronic data in
certain specified situations such as when preventing and
detecting crime.
Organizations that provide computer and telephone services
(this includes not only ISPs and other telecommunications
service providers but also most employers) can monitor and
record communications without the consent of the users of the
service in some circumstances.
Organizations intercepting communications in this way are under
an obligation to make all reasonable efforts to inform users that
such interception may take place.
Freedom of Information
Every citizen has rights of access to information held by
bodies in the public sector, such as Parliament, government
departments, health authorities, universities, schools, etc.
But there may be exceptions in situations where disclosure may be
avoided in the public interest.
Public authorities are advised to adopt schemes for publication of
information. (1919)
Freedom of information does not mean that people can access
others’ personal information.
The Impact of the Internet
• Threat to individual privacy due to large centralized data
banks.
• Abuse of information management due to data matching.
• Unauthorized traceability of operations performed via online
services.
• Navigation trails (browser cookies)
• Capturing information about the way individuals use the internet
and building profiles of their habits for marketing purposes or
blackmail.
• Jurisdiction for trans-border data flow? (ex: WikiLeaks)