Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104


Upload: upekha-vandebona

Post on 11-Jun-2015


DESCRIPTION

Lecture Materials of BIT External IT5104 - Professional Issues in IT 2013/2014 conducted at OSBT

TRANSCRIPT

Page 1: Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104

Chapter 08 – Data Protection, Privacy and Freedom of Information

IT5104 - Professional Issues in IT

OpenArc Campus – BIT Sem V – PIIT 1

DATA & INFORMATION

• Storage
• Processing
• Retention
• Release (transferring, publishing, etc.)
• Protection
• Privacy
• Freedom of Information

Why did it come about?

• Very large amounts of data about individuals were being collected and stored in computers and then used for unacceptable purposes which were not intended when the data was collected.
• Unauthorized people could access such data, and the data might be outdated, incomplete or just plain wrong.

At the beginning, the law on this matter was designed to protect individuals against the misuse of personal data by large organizations. But it has gradually evolved into a wider concern.

People are entitled to keep personal information private.

Ex: Bank balance, medical history, vote in an election, etc.

But for security reasons there can be situations such as telephone tapping and email monitoring by employers as well as by the security services of the state.

Are governments also entitled to keep their information private?

Governments are traditionally reluctant to release information to their citizens. But there is pressure from the public for more open government and for legislation that guarantees freedom of information.

Data Protection

Protection and privacy are two different concepts, though they tend to be treated alike.

Terminology of the UK Data Protection Act 1998

Data: Collected with the intention to process and create information, or just to keep as a record.

Data Controller: Legal or natural person who determines why or how personal data is processed.

Data Processor: Anyone who processes personal data on behalf of the data controller.

Personal Data: Data which relates to a living person who can be identified from that data (possibly taken together with other information the data controller is likely to have). It can include expressions of opinion about the person and indications of the intentions of the data controller or any other person toward the individual.

Data Subject: The individual who is the subject of personal data.

Sensitive Personal Data: Personal data relating to the racial or ethnic origin of data subjects, their political opinions, religious beliefs, memberships of societies, physical or mental health, marital life, or whether they have committed or are alleged to have committed any criminal offence.

Processing: Obtaining, recording or holding the information/data or carrying out any operations on it.

In the Act, data processing also means:

• Organization, adaptation or alteration of the information/data
• Retrieval, consultation or use of the information/data
• Disclosure of the information/data by transmission, dissemination or otherwise making available
• Alignment, combination, blocking, erasure or destruction of the information/data

Data Protection Principles

The 1998 UK Data Protection Act lays down 8 principles which apply to the collection and processing of personal data of any sort. The data controller is responsible for ensuring that these principles are complied with in respect of all the personal data for which they are responsible.

1) Personal data shall be processed fairly and lawfully.

If the data subject doesn’t give their consent, data can only be processed if the data controller is under a legal or statutory obligation for which the processing is necessary.

Ex: It is necessary to inform the users of a website explicitly if it employs cookies, and users must be given the opportunity to refuse them.

2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Ex:
Requiring a declaration of marital status when joining a public library.
Shops demanding to know customers' addresses for an order even when the order does not require a delivery service.

4) Personal data shall be accurate and, where necessary, kept up to date.

Doctors have great difficulty in maintaining up-to-date data about their patients' addresses.

5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

• At the time data is captured, it needs to be defined how long each item of personal data needs to be kept.
• There need to be procedures to ensure that all data is erased at the appropriate time, and this must include erasure from backup copies.
• There can be situations where some personal data is kept for an indefinite period, such as university records of graduating students.

6) Personal data shall be processed in accordance with the rights of data subjects.

7) Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This implies the need for access control (through passwords or other means), backup procedures, integrity checks on the data, etc.

There also need to be authorized personnel who have access to manage these things.

8) Personal data shall not be transferred to a country or territory outside the region unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data.

Rights of Data Subjects

Data subjects have the right to know whether a data controller holds data relating to them. They also have the right to see that data, and the right to have it erased or corrected if it is inaccurate.

Data subjects have the right to receive:

• A description of the personal data being held;
• An explanation of the purpose for which it is being held;
• A description of the people/organizations to which it may be disclosed;
• A clear statement of the specific data held about them;
• A description of the source of the data.

Data subjects have the right:

• To prevent processing likely to cause damage and distress;
• To prevent processing for the purposes of direct marketing;
• To have compensation in case of damage caused by processing of personal data in violation of the principles of the Act.

There may be exceptions, such as:

• Examination candidates do not have the right of access to their marks until after the results of the examinations have been published.
• Disclosing the information may result in infringing someone else's rights.
• Disclosing may be a threat to national security.

All these rights apply to data that is held electronically and, in some cases, to data that is held in manual file systems.

If, however, the data is processed automatically and is likely to be used as the sole basis for taking a decision relating to data subjects (for example, deciding whether to grant them a loan), they have the right to be informed by the data controller of the logic involved in taking that decision. They can also demand that a decision relating to them that has been taken by a fully automatic process should be reconsidered in some other way.

Privacy

Government security services and law enforcement authorities can only intercept, monitor and investigate electronic data in certain specified situations, such as when preventing and detecting crime.

Organizations that provide computer and telephone services (this includes not only ISPs and other telecommunications service providers but also most employers) can monitor and record communications without the consent of the users of the service in some circumstances.

Organizations intercepting communications in this way are under an obligation to make all reasonable efforts to inform users that such interception may take place.

Freedom of Information

Every citizen has rights of access to information held by bodies in the public sector, such as Parliament, government departments, health authorities, universities, schools, etc.

But there may be exceptions, in situations where such disclosures may be avoided due to public interest.

Public authorities are advised to adopt schemes for publication of information. (1919)

Freedom of information does not mean that people can access others’ personal information.

The Impact of the Internet

• Threat to individual privacy due to large centralized data banks.
• Abuse of information management due to data matching.
• Unauthorized traceability of operations performed via online services.
• Navigation trails (browser cookies).
• Capturing information about the way individuals use the internet and building profiles of their habits for marketing purposes or blackmail.
• Jurisdiction for trans-border data flow? (ex: WikiLeaks)