SlideShare uma empresa Scribd logo

An ethical approach to data privacy protection

N
Nicha Tatsaneeyapan

An ethical approach to data privacy protection

Marketing
1 de 9
Baixar para ler offline
ISACA JOURNAL VOL 6 1 • Accuracy and completeness when collecting data about a person or persons (corporations included) by technology • Availability of data content, and the data subject’s legal right to access; ownership • The rights to inspect, update or correct these data Data privacy is also concerned with the costs if data privacy is breached, and such costs include the so- called hard costs (e.g., financial penalties imposed by regulators, compensation payments in lawsuits such as noncompliance with contractual principles) and the soft costs (e.g., reputational damage, loss of client trust). Though different cultures put different values on privacy or make it impossible to define a stable, universal value, there is broad consensus that privacy does have an intrinsic, core and social value. Hence, a privacy approach that embraces the law, ethical principles, and societal and environmental concerns is possible despite the complexity of and difficulty in upholding data privacy. Data Privacy Protection Indeed, protecting data privacy is urgent and complex. This protection is necessary because of the ubiquity of the technology-driven and information-intensive environment. Technology- driven and information-intensive business operations are typical in contemporary corporations. The benefits of this trend are that, among other things, the marketplace is more transparent, consumers are better informed and trade practices are more fair. The downsides include socio-techno risk, which originates with technology and human users (e.g., identity theft, information warfare, phishing scams, cyberterrorism, extortion), and the creation of more opportunities for organized and sophisticated cybercriminals to exploit. This risk results in information protection being propelled to the top of the corporate management agenda. The need for data privacy protection is also urgent due to multidirectional demand. Information protection becomes an essential information security Privacy, trust and security are closely intertwined, as are law and ethics. Privacy preservation and security provisions rely on trust (e.g., one will allow only those whom one trusts to enter one’s zone of inaccessibility; one will not feel secure unless one trusts the security provider). Violation of privacy constitutes a risk, thus, a threat to security. Law provides a resolution when ethics cannot (e.g., ethics knows that stealing is wrong; the law punishes thieves); ethics can provide context to law (e.g., law allows trading for the purpose of making a profit, but ethics provides input into ensuring trade is conducted fairly). Privacy breaches disturb trust and run the risk of diluting or losing security; it is a show of disrespect to the law and a violation of ethical principles. Data privacy (or information privacy or data protection) is about access, use and collection of data, and the data subject’s legal right to the data. This refers to: • Freedom from unauthorized access to private data • Inappropriate use of data feature feature An Ethical Approach to Data Privacy Protection Wanbil W. Lee, DBA, FBCS, FHKCS, FHKIE, FIMA Is principal director of Wanbil Associates, founder and president of The Computer Ethics Society, and cofounder and Life Fellow of the Hong Kong Computer Society. He serves on committees of several professional bodies, editorial boards and government advisory committees. He has held professorial and adjunct appointments in a number of universities. His expertise is in information systems, and he has a strong interest in information security management, information systems audit and ethical computing. Wolfgang Zankl, Ph.D. Is a professor of private and comparative law at the University of Vienna (Austria) and associate lecturer for social media law at the Quadriga University (Berlin, Germany). He founded and runs the European Center for E-commerce and Internet Law (e-center.eu) and is a board member of The Computer Ethics Society. Henry Chang, CISM, CIPT, CISSP , DBA, FBCS Is an adjunct associate professor at the Law and Technology Centre, the University of Hong Kong. Chang is an appointed expert to the Identity Management and Privacy Technologies Working Group (SC27 WG5) of the International Organization for Standardization (ISO). His research interests are in technological impact on privacy, accountability and Asia privacy laws. ©2016 ISACA. All rights reserved. www.isaca.org
ISACA JOURNAL VOL 6 2 Methods for Data Privacy Protection The method is modeled on a framework originally perceived and developed to provide a fresh view to decision makers and is based on the following three major instruments: • The International Data Privacy Principles (IDPPs)1 for establishing and maintaining data privacy policies, operating standards and mitigation measures • Hong Kong’s Data Protection Principles of personal data (DPPs)2 for reinforcing those policies, standards and guidelines • The hexa-dimension metric operationalization framework3 for executing policies, standards and guidelines International Data Privacy Principles Data privacy can be achieved through technical and social solutions. Technical solutions include safeguarding data from unauthorized or accidental access or loss. Social solutions include creating acceptability and awareness among customers about whether and how their data are being used, and doing so in a transparent and confidential way. Employees must commit to complying with corporate privacy rules, and organizations should instruct them in how to actively avoid activities that may compromise privacy. Next to technical and social solutions, the third element of achieving privacy is complying with data protection laws and regulations, which involves two issues. The first concern is that legal regulation is slow and, thus, unable to keep function to help develop and implement strategies to ensure that data privacy policies, standards, guidelines and processes are appropriately enhanced, communicated and complied with, and effective mitigation measures are implemented. The policies or standards need to be technically efficient, economically/financially sound, legally justifiable, ethically consistent and socially acceptable since many of the problems commonly found after implementation and contract signing are of a technical and ethical nature, and information security decisions become more complex and difficult. Data privacy protection is complex due to socio- techno risk, a new security concern. This risk occurs with the abuse of technology that is used to store and process data. For example, taking a company universal serial bus (USB) device home for personal convenience runs the risk of breaching a company regulation that no company property shall leave company premises without permission. That risk becomes a data risk if the USB contains confidential corporate data (e.g., data about the marketing strategy, personnel performance records) or employee data (e.g., employee addresses, dates of birth). The risk of taking the USB also includes theft or loss. Using technology in a manner that is not consistent with ethical principles creates ethical risk, another new type of risk. In the previous example, not every staff member would take the company USB home, and those who decide to exploit the risk of taking the USB may do so based on their own sense of morality and understanding of ethical principles. The ethical risk (in addition to technical risk and financial risk) arises when considering the potential breach of corporate and personal confidentiality. This risk is related partly to technology (the USB) and partly to people (both the perpetrator and the victims) and is, therefore, a risk of a technological-cum-social nature—a socio-techno risk. Hence, taking home a USB is a vulnerability that may lead to a violation of data privacy. However, the problem of data privacy is not unsolvable. The composite approach alluded to earlier that takes into consideration the tangible physical and financial conditions and intangible measures against logical loopholes, ethical violations, and social desirability is feasible, and the method suggested in this article, which is built on a six-factor framework, can accomplish this objective. ©2016 ISACA. All rights reserved. www.isaca.org Data privacy can be achieved through technical and social solutions.
ISACA JOURNAL VOL 6 3 between what is given and what is received. That philosophy explains why companies such as Google or Facebook, for whose services the customer does not pay, have the right to use personal data. In other words, that tradeoff—data for services— is the balance.4 The consumer being less protected when receiving free services is a basic element of the European E-Commerce Directive, which does not apply to services that are offered free of charge. But this consideration is only a first step. Applied to a modern data environment, a balance also has to be struck in relation to other parameters relevant to contractual aspects of data privacy. Since data are a contract matter, it is important to consider what kind of personal data are in consideration (e.g., sensitive and nonsensitive data have to be distinguished and treated differently), and since contracts are concluded by mutual consent, the extent of such consent also has to be taken into account. For example, does consent have to be declared explicitly or is accepting the terms of use sufficient? The IDPPs approach takes into consideration the Asian, European, US and international data protection standards and focuses on personal data, but can apply to corporate data as well. These principles suggest that the three parameters (payment, consent and data category) should be balanced and combined with the previously mentioned, Asian, European, US and international up with the rapid developments of information technology. Legal solutions are usually at least one step behind technological developments. Data privacy by electronic means should, therefore, be based not only on traditional jurisdiction, but also on soft law, i.e., self-binding policies such as the existing data privacy principles. Soft law may be more effective than hard law. The reactions of disappointed customers, especially when those reactions are spread by social media, and the fact that noncompliance with corporate governance may result in unfair competition and/or liability toward affected customers (unfair competition by not complying with self-binding policies/liability toward customers by breach of contract) will often be more effective than mere fines or penalties. The second problem of data protection has to do with the fact that these regulations are not internationally harmonized, causing severe complications (especially between the United States and the European Union) on a cross-border basis, which is the rule rather than the exception in modern business. To make data privacy rules work in a global environment, the principles outlined in this article consider US standards (e.g., the US Federal Trade Commission’s Fair Information Practices), European standards (e.g., Data Protection Directive 95/46/EC and the General Data Protection Regulation [GDPR]), Asian regulations (e.g., Hong Kong Personal Data Privacy Ordinance [PDPO]) and international benchmarks (e.g., the Organization for Economic Co-operation and Development [OECD] Privacy Framework Basic Principles). This article also considers the fact that common data privacy regulations, especially in Europe, tend to focus on a traditional human rights approach, neglecting the fact that nowadays, data are usually given away voluntarily upon contractual agreement. When using sites such as Google, Baidu, Amazon, Alibaba or Facebook, users agree with the terms and conditions of these companies. Data privacy should consider not only mere data protection, but also contractual principles, among which one of the oldest and most fundamental is do ut des, meaning a contract in which there is a certain balance ©2016 ISACA. All rights reserved. www.isaca.org Common data privacy regulations, especially in Europe, tend to focus on a traditional human rights approach, neglecting the fact that nowadays, data are usually given away voluntarily.
ISACA JOURNAL VOL 6 4 11. Do not transfer personal data to countries with inadequate or unknown data protection standards unless the customer is informed about these standards being inadequate or unknown and agrees to such a transfer. 12. In the case of a contract between the company and the customer in which the customer commits to pay for services or goods: – Inform the costumer individually and as soon as reasonably possible in the event of a data breach. – Inform the customer upon request about which specific data are stored, and delete such data upon request unless applicable laws or regulations require the company to continue storing such data. – Do not use or divulge content-related personal data. – Do not use or divulge any other personal data without the customer’s explicit, separate and individual consent. – Do not store, use or divulge any customer data, unless applicable laws or regulations require the company to continue storing such data. standards, putting them into a set of privacy rules. Organizations in compliance with international data privacy standards should commit to the following 13 IDPPs:5 1. Comply with national data protection or privacy law, national contract law, and other legal requirements or regulations relating to data privacy. 2. Comply with current security standards to protect stored personal data from illegitimate or unauthorized access or from accidental access, processing, erasure, loss or use. 3. Implement an easily perceptible, accessible and comprehensible privacy policy with information on who is in charge of data privacy and how this person can be individually contacted, why and which personal data are collected, how these data are used, who will receive these data, how long these data are stored, and whether and which data will be deleted or rectified upon request. 4. Instruct employees to comply with such privacy policies and avoid activities that enable or facilitate illegitimate or unauthorized access in terms of IDPPs. 5. Do not use or divulge any customer data (except for statistical analysis and when the customer’s identity remains anonymous), unless the company is obliged to do so by law or the customer agrees to such use or circulation. 6. Do not collect customer data if such collection is unnecessary or excessive. 7. Use or divulge customer data in a fair way and only for a purpose related to activities of the company. 8. Do not outsource customer data to third parties unless they also comply with standards comparable to these IDPPs. 9. Announce data breaches relating to sensitive data. 10. Do not keep personal data for longer than necessary. ©2016 ISACA. All rights reserved. www.isaca.org
ISACA JOURNAL VOL 6 5 take on the same principles-based approach. For example, the UK’s Data Protection Act uses eight DPPs,8 Australia’s Privacy Act has 13 privacy principles,9 and the Canadian Personal Information Protection and Electronic Documents Act has 10 principles.10 For the purpose of illustration, the remaining part of this article will use Hong Kong’s PDPO, enacted in 1995 and Asia’s first privacy law, to highlight the salient points on how ethical considerations are built within the implementation of privacy legislation that is compatible with the OECD Privacy Guidelines. The Six Data Protection Principles of PDPO An explanation of the DPPs is provided by the Hong Kong,11 Office of the Privacy Commissioner for Personal Data, and can be summarized as: 1. Data Collection and Purpose Principle: • Personal data must be collected in a lawful and fair way for a purpose directly related to a function/activity of the data user (i.e., those who collect personal data). 13. In the absence of a contract between the company and the customer in which the customer commits to pay for services or goods: – Inform the customer as soon as reasonably possible in the event of data breaches. – Inform the customer upon request what types of sensitive data are stored and delete such data upon request when such data are outdated, unless applicable laws or regulations require the company to continue storing such data. – Do not use or divulge sensitive data without the customer’s explicit, separate and individual consent. The Hong Kong Personal Data Privacy Ordinance The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Privacy Guidelines)6 are often the standard that data protection laws of many countries reference.7 The OECD Privacy Guidelines have eight basic principles: 1. Collection Limitation Principle 2. Data Quality Principle 3. Purpose Specification Principle 4. Use Limitation Principle 5. Security Safeguards Principle 6. Openness Principle 7. Individual Participation Principle 8. Accountability Principle Being a framework with the aim of providing guidelines to jurisdictions to enact their own privacy laws, the definitions of these principles are at a high level deliberately. When these high-level principles are converted to national laws, many jurisdictions ©2016 ISACA. All rights reserved. www.isaca.org
ISACA JOURNAL VOL 6 6 relativistic judgement will, in turn, be influenced by the society’s acceptable behavior and value, i.e., its collective ethical belief. • DPP2 states that collected personal data are not to be kept for longer than is necessary. As there is also an element of judgment on necessity, it can be argued on utilitarian grounds that there could be an ethical dilemma in deciding on a short retention period that is protective of the individuals or a longer period that is protective of the interests (commercial or otherwise) of the organization that collects the personal data. • DPP3 states that data use that is not directly related to the original purpose may be carried out only with the consent of the individual. This may be translated as respecting the wishes of the individuals. Even if the organization thinks that the changed use would be beneficial to individuals, the organization has no right to take away the individual’s free will and choice. • DPP4 states that organizations should implement reasonable security protection on the collected personal data to prevent data leakage. While leaving aside the decision on how many resources and how much effort an organization should use to protect the personal data collected, DPP4 asks organizations to balance the resources and effort against the likely harm to individuals. • Data subjects (i.e., individuals from whom personal data are collected) must be notified of the purpose and the classes of persons to whom the data may be transferred. • Data collected should be necessary, but not excessive. 2. Accuracy and Retention Principle—Personal data must be accurate and should not be kept for a period longer than is necessary to fulfill the purpose for which they are used. 3. Data Use Principle—Personal data must be used for the purpose for which the data are collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject. 4. Data Security Principle—A data user needs to take reasonably practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use, while taking into account the harm that would affect the individual should there be a breach. 5. Openness Principle­ ­­ —A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data are used. 6. Data Access and Correction Principle—Data subjects must be given access to their personal data and allowed to make corrections if the data are inaccurate. The PDPO is principle-based and is not a piece of prescriptive law. Knowing the underlying ethical considerations for each principle will help an organization to better understand the spirit and the letter of the law when developing a compliance program. In particular, ethical relevance is clearly evident in the implications of PDPO privacy protection principles: • DPP1 explains that the collection of personal data must be fair and that personal data collected should not be excessive. Whether the collection is fair and excessive will have to be assessed under the circumstance. Given that fairness and excessiveness for one person may not be the same for another person, there is, inevitably, a judgment involved in the assessment. That ©2016 ISACA. All rights reserved. www.isaca.org Knowing the underlying ethical considerations for each principle will help an organization to better understand the spirit and the letter of the law.
ISACA JOURNAL VOL 6 7 in enforcing those rules or standards; they rely purely on the moral obligation of the stakeholders concerned, because violation by itself does not, in general, attract any criminal charges in the legal sense. However, despite the good intention and official adoption, the code by itself cannot guarantee more ethical behavior, and auxiliary measures must be in force to operationalize the rules and standards effectively. Organizations of all varieties might have some kind of code of practice in place. However, the extant codes invariably tend to focus on technical, financial and legal issues and are insufficient when considering the ethical, social and ecological concerns that rapidly emerge and ascend to the top of corporate and IT management agendas. Different organizations have their own unique policies and a unique code of conduct; there can be no universal recipe, only a general guideline. As a general guideline for designing a code of conduct, the hexa-dimension framework is recommended. This framework comprises two major components: the theoretical hexa- dimension metric for measuring legal validity, social desirability, ecological sustainability, ethical acceptability, technical effectiveness and financial In 2010, ethical considerations related to data protection played a major role in testing existing laws. The Octopus card is an “electronic wallet” that many Hong Kong residents use for daily transportation and everyday purchases. In 2010, it was discovered that Octopus Cards Limited, the company that owned the cards, was selling card owners’ loyalty membership to insurance companies for direct marketing purposes. As a result of public outcry, the privacy commissioner investigated and concluded that while the sales of customer records was not prohibited by the law at the time, the company failed to make a meaningful effort to seek consent from customers when it informed them of this data use in a privacy policy statement. The company denied contravening the law, but accepted that its actions felt short of customer expectations. Two major officers of the company stepped down during the investigation.12, 13 The heightened public awareness of personal data rights that arose in the wake of the incident changed expectations of organizational behavior. No longer will people accept companies doing only the bare minimum required by law; they must also act ethically. The chief executive officer (CEO) who took over Octopus Cards Limited after the incident captured the new expectations succinctly: “We need to do not just [what is] legal, but what is right.”14 The Hexa-dimension Code of Conduct A code of conduct serves a variety of functions, one of the most important of which is to serve as a guide for stakeholders based on a set of rules and standards. Despite official adoption, company policies and standards, which tend to be difficult for stakeholders, including employees to absorb, are not easy to enforce effectively and are probably ignored in the end. A code of conduct, if formulated and articulated well, should serve to communicate the policies and standards to stakeholders in a relatable way. While such codes may serve to deter potential offensive actions, they are limited ©2016 ISACA. All rights reserved. www.isaca.org
ISACA JOURNAL VOL 6 8 viability (the six requirements/factors) and a scheme for operationalizing the framework. The operationalization scheme is carried out in three major steps including: • Identify the relevant critical factors depending on the target end users (corporatewide or a functional unit or nature of operation). For example, environmental impact is critical for a mining company or a factory, but could probably be skipped for an information security unit. • Secure the support of the board of directors with respect to corporate policy aspects and the supporting infrastructures that include the organization’s human resources (HR) management, legal, finance, and information and communications technology functional units with respect to technical support and reference. An appraisal of ethical consistency in conduct should be included during annual performance reviews (by HR). • Determine a schedule for quantifying the elements of each factor for measuring, prioritizing and balancing the factors. The attributes/factors with help determine the steps to be taken to measure the effectiveness. If properly and appropriately formulated and articulated, the code can be useful in disseminating the policies and standards throughout the organization and beyond, thus cultivating corporatewide ethical, professional conduct. While a code may deter potential offensive actions, it is limited in enforcing the rules or standards. The limitation exists because the code can rely only on the stakeholders’ sense of morality because violation of the code does not entail any criminal charges. Auxiliary measures must be put in place to arrive at desirable results, such as executive actions that provide rewards and impose punishment (e.g., discussing the hexa-dimensional code of conduct during an annual performance appraisal when those being appraised are asked to exemplify that their assigned duties were carried out in a manner consistent with data privacy protection policies, i.e., not breaking the law; not harmful to individuals and society at large; not wasteful of the resources available including the computer facilities, the workforce, the budget; and not harming the environment). Conclusion Information security professionals are in urgent need of effective and pragmatic guidance for developing data privacy protection standards for two major reasons. The first is that the information security function in a technology-driven information-intensive environment becomes more complicated due to new risk (e.g., socio-techno risk); the second is that data privacy protection becomes a primary concern to information security management as privacy infringement occurs frequently and attracts wide coverage in the media. Viewing privacy from the perspective of ethics can help enterprises establish and improve their code of conduct. Considering privacy from an ethical point of view and establishing a code of conduct makes all individuals in an organization, not just security personnel, accountable for protecting valuable data. Endnotes 1 Zankl, W.; The International Data Privacy Principles, presented at Harvard University, Cambridge, Massachusetts, USA, October 2014, www.e-center.eu/static/files/moscow- dataprivacy-handout-russian.pdf ©2016 ISACA. All rights reserved. www.isaca.org While a code may deter potential offensive actions, it is limited in enforcing the rules or standards.
ISACA JOURNAL VOL 6 9 2 The Personal Data (Privacy) Ordinance, Chapter 486 , https://www.pcpd.org.hk/english/ files/pdpo.pdf and https://www.pcpd.org. hk/english/data_privacy_law/ordinance_at_a_ Glance/ordinance.html 3 Lee, W. W.; “A Hexa-dimension Metric for Designing Code of Ethical Practice,” Encyclopedia of Information Science and Technology, 4th Edition, July 2017 4 It has been argued that companies using, for instance, their Internet platforms for advertising purposes are already being paid by the advertisers so there is no need for further payment with data. This point of view neglects the fact that do ut des refers to a balance between quid pro quo of the contracting parties and not between these parties and third parties. That is why readers have to pay for magazines despite the publisher receiving payments from third parties (advertisers). 5 Op cit, Zankl 6 Organization for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, www.oecd.org/sti/ieconomy/cdguidelinesonthe protectionofprivacyandtransborderflowsof personaldata.htm 7 Greenleaf, G; “Global Data Privacy Laws 2015: 109 Countries, with European Laws Now a Minority,” 133 Privacy Laws Business International Report, February 2015, p. 14-17 8 Information Commissioner’s Office, Data Protection Principles, United Kingdom, https://ico.org.uk/for-organisations/guide-to- data-protection/data-protection-principles/ 9 Office of the Austrailian Information Commissioner, Australian Privacy Principles, https://oaic.gov.au/privacy-law/privacy-act/ australian-privacy-principles 10 Office of the Privacy Commissioner of Canada, PIPEDA Fair Information Principles, September 2011, https://www.priv.gc.ca/en/ privacy-topics/privacy-laws-in-canada/the- personal-information-protection-and-electronic- documents-act-pipeda/p_principle/ 11 Office of the Privacy Commissioner for Personal Data, Six Data Protection Principles, Hong Kong, https://www.pcpd.org.hk/english/data- privacy_lau/6_data_protection/principles.html 12 Ng, J.; “Octopus CEO Resigns Over Data Sale,” The Wall Street Journal, 4 August 2010, https://www.pcpd.org.hk/english/data_privacy_ law/6_data_protection_principles/principles.html 13 Chong, D.; “Second Octopus Boss Quits Amid Scandal,” The Standard, 20 October 2010, www.thestandard.com.hk/news_detail.asp?pp_ cat=30art_id=104016sid=29979255con_ type=1d_str=20101020sear_year=2010 14 Cheung, S.; “The Challenges of Personal Data Privacy in A New Era,” International Conference on Privacy Protection in Corporate Governance, 11 February 2014, https://www.pcpd.org.hk/ privacyconference2014/programme.html ©2016 ISACA. All rights reserved. www.isaca.org

Recomendados

Review questions
Review questionsReview questions
Review questionsAnura Kumara
 
Chapter 1
Chapter 1Chapter 1
Chapter 1anas_desa
 
Mis ethical social
Mis ethical socialMis ethical social
Mis ethical socialuniversity of education,Lahore
 
Information system ethics
Information system ethicsInformation system ethics
Information system ethicsKriscila Yumul
 
Ethical And Social Issues in MIS - Management Information System
Ethical And Social Issues in MIS - Management Information SystemEthical And Social Issues in MIS - Management Information System
Ethical And Social Issues in MIS - Management Information SystemFaHaD .H. NooR
 
Ethical Issues related to Information System Design and Use
Ethical Issues related to Information System Design and UseEthical Issues related to Information System Design and Use
Ethical Issues related to Information System Design and Useuniversity of education,Lahore
 
Chapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information SystemsChapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information SystemsSammer Qader
 
Social & Ethical Issues in Information Systems
Social & Ethical Issues in Information SystemsSocial & Ethical Issues in Information Systems
Social & Ethical Issues in Information Systemsuniversity of education,Lahore
 

Recomendados

Review questions
Review questionsReview questions
Review questionsAnura Kumara
 
Chapter 1
Chapter 1Chapter 1
Chapter 1anas_desa
 
Mis ethical social
Mis ethical socialMis ethical social
Mis ethical socialuniversity of education,Lahore
 
Information system ethics
Information system ethicsInformation system ethics
Information system ethicsKriscila Yumul
 
Ethical And Social Issues in MIS - Management Information System
Ethical And Social Issues in MIS - Management Information SystemEthical And Social Issues in MIS - Management Information System
Ethical And Social Issues in MIS - Management Information SystemFaHaD .H. NooR
 
Ethical Issues related to Information System Design and Use
Ethical Issues related to Information System Design and UseEthical Issues related to Information System Design and Use
Ethical Issues related to Information System Design and Useuniversity of education,Lahore
 
Chapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information SystemsChapter 4 Ethical and Social Issues in Information Systems
Chapter 4 Ethical and Social Issues in Information SystemsSammer Qader
 
Social & Ethical Issues in Information Systems
Social & Ethical Issues in Information SystemsSocial & Ethical Issues in Information Systems
Social & Ethical Issues in Information Systemsuniversity of education,Lahore
 
Ethical and social issues in management information systems for BBA hons pro...
Ethical and social issues in management information systems for BBA hons pro...Ethical and social issues in management information systems for BBA hons pro...
Ethical and social issues in management information systems for BBA hons pro...Tonmoy zahid Rishad
 
4 key technological trends that raise ethical issues
4 key technological trends that raise ethical issues4 key technological trends that raise ethical issues
4 key technological trends that raise ethical issuesRownel Cerezo Gagani
 
Information ethics
Information ethicsInformation ethics
Information ethicsomercomail
 
Stallings ch18 privacy
Stallings ch18 privacyStallings ch18 privacy
Stallings ch18 privacysalehnia
 
Information security
Information securityInformation security
Information securityInformation Services, Aberystwyth University
 
Data set module 4
Data set module 4Data set module 4
Data set module 4Data-Set
 
102 Chapter 4 Pt 2
102 Chapter 4 Pt 2102 Chapter 4 Pt 2
102 Chapter 4 Pt 2manpreet04
 
Ethical and social issues in information systems
Ethical and social issues in information systemsEthical and social issues in information systems
Ethical and social issues in information systemsProf. Othman Alsalloum
 
Information privacy and Security
Information privacy and SecurityInformation privacy and Security
Information privacy and SecurityAnuMarySunny
 
Information Ethics
Information EthicsInformation Ethics
Information EthicsUMaine
 
The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...Rabelani Dagada
 
اخلاقيات الثاني
اخلاقيات الثانياخلاقيات الثاني
اخلاقيات الثانيBunayan ALdosari
 
Gr 3 Societal Issues of Information System Design and Use
Gr 3 Societal Issues of Information System Design and UseGr 3 Societal Issues of Information System Design and Use
Gr 3 Societal Issues of Information System Design and Useuniversity of education,Lahore
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacyimehreenx
 
Ethical issues-extra
Ethical issues-extraEthical issues-extra
Ethical issues-extraProf(Dr)Vijayendra Gupta
 
Information ethics & intro to information security
Information ethics & intro to information securityInformation ethics & intro to information security
Information ethics & intro to information securityUMaine
 
Cs8792 cns - unit i
Cs8792 cns - unit iCs8792 cns - unit i
Cs8792 cns - unit iArthyR3
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher EducationRapid7
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Data Privacy and Protection in the Digital Age - pdf.pdf
Data Privacy and Protection in the Digital Age - pdf.pdfData Privacy and Protection in the Digital Age - pdf.pdf
Data Privacy and Protection in the Digital Age - pdf.pdfKarpagam Institute
 

Mais conteúdo relacionado

Mais procurados

Ethical and social issues in management information systems for BBA hons pro...
Ethical and social issues in management information systems for BBA hons pro...Ethical and social issues in management information systems for BBA hons pro...
Ethical and social issues in management information systems for BBA hons pro...Tonmoy zahid Rishad
 
4 key technological trends that raise ethical issues
4 key technological trends that raise ethical issues4 key technological trends that raise ethical issues
4 key technological trends that raise ethical issuesRownel Cerezo Gagani
 
Information ethics
Information ethicsInformation ethics
Information ethicsomercomail
 
Stallings ch18 privacy
Stallings ch18 privacyStallings ch18 privacy
Stallings ch18 privacysalehnia
 
Data set module 4
Data set module 4Data set module 4
Data set module 4Data-Set
 
102 Chapter 4 Pt 2
102 Chapter 4 Pt 2102 Chapter 4 Pt 2
102 Chapter 4 Pt 2manpreet04
 
Ethical and social issues in information systems
Ethical and social issues in information systemsEthical and social issues in information systems
Ethical and social issues in information systemsProf. Othman Alsalloum
 
Information privacy and Security
Information privacy and SecurityInformation privacy and Security
Information privacy and SecurityAnuMarySunny
 
Information Ethics
Information EthicsInformation Ethics
Information EthicsUMaine
 
The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...Rabelani Dagada
 
اخلاقيات الثاني
اخلاقيات الثانياخلاقيات الثاني
اخلاقيات الثانيBunayan ALdosari
 
Gr 3 Societal Issues of Information System Design and Use
Gr 3 Societal Issues of Information System Design and UseGr 3 Societal Issues of Information System Design and Use
Gr 3 Societal Issues of Information System Design and Useuniversity of education,Lahore
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacyimehreenx
 
Information ethics & intro to information security
Information ethics & intro to information securityInformation ethics & intro to information security
Information ethics & intro to information securityUMaine
 
Cs8792 cns - unit i
Cs8792 cns - unit iCs8792 cns - unit i
Cs8792 cns - unit iArthyR3
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher EducationRapid7
 

Mais procurados (20)

Ethical and social issues in management information systems for BBA hons pro...
Ethical and social issues in management information systems for BBA hons pro...Ethical and social issues in management information systems for BBA hons pro...
Ethical and social issues in management information systems for BBA hons pro...
 
4 key technological trends that raise ethical issues
4 key technological trends that raise ethical issues4 key technological trends that raise ethical issues
4 key technological trends that raise ethical issues
 
Information ethics
Information ethicsInformation ethics
Information ethics
 
Stallings ch18 privacy
Stallings ch18 privacyStallings ch18 privacy
Stallings ch18 privacy
 
Information security
Information securityInformation security
Information security
 
Data set module 4
Data set module 4Data set module 4
Data set module 4
 
102 Chapter 4 Pt 2
102 Chapter 4 Pt 2102 Chapter 4 Pt 2
102 Chapter 4 Pt 2
 
Ethical and social issues in information systems
Ethical and social issues in information systemsEthical and social issues in information systems
Ethical and social issues in information systems
 
Information privacy and Security
Information privacy and SecurityInformation privacy and Security
Information privacy and Security
 
Information Ethics
Information EthicsInformation Ethics
Information Ethics
 
The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...
 
اخلاقيات الثاني
اخلاقيات الثانياخلاقيات الثاني
اخلاقيات الثاني
 
Gr 3 Societal Issues of Information System Design and Use
Gr 3 Societal Issues of Information System Design and UseGr 3 Societal Issues of Information System Design and Use
Gr 3 Societal Issues of Information System Design and Use
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacy
 
Ethical issues-extra
Ethical issues-extraEthical issues-extra
Ethical issues-extra
 
Information ethics & intro to information security
Information ethics & intro to information securityInformation ethics & intro to information security
Information ethics & intro to information security
 
Cs8792 cns - unit i
Cs8792 cns - unit iCs8792 cns - unit i
Cs8792 cns - unit i
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher Education
 

Semelhante a An ethical approach to data privacy protection

2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Data Privacy and Protection in the Digital Age - pdf.pdf
Data Privacy and Protection in the Digital Age - pdf.pdfData Privacy and Protection in the Digital Age - pdf.pdf
Data Privacy and Protection in the Digital Age - pdf.pdfKarpagam Institute
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxtodd581
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxglendar3
 
Multi-Dimensional Privacy Protection for Digital Collaborations.
Multi-Dimensional Privacy Protection for Digital Collaborations.Multi-Dimensional Privacy Protection for Digital Collaborations.
Multi-Dimensional Privacy Protection for Digital Collaborations.CSCJournals
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Alexander Decker
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Alexander Decker
 
STUCOR_CS8792-LL.pdf
STUCOR_CS8792-LL.pdfSTUCOR_CS8792-LL.pdf
STUCOR_CS8792-LL.pdf503SaranyaS
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & StrategyTony Hauxwell
 
Article 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technoArticle 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technohoney690131
 
Information security
Information securityInformation security
Information securitySanjay Tiwari
 
Running head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docx
Running head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docxRunning head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docx
Running head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docxjeanettehully
 
RIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCE
RIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCERIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCE
RIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCEVARUN KESAVAN
 
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...Angie Miller
 
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTIONETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTIONPranav Godse
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Securityijtsrd
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarEryk Budi Pratama
 

Semelhante a An ethical approach to data privacy protection (20)

2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
 
Data Privacy and Protection in the Digital Age - pdf.pdf
Data Privacy and Protection in the Digital Age - pdf.pdfData Privacy and Protection in the Digital Age - pdf.pdf
Data Privacy and Protection in the Digital Age - pdf.pdf
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
 
Multi-Dimensional Privacy Protection for Digital Collaborations.
Multi-Dimensional Privacy Protection for Digital Collaborations.Multi-Dimensional Privacy Protection for Digital Collaborations.
Multi-Dimensional Privacy Protection for Digital Collaborations.
 
Ss
SsSs
Ss
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
STUCOR_CS8792-LL.pdf
STUCOR_CS8792-LL.pdfSTUCOR_CS8792-LL.pdf
STUCOR_CS8792-LL.pdf
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
 
Article 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technoArticle 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking techno
 
Information security
Information securityInformation security
Information security
 
Running head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docx
Running head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docxRunning head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docx
Running head GOVERNANCE AND ETHICS 1GOVERNANCE AND ETHICS5.docx
 
RIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCE
RIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCERIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCE
RIGHT PRACTICES IN DATA MANAGEMENT AND GOVERNANCE
 
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
 
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTIONETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Security
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
 

Mais de Nicha Tatsaneeyapan

How To Shift Consumer Behaviors to be more sustainable; a literature review a...
How To Shift Consumer Behaviors to be more sustainable; a literature review a...How To Shift Consumer Behaviors to be more sustainable; a literature review a...
How To Shift Consumer Behaviors to be more sustainable; a literature review a...Nicha Tatsaneeyapan
 
Linkages between extreme stock market and currency returns
Linkages between extreme stock market and currency returnsLinkages between extreme stock market and currency returns
Linkages between extreme stock market and currency returnsNicha Tatsaneeyapan
 
Scenario generation and stochastic programming models for asset liabiltiy man...
Scenario generation and stochastic programming models for asset liabiltiy man...Scenario generation and stochastic programming models for asset liabiltiy man...
Scenario generation and stochastic programming models for asset liabiltiy man...Nicha Tatsaneeyapan
 
Incentives and risk taking in hedge funds
Incentives and risk taking in hedge fundsIncentives and risk taking in hedge funds
Incentives and risk taking in hedge fundsNicha Tatsaneeyapan
 
Loss-aversion and household portfolio choice
Loss-aversion and household portfolio choiceLoss-aversion and household portfolio choice
Loss-aversion and household portfolio choiceNicha Tatsaneeyapan
 
Estimating ambiguity preferences and perceptions in multiple prior models: Ev...
Estimating ambiguity preferences and perceptions in multiple prior models: Ev...Estimating ambiguity preferences and perceptions in multiple prior models: Ev...
Estimating ambiguity preferences and perceptions in multiple prior models: Ev...Nicha Tatsaneeyapan
 
Forecasting the US housing market
Forecasting the US housing marketForecasting the US housing market
Forecasting the US housing marketNicha Tatsaneeyapan
 
Retirement saving with contribution payments and labor income as a benchmark ...
Retirement saving with contribution payments and labor income as a benchmark ...Retirement saving with contribution payments and labor income as a benchmark ...
Retirement saving with contribution payments and labor income as a benchmark ...Nicha Tatsaneeyapan
 
Options and earnings announcements: an empirical study of volatility,trading ...
Options and earnings announcements: an empirical study of volatility,trading ...Options and earnings announcements: an empirical study of volatility,trading ...
Options and earnings announcements: an empirical study of volatility,trading ...Nicha Tatsaneeyapan
 
Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...
Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...
Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...Nicha Tatsaneeyapan
 
Incentives and Risk Taking in Hedge Funds *
Incentives and Risk Taking in Hedge Funds *Incentives and Risk Taking in Hedge Funds *
Incentives and Risk Taking in Hedge Funds *Nicha Tatsaneeyapan
 
The effect of VaR-based risk management on asset prices and the volatility s...
The effect of VaR-based risk management on asset prices and the volatility s...The effect of VaR-based risk management on asset prices and the volatility s...
The effect of VaR-based risk management on asset prices and the volatility s...Nicha Tatsaneeyapan
 
Model Uncertainty and Exchange Rate Forecasting
Model Uncertainty and Exchange Rate ForecastingModel Uncertainty and Exchange Rate Forecasting
Model Uncertainty and Exchange Rate ForecastingNicha Tatsaneeyapan
 
HIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENT
HIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENTHIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENT
HIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENTNicha Tatsaneeyapan
 
Endogenous Price Bubbles in a Multi-Agent System of the Housing Market
Endogenous Price Bubbles in a Multi-Agent System of the Housing MarketEndogenous Price Bubbles in a Multi-Agent System of the Housing Market
Endogenous Price Bubbles in a Multi-Agent System of the Housing MarketNicha Tatsaneeyapan
 
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...Nicha Tatsaneeyapan
 
Wage differentials between_foreign_multinationals_
Wage differentials between_foreign_multinationals_Wage differentials between_foreign_multinationals_
Wage differentials between_foreign_multinationals_Nicha Tatsaneeyapan
 
Variations in human resource management in asian countries mnc home country a...
Variations in human resource management in asian countries mnc home country a...Variations in human resource management in asian countries mnc home country a...
Variations in human resource management in asian countries mnc home country a...Nicha Tatsaneeyapan
 
Sterilization costs and exchange rate targeting∗
Sterilization costs and exchange rate targeting∗Sterilization costs and exchange rate targeting∗
Sterilization costs and exchange rate targeting∗Nicha Tatsaneeyapan
 
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...Nicha Tatsaneeyapan
 

Mais de Nicha Tatsaneeyapan (20)

How To Shift Consumer Behaviors to be more sustainable; a literature review a...
How To Shift Consumer Behaviors to be more sustainable; a literature review a...How To Shift Consumer Behaviors to be more sustainable; a literature review a...
How To Shift Consumer Behaviors to be more sustainable; a literature review a...
 
Linkages between extreme stock market and currency returns
Linkages between extreme stock market and currency returnsLinkages between extreme stock market and currency returns
Linkages between extreme stock market and currency returns
 
Scenario generation and stochastic programming models for asset liabiltiy man...
Scenario generation and stochastic programming models for asset liabiltiy man...Scenario generation and stochastic programming models for asset liabiltiy man...
Scenario generation and stochastic programming models for asset liabiltiy man...
 
Incentives and risk taking in hedge funds
Incentives and risk taking in hedge fundsIncentives and risk taking in hedge funds
Incentives and risk taking in hedge funds
 
Loss-aversion and household portfolio choice
Loss-aversion and household portfolio choiceLoss-aversion and household portfolio choice
Loss-aversion and household portfolio choice
 
Estimating ambiguity preferences and perceptions in multiple prior models: Ev...
Estimating ambiguity preferences and perceptions in multiple prior models: Ev...Estimating ambiguity preferences and perceptions in multiple prior models: Ev...
Estimating ambiguity preferences and perceptions in multiple prior models: Ev...
 
Forecasting the US housing market
Forecasting the US housing marketForecasting the US housing market
Forecasting the US housing market
 
Retirement saving with contribution payments and labor income as a benchmark ...
Retirement saving with contribution payments and labor income as a benchmark ...Retirement saving with contribution payments and labor income as a benchmark ...
Retirement saving with contribution payments and labor income as a benchmark ...
 
Options and earnings announcements: an empirical study of volatility,trading ...
Options and earnings announcements: an empirical study of volatility,trading ...Options and earnings announcements: an empirical study of volatility,trading ...
Options and earnings announcements: an empirical study of volatility,trading ...
 
Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...
Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...
Early Warning Systems for Currency Crises: A Multivariate Extreme Value Appr...
 
Incentives and Risk Taking in Hedge Funds *
Incentives and Risk Taking in Hedge Funds *Incentives and Risk Taking in Hedge Funds *
Incentives and Risk Taking in Hedge Funds *
 
The effect of VaR-based risk management on asset prices and the volatility s...
The effect of VaR-based risk management on asset prices and the volatility s...The effect of VaR-based risk management on asset prices and the volatility s...
The effect of VaR-based risk management on asset prices and the volatility s...
 
Model Uncertainty and Exchange Rate Forecasting
Model Uncertainty and Exchange Rate ForecastingModel Uncertainty and Exchange Rate Forecasting
Model Uncertainty and Exchange Rate Forecasting
 
HIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENT
HIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENTHIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENT
HIGH-PERFORMANCE COMPUTING FOR ASSET-LIABILITY MANAGEMENT
 
Endogenous Price Bubbles in a Multi-Agent System of the Housing Market
Endogenous Price Bubbles in a Multi-Agent System of the Housing MarketEndogenous Price Bubbles in a Multi-Agent System of the Housing Market
Endogenous Price Bubbles in a Multi-Agent System of the Housing Market
 
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
 
Wage differentials between_foreign_multinationals_
Wage differentials between_foreign_multinationals_Wage differentials between_foreign_multinationals_
Wage differentials between_foreign_multinationals_
 
Variations in human resource management in asian countries mnc home country a...
Variations in human resource management in asian countries mnc home country a...Variations in human resource management in asian countries mnc home country a...
Variations in human resource management in asian countries mnc home country a...
 
Sterilization costs and exchange rate targeting∗
Sterilization costs and exchange rate targeting∗Sterilization costs and exchange rate targeting∗
Sterilization costs and exchange rate targeting∗
 
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
Comparisons of Foreign Multinationals and Local Firms in Asian Manufacturing...
 

Último

GreenSEO April 2024: Join the Green Web Revolution
GreenSEO April 2024: Join the Green Web RevolutionGreenSEO April 2024: Join the Green Web Revolution
GreenSEO April 2024: Join the Green Web RevolutionWilliam Barnes
 
Social Samosa Guidebook for SAMMIES 2024.pdf
Social Samosa Guidebook for SAMMIES 2024.pdfSocial Samosa Guidebook for SAMMIES 2024.pdf
Social Samosa Guidebook for SAMMIES 2024.pdfSocial Samosa
 
The Science of Landing Page Messaging.pdf
The Science of Landing Page Messaging.pdfThe Science of Landing Page Messaging.pdf
The Science of Landing Page Messaging.pdfVWO
 
Factors-Influencing-Branding-Strategies.pptx
Factors-Influencing-Branding-Strategies.pptxFactors-Influencing-Branding-Strategies.pptx
Factors-Influencing-Branding-Strategies.pptxVikasTiwari846641
 
Unraveling the Mystery of the Hinterkaifeck Murders.pptx
Unraveling the Mystery of the Hinterkaifeck Murders.pptxUnraveling the Mystery of the Hinterkaifeck Murders.pptx
Unraveling the Mystery of the Hinterkaifeck Murders.pptxelizabethella096
 
Marketing Management Presentation Final.pptx
Marketing Management Presentation Final.pptxMarketing Management Presentation Final.pptx
Marketing Management Presentation Final.pptxabhishekshetti14
 
What is Google Search Console and What is it provide?
What is Google Search Console and What is it provide?What is Google Search Console and What is it provide?
What is Google Search Console and What is it provide?riteshhsociall
 
April 2024 - VBOUT Partners Meeting Group
April 2024 - VBOUT Partners Meeting GroupApril 2024 - VBOUT Partners Meeting Group
April 2024 - VBOUT Partners Meeting GroupVbout.com
 
Enjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
How videos can elevate your Google rankings and improve your EEAT - Benjamin ...
How videos can elevate your Google rankings and improve your EEAT - Benjamin ...How videos can elevate your Google rankings and improve your EEAT - Benjamin ...
How videos can elevate your Google rankings and improve your EEAT - Benjamin ...Benjamin Szturmaj
 
Kraft Mac and Cheese campaign presentation
Kraft Mac and Cheese campaign presentationKraft Mac and Cheese campaign presentation
Kraft Mac and Cheese campaign presentationtbatkhuu1
 
Cost-effective tactics for navigating CPC surges
Cost-effective tactics for navigating CPC surgesCost-effective tactics for navigating CPC surges
Cost-effective tactics for navigating CPC surgesPushON Ltd
 
Brand experience Dream Center Peoria Presentation.pdf
Brand experience Dream Center Peoria Presentation.pdfBrand experience Dream Center Peoria Presentation.pdf
Brand experience Dream Center Peoria Presentation.pdftbatkhuu1
 
The Rise of Virtual Influencers: A New Era in Social Media Marketing.pptx
The Rise of Virtual Influencers: A New Era in Social Media Marketing.pptxThe Rise of Virtual Influencers: A New Era in Social Media Marketing.pptx
The Rise of Virtual Influencers: A New Era in Social Media Marketing.pptxChelsiaD
 
Unraveling the Mystery of The Circleville Letters.pptx
Unraveling the Mystery of The Circleville Letters.pptxUnraveling the Mystery of The Circleville Letters.pptx
Unraveling the Mystery of The Circleville Letters.pptxelizabethella096
 
Google 3rd-Party Cookie Deprecation [Update] + 5 Best Strategies
Google 3rd-Party Cookie Deprecation [Update] + 5 Best StrategiesGoogle 3rd-Party Cookie Deprecation [Update] + 5 Best Strategies
Google 3rd-Party Cookie Deprecation [Update] + 5 Best StrategiesSearch Engine Journal
 

Último (20)

GreenSEO April 2024: Join the Green Web Revolution
GreenSEO April 2024: Join the Green Web RevolutionGreenSEO April 2024: Join the Green Web Revolution
GreenSEO April 2024: Join the Green Web Revolution
 
Social Samosa Guidebook for SAMMIES 2024.pdf
Social Samosa Guidebook for SAMMIES 2024.pdfSocial Samosa Guidebook for SAMMIES 2024.pdf
Social Samosa Guidebook for SAMMIES 2024.pdf
 
The Science of Landing Page Messaging.pdf
The Science of Landing Page Messaging.pdfThe Science of Landing Page Messaging.pdf
The Science of Landing Page Messaging.pdf
 
Turn Digital Reputation Threats into Offense Tactics - Daniel Lemin
Turn Digital Reputation Threats into Offense Tactics - Daniel LeminTurn Digital Reputation Threats into Offense Tactics - Daniel Lemin
Turn Digital Reputation Threats into Offense Tactics - Daniel Lemin
 
Factors-Influencing-Branding-Strategies.pptx
Factors-Influencing-Branding-Strategies.pptxFactors-Influencing-Branding-Strategies.pptx
Factors-Influencing-Branding-Strategies.pptx
 
Unraveling the Mystery of the Hinterkaifeck Murders.pptx
Unraveling the Mystery of the Hinterkaifeck Murders.pptxUnraveling the Mystery of the Hinterkaifeck Murders.pptx
Unraveling the Mystery of the Hinterkaifeck Murders.pptx
 
Marketing Management Presentation Final.pptx
Marketing Management Presentation Final.pptxMarketing Management Presentation Final.pptx
Marketing Management Presentation Final.pptx
 
What is Google Search Console and What is it provide?
What is Google Search Console and What is it provide?What is Google Search Console and What is it provide?
What is Google Search Console and What is it provide?
 
April 2024 - VBOUT Partners Meeting Group
April 2024 - VBOUT Partners Meeting GroupApril 2024 - VBOUT Partners Meeting Group
April 2024 - VBOUT Partners Meeting Group
 
Enjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 4 Gurgaon >༒8448380779 Escort Service
 
How videos can elevate your Google rankings and improve your EEAT - Benjamin ...
How videos can elevate your Google rankings and improve your EEAT - Benjamin ...How videos can elevate your Google rankings and improve your EEAT - Benjamin ...
How videos can elevate your Google rankings and improve your EEAT - Benjamin ...
 
Kraft Mac and Cheese campaign presentation
Kraft Mac and Cheese campaign presentationKraft Mac and Cheese campaign presentation
Kraft Mac and Cheese campaign presentation
 
SEO Master Class - Steve Wiideman, Wiideman Consulting Group
SEO Master Class - Steve Wiideman, Wiideman Consulting GroupSEO Master Class - Steve Wiideman, Wiideman Consulting Group
SEO Master Class - Steve Wiideman, Wiideman Consulting Group
 
Cost-effective tactics for navigating CPC surges
Cost-effective tactics for navigating CPC surgesCost-effective tactics for navigating CPC surges
Cost-effective tactics for navigating CPC surges
 
The Future of Brands on LinkedIn - Alison Kaltman
The Future of Brands on LinkedIn - Alison KaltmanThe Future of Brands on LinkedIn - Alison Kaltman
The Future of Brands on LinkedIn - Alison Kaltman
 
Brand experience Dream Center Peoria Presentation.pdf
Brand experience Dream Center Peoria Presentation.pdfBrand experience Dream Center Peoria Presentation.pdf
Brand experience Dream Center Peoria Presentation.pdf
 
The Rise of Virtual Influencers: A New Era in Social Media Marketing.pptx
The Rise of Virtual Influencers: A New Era in Social Media Marketing.pptxThe Rise of Virtual Influencers: A New Era in Social Media Marketing.pptx
The Rise of Virtual Influencers: A New Era in Social Media Marketing.pptx
 
Unraveling the Mystery of The Circleville Letters.pptx
Unraveling the Mystery of The Circleville Letters.pptxUnraveling the Mystery of The Circleville Letters.pptx
Unraveling the Mystery of The Circleville Letters.pptx
 
How to Create a Social Media Plan Like a Pro - Jordan Scheltgen
How to Create a Social Media Plan Like a Pro - Jordan ScheltgenHow to Create a Social Media Plan Like a Pro - Jordan Scheltgen
How to Create a Social Media Plan Like a Pro - Jordan Scheltgen
 
Google 3rd-Party Cookie Deprecation [Update] + 5 Best Strategies
Google 3rd-Party Cookie Deprecation [Update] + 5 Best StrategiesGoogle 3rd-Party Cookie Deprecation [Update] + 5 Best Strategies
Google 3rd-Party Cookie Deprecation [Update] + 5 Best Strategies
 

An ethical approach to data privacy protection

  • 1. ISACA JOURNAL VOL 6 1 • Accuracy and completeness when collecting data about a person or persons (corporations included) by technology • Availability of data content, and the data subject’s legal right to access; ownership • The rights to inspect, update or correct these data Data privacy is also concerned with the costs if data privacy is breached, and such costs include the so- called hard costs (e.g., financial penalties imposed by regulators, compensation payments in lawsuits such as noncompliance with contractual principles) and the soft costs (e.g., reputational damage, loss of client trust). Though different cultures put different values on privacy or make it impossible to define a stable, universal value, there is broad consensus that privacy does have an intrinsic, core and social value. Hence, a privacy approach that embraces the law, ethical principles, and societal and environmental concerns is possible despite the complexity of and difficulty in upholding data privacy. Data Privacy Protection Indeed, protecting data privacy is urgent and complex. This protection is necessary because of the ubiquity of the technology-driven and information-intensive environment. Technology- driven and information-intensive business operations are typical in contemporary corporations. The benefits of this trend are that, among other things, the marketplace is more transparent, consumers are better informed and trade practices are more fair. The downsides include socio-techno risk, which originates with technology and human users (e.g., identity theft, information warfare, phishing scams, cyberterrorism, extortion), and the creation of more opportunities for organized and sophisticated cybercriminals to exploit. This risk results in information protection being propelled to the top of the corporate management agenda. The need for data privacy protection is also urgent due to multidirectional demand. Information protection becomes an essential information security Privacy, trust and security are closely intertwined, as are law and ethics. Privacy preservation and security provisions rely on trust (e.g., one will allow only those whom one trusts to enter one’s zone of inaccessibility; one will not feel secure unless one trusts the security provider). Violation of privacy constitutes a risk, thus, a threat to security. Law provides a resolution when ethics cannot (e.g., ethics knows that stealing is wrong; the law punishes thieves); ethics can provide context to law (e.g., law allows trading for the purpose of making a profit, but ethics provides input into ensuring trade is conducted fairly). Privacy breaches disturb trust and run the risk of diluting or losing security; it is a show of disrespect to the law and a violation of ethical principles. Data privacy (or information privacy or data protection) is about access, use and collection of data, and the data subject’s legal right to the data. This refers to: • Freedom from unauthorized access to private data • Inappropriate use of data feature feature An Ethical Approach to Data Privacy Protection Wanbil W. Lee, DBA, FBCS, FHKCS, FHKIE, FIMA Is principal director of Wanbil Associates, founder and president of The Computer Ethics Society, and cofounder and Life Fellow of the Hong Kong Computer Society. He serves on committees of several professional bodies, editorial boards and government advisory committees. He has held professorial and adjunct appointments in a number of universities. His expertise is in information systems, and he has a strong interest in information security management, information systems audit and ethical computing. Wolfgang Zankl, Ph.D. Is a professor of private and comparative law at the University of Vienna (Austria) and associate lecturer for social media law at the Quadriga University (Berlin, Germany). He founded and runs the European Center for E-commerce and Internet Law (e-center.eu) and is a board member of The Computer Ethics Society. Henry Chang, CISM, CIPT, CISSP , DBA, FBCS Is an adjunct associate professor at the Law and Technology Centre, the University of Hong Kong. Chang is an appointed expert to the Identity Management and Privacy Technologies Working Group (SC27 WG5) of the International Organization for Standardization (ISO). His research interests are in technological impact on privacy, accountability and Asia privacy laws. ©2016 ISACA. All rights reserved. www.isaca.org
  • 2. ISACA JOURNAL VOL 6 2 Methods for Data Privacy Protection The method is modeled on a framework originally perceived and developed to provide a fresh view to decision makers and is based on the following three major instruments: • The International Data Privacy Principles (IDPPs)1 for establishing and maintaining data privacy policies, operating standards and mitigation measures • Hong Kong’s Data Protection Principles of personal data (DPPs)2 for reinforcing those policies, standards and guidelines • The hexa-dimension metric operationalization framework3 for executing policies, standards and guidelines International Data Privacy Principles Data privacy can be achieved through technical and social solutions. Technical solutions include safeguarding data from unauthorized or accidental access or loss. Social solutions include creating acceptability and awareness among customers about whether and how their data are being used, and doing so in a transparent and confidential way. Employees must commit to complying with corporate privacy rules, and organizations should instruct them in how to actively avoid activities that may compromise privacy. Next to technical and social solutions, the third element of achieving privacy is complying with data protection laws and regulations, which involves two issues. The first concern is that legal regulation is slow and, thus, unable to keep function to help develop and implement strategies to ensure that data privacy policies, standards, guidelines and processes are appropriately enhanced, communicated and complied with, and effective mitigation measures are implemented. The policies or standards need to be technically efficient, economically/financially sound, legally justifiable, ethically consistent and socially acceptable since many of the problems commonly found after implementation and contract signing are of a technical and ethical nature, and information security decisions become more complex and difficult. Data privacy protection is complex due to socio- techno risk, a new security concern. This risk occurs with the abuse of technology that is used to store and process data. For example, taking a company universal serial bus (USB) device home for personal convenience runs the risk of breaching a company regulation that no company property shall leave company premises without permission. That risk becomes a data risk if the USB contains confidential corporate data (e.g., data about the marketing strategy, personnel performance records) or employee data (e.g., employee addresses, dates of birth). The risk of taking the USB also includes theft or loss. Using technology in a manner that is not consistent with ethical principles creates ethical risk, another new type of risk. In the previous example, not every staff member would take the company USB home, and those who decide to exploit the risk of taking the USB may do so based on their own sense of morality and understanding of ethical principles. The ethical risk (in addition to technical risk and financial risk) arises when considering the potential breach of corporate and personal confidentiality. This risk is related partly to technology (the USB) and partly to people (both the perpetrator and the victims) and is, therefore, a risk of a technological-cum-social nature—a socio-techno risk. Hence, taking home a USB is a vulnerability that may lead to a violation of data privacy. However, the problem of data privacy is not unsolvable. The composite approach alluded to earlier that takes into consideration the tangible physical and financial conditions and intangible measures against logical loopholes, ethical violations, and social desirability is feasible, and the method suggested in this article, which is built on a six-factor framework, can accomplish this objective. ©2016 ISACA. All rights reserved. www.isaca.org Data privacy can be achieved through technical and social solutions.
  • 3. ISACA JOURNAL VOL 6 3 between what is given and what is received. That philosophy explains why companies such as Google or Facebook, for whose services the customer does not pay, have the right to use personal data. In other words, that tradeoff—data for services— is the balance.4 The consumer being less protected when receiving free services is a basic element of the European E-Commerce Directive, which does not apply to services that are offered free of charge. But this consideration is only a first step. Applied to a modern data environment, a balance also has to be struck in relation to other parameters relevant to contractual aspects of data privacy. Since data are a contract matter, it is important to consider what kind of personal data are in consideration (e.g., sensitive and nonsensitive data have to be distinguished and treated differently), and since contracts are concluded by mutual consent, the extent of such consent also has to be taken into account. For example, does consent have to be declared explicitly or is accepting the terms of use sufficient? The IDPPs approach takes into consideration the Asian, European, US and international data protection standards and focuses on personal data, but can apply to corporate data as well. These principles suggest that the three parameters (payment, consent and data category) should be balanced and combined with the previously mentioned, Asian, European, US and international up with the rapid developments of information technology. Legal solutions are usually at least one step behind technological developments. Data privacy by electronic means should, therefore, be based not only on traditional jurisdiction, but also on soft law, i.e., self-binding policies such as the existing data privacy principles. Soft law may be more effective than hard law. The reactions of disappointed customers, especially when those reactions are spread by social media, and the fact that noncompliance with corporate governance may result in unfair competition and/or liability toward affected customers (unfair competition by not complying with self-binding policies/liability toward customers by breach of contract) will often be more effective than mere fines or penalties. The second problem of data protection has to do with the fact that these regulations are not internationally harmonized, causing severe complications (especially between the United States and the European Union) on a cross-border basis, which is the rule rather than the exception in modern business. To make data privacy rules work in a global environment, the principles outlined in this article consider US standards (e.g., the US Federal Trade Commission’s Fair Information Practices), European standards (e.g., Data Protection Directive 95/46/EC and the General Data Protection Regulation [GDPR]), Asian regulations (e.g., Hong Kong Personal Data Privacy Ordinance [PDPO]) and international benchmarks (e.g., the Organization for Economic Co-operation and Development [OECD] Privacy Framework Basic Principles). This article also considers the fact that common data privacy regulations, especially in Europe, tend to focus on a traditional human rights approach, neglecting the fact that nowadays, data are usually given away voluntarily upon contractual agreement. When using sites such as Google, Baidu, Amazon, Alibaba or Facebook, users agree with the terms and conditions of these companies. Data privacy should consider not only mere data protection, but also contractual principles, among which one of the oldest and most fundamental is do ut des, meaning a contract in which there is a certain balance ©2016 ISACA. All rights reserved. www.isaca.org Common data privacy regulations, especially in Europe, tend to focus on a traditional human rights approach, neglecting the fact that nowadays, data are usually given away voluntarily.
  • 4. ISACA JOURNAL VOL 6 4 11. Do not transfer personal data to countries with inadequate or unknown data protection standards unless the customer is informed about these standards being inadequate or unknown and agrees to such a transfer. 12. In the case of a contract between the company and the customer in which the customer commits to pay for services or goods: – Inform the costumer individually and as soon as reasonably possible in the event of a data breach. – Inform the customer upon request about which specific data are stored, and delete such data upon request unless applicable laws or regulations require the company to continue storing such data. – Do not use or divulge content-related personal data. – Do not use or divulge any other personal data without the customer’s explicit, separate and individual consent. – Do not store, use or divulge any customer data, unless applicable laws or regulations require the company to continue storing such data. standards, putting them into a set of privacy rules. Organizations in compliance with international data privacy standards should commit to the following 13 IDPPs:5 1. Comply with national data protection or privacy law, national contract law, and other legal requirements or regulations relating to data privacy. 2. Comply with current security standards to protect stored personal data from illegitimate or unauthorized access or from accidental access, processing, erasure, loss or use. 3. Implement an easily perceptible, accessible and comprehensible privacy policy with information on who is in charge of data privacy and how this person can be individually contacted, why and which personal data are collected, how these data are used, who will receive these data, how long these data are stored, and whether and which data will be deleted or rectified upon request. 4. Instruct employees to comply with such privacy policies and avoid activities that enable or facilitate illegitimate or unauthorized access in terms of IDPPs. 5. Do not use or divulge any customer data (except for statistical analysis and when the customer’s identity remains anonymous), unless the company is obliged to do so by law or the customer agrees to such use or circulation. 6. Do not collect customer data if such collection is unnecessary or excessive. 7. Use or divulge customer data in a fair way and only for a purpose related to activities of the company. 8. Do not outsource customer data to third parties unless they also comply with standards comparable to these IDPPs. 9. Announce data breaches relating to sensitive data. 10. Do not keep personal data for longer than necessary. ©2016 ISACA. All rights reserved. www.isaca.org
  • 5. ISACA JOURNAL VOL 6 5 take on the same principles-based approach. For example, the UK’s Data Protection Act uses eight DPPs,8 Australia’s Privacy Act has 13 privacy principles,9 and the Canadian Personal Information Protection and Electronic Documents Act has 10 principles.10 For the purpose of illustration, the remaining part of this article will use Hong Kong’s PDPO, enacted in 1995 and Asia’s first privacy law, to highlight the salient points on how ethical considerations are built within the implementation of privacy legislation that is compatible with the OECD Privacy Guidelines. The Six Data Protection Principles of PDPO An explanation of the DPPs is provided by the Hong Kong,11 Office of the Privacy Commissioner for Personal Data, and can be summarized as: 1. Data Collection and Purpose Principle: • Personal data must be collected in a lawful and fair way for a purpose directly related to a function/activity of the data user (i.e., those who collect personal data). 13. In the absence of a contract between the company and the customer in which the customer commits to pay for services or goods: – Inform the customer as soon as reasonably possible in the event of data breaches. – Inform the customer upon request what types of sensitive data are stored and delete such data upon request when such data are outdated, unless applicable laws or regulations require the company to continue storing such data. – Do not use or divulge sensitive data without the customer’s explicit, separate and individual consent. The Hong Kong Personal Data Privacy Ordinance The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Privacy Guidelines)6 are often the standard that data protection laws of many countries reference.7 The OECD Privacy Guidelines have eight basic principles: 1. Collection Limitation Principle 2. Data Quality Principle 3. Purpose Specification Principle 4. Use Limitation Principle 5. Security Safeguards Principle 6. Openness Principle 7. Individual Participation Principle 8. Accountability Principle Being a framework with the aim of providing guidelines to jurisdictions to enact their own privacy laws, the definitions of these principles are at a high level deliberately. When these high-level principles are converted to national laws, many jurisdictions ©2016 ISACA. All rights reserved. www.isaca.org
  • 6. ISACA JOURNAL VOL 6 6 relativistic judgement will, in turn, be influenced by the society’s acceptable behavior and value, i.e., its collective ethical belief. • DPP2 states that collected personal data are not to be kept for longer than is necessary. As there is also an element of judgment on necessity, it can be argued on utilitarian grounds that there could be an ethical dilemma in deciding on a short retention period that is protective of the individuals or a longer period that is protective of the interests (commercial or otherwise) of the organization that collects the personal data. • DPP3 states that data use that is not directly related to the original purpose may be carried out only with the consent of the individual. This may be translated as respecting the wishes of the individuals. Even if the organization thinks that the changed use would be beneficial to individuals, the organization has no right to take away the individual’s free will and choice. • DPP4 states that organizations should implement reasonable security protection on the collected personal data to prevent data leakage. While leaving aside the decision on how many resources and how much effort an organization should use to protect the personal data collected, DPP4 asks organizations to balance the resources and effort against the likely harm to individuals. • Data subjects (i.e., individuals from whom personal data are collected) must be notified of the purpose and the classes of persons to whom the data may be transferred. • Data collected should be necessary, but not excessive. 2. Accuracy and Retention Principle—Personal data must be accurate and should not be kept for a period longer than is necessary to fulfill the purpose for which they are used. 3. Data Use Principle—Personal data must be used for the purpose for which the data are collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject. 4. Data Security Principle—A data user needs to take reasonably practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use, while taking into account the harm that would affect the individual should there be a breach. 5. Openness Principle­ ­­ —A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data are used. 6. Data Access and Correction Principle—Data subjects must be given access to their personal data and allowed to make corrections if the data are inaccurate. The PDPO is principle-based and is not a piece of prescriptive law. Knowing the underlying ethical considerations for each principle will help an organization to better understand the spirit and the letter of the law when developing a compliance program. In particular, ethical relevance is clearly evident in the implications of PDPO privacy protection principles: • DPP1 explains that the collection of personal data must be fair and that personal data collected should not be excessive. Whether the collection is fair and excessive will have to be assessed under the circumstance. Given that fairness and excessiveness for one person may not be the same for another person, there is, inevitably, a judgment involved in the assessment. That ©2016 ISACA. All rights reserved. www.isaca.org Knowing the underlying ethical considerations for each principle will help an organization to better understand the spirit and the letter of the law.
  • 7. ISACA JOURNAL VOL 6 7 in enforcing those rules or standards; they rely purely on the moral obligation of the stakeholders concerned, because violation by itself does not, in general, attract any criminal charges in the legal sense. However, despite the good intention and official adoption, the code by itself cannot guarantee more ethical behavior, and auxiliary measures must be in force to operationalize the rules and standards effectively. Organizations of all varieties might have some kind of code of practice in place. However, the extant codes invariably tend to focus on technical, financial and legal issues and are insufficient when considering the ethical, social and ecological concerns that rapidly emerge and ascend to the top of corporate and IT management agendas. Different organizations have their own unique policies and a unique code of conduct; there can be no universal recipe, only a general guideline. As a general guideline for designing a code of conduct, the hexa-dimension framework is recommended. This framework comprises two major components: the theoretical hexa- dimension metric for measuring legal validity, social desirability, ecological sustainability, ethical acceptability, technical effectiveness and financial In 2010, ethical considerations related to data protection played a major role in testing existing laws. The Octopus card is an “electronic wallet” that many Hong Kong residents use for daily transportation and everyday purchases. In 2010, it was discovered that Octopus Cards Limited, the company that owned the cards, was selling card owners’ loyalty membership to insurance companies for direct marketing purposes. As a result of public outcry, the privacy commissioner investigated and concluded that while the sales of customer records was not prohibited by the law at the time, the company failed to make a meaningful effort to seek consent from customers when it informed them of this data use in a privacy policy statement. The company denied contravening the law, but accepted that its actions felt short of customer expectations. Two major officers of the company stepped down during the investigation.12, 13 The heightened public awareness of personal data rights that arose in the wake of the incident changed expectations of organizational behavior. No longer will people accept companies doing only the bare minimum required by law; they must also act ethically. The chief executive officer (CEO) who took over Octopus Cards Limited after the incident captured the new expectations succinctly: “We need to do not just [what is] legal, but what is right.”14 The Hexa-dimension Code of Conduct A code of conduct serves a variety of functions, one of the most important of which is to serve as a guide for stakeholders based on a set of rules and standards. Despite official adoption, company policies and standards, which tend to be difficult for stakeholders, including employees to absorb, are not easy to enforce effectively and are probably ignored in the end. A code of conduct, if formulated and articulated well, should serve to communicate the policies and standards to stakeholders in a relatable way. While such codes may serve to deter potential offensive actions, they are limited ©2016 ISACA. All rights reserved. www.isaca.org
  • 8. ISACA JOURNAL VOL 6 8 viability (the six requirements/factors) and a scheme for operationalizing the framework. The operationalization scheme is carried out in three major steps including: • Identify the relevant critical factors depending on the target end users (corporatewide or a functional unit or nature of operation). For example, environmental impact is critical for a mining company or a factory, but could probably be skipped for an information security unit. • Secure the support of the board of directors with respect to corporate policy aspects and the supporting infrastructures that include the organization’s human resources (HR) management, legal, finance, and information and communications technology functional units with respect to technical support and reference. An appraisal of ethical consistency in conduct should be included during annual performance reviews (by HR). • Determine a schedule for quantifying the elements of each factor for measuring, prioritizing and balancing the factors. The attributes/factors with help determine the steps to be taken to measure the effectiveness. If properly and appropriately formulated and articulated, the code can be useful in disseminating the policies and standards throughout the organization and beyond, thus cultivating corporatewide ethical, professional conduct. While a code may deter potential offensive actions, it is limited in enforcing the rules or standards. The limitation exists because the code can rely only on the stakeholders’ sense of morality because violation of the code does not entail any criminal charges. Auxiliary measures must be put in place to arrive at desirable results, such as executive actions that provide rewards and impose punishment (e.g., discussing the hexa-dimensional code of conduct during an annual performance appraisal when those being appraised are asked to exemplify that their assigned duties were carried out in a manner consistent with data privacy protection policies, i.e., not breaking the law; not harmful to individuals and society at large; not wasteful of the resources available including the computer facilities, the workforce, the budget; and not harming the environment). Conclusion Information security professionals are in urgent need of effective and pragmatic guidance for developing data privacy protection standards for two major reasons. The first is that the information security function in a technology-driven information-intensive environment becomes more complicated due to new risk (e.g., socio-techno risk); the second is that data privacy protection becomes a primary concern to information security management as privacy infringement occurs frequently and attracts wide coverage in the media. Viewing privacy from the perspective of ethics can help enterprises establish and improve their code of conduct. Considering privacy from an ethical point of view and establishing a code of conduct makes all individuals in an organization, not just security personnel, accountable for protecting valuable data. Endnotes 1 Zankl, W.; The International Data Privacy Principles, presented at Harvard University, Cambridge, Massachusetts, USA, October 2014, www.e-center.eu/static/files/moscow- dataprivacy-handout-russian.pdf ©2016 ISACA. All rights reserved. www.isaca.org While a code may deter potential offensive actions, it is limited in enforcing the rules or standards.
  • 9. ISACA JOURNAL VOL 6 9 2 The Personal Data (Privacy) Ordinance, Chapter 486 , https://www.pcpd.org.hk/english/ files/pdpo.pdf and https://www.pcpd.org. hk/english/data_privacy_law/ordinance_at_a_ Glance/ordinance.html 3 Lee, W. W.; “A Hexa-dimension Metric for Designing Code of Ethical Practice,” Encyclopedia of Information Science and Technology, 4th Edition, July 2017 4 It has been argued that companies using, for instance, their Internet platforms for advertising purposes are already being paid by the advertisers so there is no need for further payment with data. This point of view neglects the fact that do ut des refers to a balance between quid pro quo of the contracting parties and not between these parties and third parties. That is why readers have to pay for magazines despite the publisher receiving payments from third parties (advertisers). 5 Op cit, Zankl 6 Organization for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, www.oecd.org/sti/ieconomy/cdguidelinesonthe protectionofprivacyandtransborderflowsof personaldata.htm 7 Greenleaf, G; “Global Data Privacy Laws 2015: 109 Countries, with European Laws Now a Minority,” 133 Privacy Laws Business International Report, February 2015, p. 14-17 8 Information Commissioner’s Office, Data Protection Principles, United Kingdom, https://ico.org.uk/for-organisations/guide-to- data-protection/data-protection-principles/ 9 Office of the Austrailian Information Commissioner, Australian Privacy Principles, https://oaic.gov.au/privacy-law/privacy-act/ australian-privacy-principles 10 Office of the Privacy Commissioner of Canada, PIPEDA Fair Information Principles, September 2011, https://www.priv.gc.ca/en/ privacy-topics/privacy-laws-in-canada/the- personal-information-protection-and-electronic- documents-act-pipeda/p_principle/ 11 Office of the Privacy Commissioner for Personal Data, Six Data Protection Principles, Hong Kong, https://www.pcpd.org.hk/english/data- privacy_lau/6_data_protection/principles.html 12 Ng, J.; “Octopus CEO Resigns Over Data Sale,” The Wall Street Journal, 4 August 2010, https://www.pcpd.org.hk/english/data_privacy_ law/6_data_protection_principles/principles.html 13 Chong, D.; “Second Octopus Boss Quits Amid Scandal,” The Standard, 20 October 2010, www.thestandard.com.hk/news_detail.asp?pp_ cat=30art_id=104016sid=29979255con_ type=1d_str=20101020sear_year=2010 14 Cheung, S.; “The Challenges of Personal Data Privacy in A New Era,” International Conference on Privacy Protection in Corporate Governance, 11 February 2014, https://www.pcpd.org.hk/ privacyconference2014/programme.html ©2016 ISACA. All rights reserved. www.isaca.org