Lecture Materials of BIT External IT5104 - Professional Issues in IT 2013/2014 conducted at OSBT

1. Chapter 08 – Data
Protection, Privacy and Freedom
of Information
IT5104 - Professional Issues in IT
OpenArc Campus – BIT Sem V – PIIT
1

2. •
Storage
•
Processing
•
Retention
•
Release (Transferring, Publishing…etc)
D
A
T
A
&
I
N
F
O
R
M
A
T
I
O
N
•
Protection
•
Privacy
•
Freedom of Information
2

3. Why it came?
•
Very large amount of data about individuals was being
collected
and
stored
in
computers
and
then
used
for
unacceptable purposes which were not the intention when the
data was collected.
•
Unauthorized people could access such data and that the data
might be out dated, incomplete or just plain wrong.
At the beginning, the law for this matter was designed to protect
individuals,
against
the
misuse
of
personal
data
by
large
organizations. But evolutionary gone to a wider concern.
3

4. People
are
entitled
to
keep
personal
information
private.
Ex : Bank Balance, Medical History, Vote in Election…etc
But for security measures there can be situations, such as telephone
tapping and email monitoring by employers as well as security
services of the state.
Do governments also entitled to keep their information
private?
Governments
are
traditionally
reluctant
to
release
information to their citizens. But there is a pressure from public for
more open governments and for legislations that guarantee freedom
of information.
4

5. Protection and Privacy are two different concepts but goes like
as the same.
Terminology of UK Data protection Act 1998
Data
Collected with the intention to process and
create
information or just to keep as a record.
Data Controller
Legal or natural person who determines why or how
personal data is processed.
Data Processor
Anyone who processes personal data on behalf of the
data controller.
Data Protection
5

6. Personal Data
Data which relates to a living person who can be
indentified from that data. (Possibly taken together with
other information the data controller is likely to have. It
can be include, expressions of opinion about the person
and indications of the intentions of the data controller or
any other person, toward the individual.)
Data Subject
Individual who is the subject of personal data
Sensitive
Personal data relating to the racial or ethnic origin of data
Personal Data
subjects.
Their
political
opinions,
religious
beliefs,
memberships of societies, physical or mental health,
marital life, or whether they have committed or alleged to
have committed any criminal offence.
Processing
Obtaining, recording or holding the information/data or
carrying out any operations on it.
6

7. In the act Data Processing also means
• Organization, adaptation or alteration of the information/data
• Retrieval, consultation or use of the information/data
• Disclosure
of
the
information/data
by
transmission,
dissemination or otherwise making available
• Alignment, combination, blocking, erasure or destruction of the
information/data
7

8. 1998 UK Data Protection Act lays down 8 principles which
apply to the collection and processing of personal data of any
sort. Data Controller is responsible for ensuring that these
principles are complied with in respect of all the personal
data, for which they are responsible.
Data Protection Principles
8

9. 1) Personal data shall be processed fairly and lawfully.
If the data subject doesn’t give their consent, data can only be
processed if the data controller is under a legal or statutory
obligation for which the processing is necessary.
ex:
It is necessary to inform the users of a website explicitly if it
employs cookies and must give users the opportunity of refusing it.
9

10. 2) Personal data shall be obtained only for one or more
specified and lawful purposes, and shall not be further
processed in any manner incompatible with that purpose
or those purposes.
10

11. 3) Personal data shall be adequate, relevant and not
excessive in relation to the purpose or purposes for which
they are processed.
Ex:
Requiring to declare marital status when joining to a public library.
Shops demanding to know customers' addresses for an order even
the order do not require a delivery service.
11

12. 4) Personal data shall be accurate and, where necessary,
kept up to date.
Doctors have great difficulty in maintaining up-to-date data
about their patients' addresses.
12

13. 5)
Personal data processed for any purpose or purposes
shall not be kept for longer than is necessary for that
purpose or those purposes.
• At the time data captured, it needed to be defined how long each
item of personal data needs to be kept.
• There need to be procedures to ensure that all data is erased at
the appropriate time, and this must include erasure from backup
copies.
• There can be situations to keep some personal data for an
indefinite
period
such
like
university
records
of
graduating
students.
13

14. 6)
Personal data shall be processed in accordance with
the rights of data subjects.
14

15. 7)
Appropriate technical and organizational measures
shall be taken against unauthorized or unlawful processing
of personal data and against accidental loss or destruction
of, or damage to, personal data.
This implies the need for access control (through passwords or
other means), backup procedures, integrity checks on the data,
etc.
And there also need to be authorized personnel who have access
to manage these things.
15

16. 8)
Personal data shall not be transferred to a country or
territory outside the region unless that country or territory
ensures an adequate level of protection for the rights and
freedom of data subjects in relation to the processing of
personal data.
16

17. Data subjects have the right to know whether a data controller
held data relating to them. Also they have right to see those data,
and the right to have those data erased or corrected if it is
inaccurate.
Data subjects have the right to receive:
•
A description of the personal data being held;
•
An explanation of the purpose why it is being held
•
A description of the people/organizations to which it may be
disclosed;
•
An clear statement of the specific data held about them;
•
A description of the source of the data.
Rights of Data Subjects
17

18. Data subjects have the right:
•
To prevent processing likely to cause damage and distress;
•
To prevent processing for the purposes of direct marketing;
•
To have compensation in case of damage caused by processing
of personal data in violation of the principles of the Act.
There may be exceptions such like
•
Examination candidates do not have the right of access to their
marks until after the results of the examinations have been
published.
•
Disclosing the information may result in infringing someone
else's rights.
•
Disclosing may be threat to national security.
18

19. All these rights apply to data that is held electronically and, in
some cases, to data that is held in manual file systems.
If however, the data is processed automatically and is likely to be
used as the sole basis for taking a decision relating to data
subjects
(for
example,
deciding
whether
to
grant
them
a
Loan), they have the right to be informed by the data controller, of
the logic involved in taking that decision. They can also demand
that a decision relating to them that has been taken on full
automatic process should be reconsidered on some other way.
19

20. Government security services and law enforcement authorities
can only intercept, monitor and investigate electronic data in
certain
specified
situations
such
as
when
preventing
and
detecting crime.
Organizations that provide computer and telephone services
(this includes not only ISPs and other telecommunications
service providers but also most employers) can monitor and
record communications without the consent of the users of the
service in some circumstances.
Organizations intercepting communications in this way are under
an obligation to make all reasonable efforts to inform users that
such interception may take place.
Privacy
20

21. Every citizen does have rights of access to information held by
bodies in the public sector such like Parliament, government
departments, health authorities, universities, schools, etc.
But there may be exceptions in situations such disclosures may
avoided due to public interest.
Public authorities are advised to adopt schemes for publication of
information. (1919)
Freedom of information does not mean that people can access
others’ personal information.
Freedom of Information
21

22. • Threat of individual privacy due to Large Centralized Data
Banks.
• Abuse of information management due to Data Matching.
• Unauthorized Traceability of operations performed via online
services.
• Navigation Trails (Browser Cookies)
• Capturing Information about the way individuals use the
internet and build profiles of their habits for marketing purpose
or blackmail.
• Jurisdiction for trans-border data flow ? (ex: WikiLeaks)
The Impact of the Internet
22