IS4542 Seminar 4 - PowerPoint PPT Presentation

About This Presentation
Title: IS4542 Seminar 4
Description: The Nigerian Scam. You get an email that says someone in Nigeria wants ... Many of these scams originate in HK; a Nigerian man was arrested earlier this year. ... (PowerPoint PPT presentation)

Slides: 37
Provided by: robertd113

Transcript and Presenter's Notes

1
IS4542 Seminar 4
  • Data and Personal Privacy

2
Key Questions
  • What is personal data? And what is not?
  • How is this related to you as IS Professionals
    (not just as individuals)?
  • Organisations have data protection officers, data
    protection/access policies, and have to ensure
    that they act in accordance with the law
  • Why is data accuracy so important?

3
Privacy: What is it?
  • Can anyone give me a universal definition,
    something that everyone will agree about?
  • Do you think that privacy may vary according to:
    • Culture?
    • Politics?
    • Personal preference?
  • Do we have a right to privacy?
  • Is the right absolute?
  • Are there any restrictions or conditions to
    privacy?

4
Privacy
  • "The right to be left alone": Warren and Brandeis
    (1890), Harvard Law Review, (193), pp. 193-220.
  • Privacy is necessary if we are also to have
    freedom of speech, association, movement, etc.
  • Privacy and respect for people as autonomous,
    free, rational beings

5
Privacy (Roger Clarke)
  • Privacy is the interest that individuals have in
    sustaining a 'personal space', free from
    interference by other people and organisations.
    • Privacy of the person: against compulsory blood
      testing, immunisation, etc.
    • Privacy of personal behaviour, inc. sex,
      politics, religion, at home and at work
    • Privacy of personal communications, i.e. no
      monitoring
    • Privacy of personal data: control over data use
      (held by you or not)

6
Privacy
  • How is Private Information Collected?
    • Reading your newsgroup postings
    • Finding you in the Internet Directory
    • Making your browser record information about you
    • Recording what your browser says about you
    • Reading your e-mail address
    • Web-site self registration
    • On-line shopping
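A worked illustration of the browser-related points above, added here and not part of the seminar slides: the headers a browser attaches to every request already say a good deal about the person behind it, including the search terms that led them to the page. The request text below is constructed for the example, and `shop.example` and `search.example` are placeholder hosts.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample request (not a real capture): a browser following a
# search-engine result to an online shop.
SAMPLE_REQUEST = """GET /products/item?id=42 HTTP/1.1
Host: shop.example
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0
Accept-Language: zh-HK,zh;q=0.9,en;q=0.8
Referer: https://search.example/?q=cheap+flights+to+tokyo
Cookie: visitor_id=a1b2c3d4; session=xyz
"""

# What each header discloses about the person behind the browser.
DISCLOSING_HEADERS = {
    "user-agent": "browser and operating system",
    "accept-language": "preferred language, hence likely region",
    "referer": "the page you came from",
    "cookie": "identifiers that link this visit to earlier ones",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {header: value})."""
    lines = raw.splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def search_terms(referer):
    """If the Referer is a search results page, recover the query that was typed."""
    query = parse_qs(urlparse(referer).query)
    for key in ("q", "query", "p"):   # common query-parameter names
        if key in query:
            return query[key][0]
    return None


def disclosures(raw):
    """Map each disclosing header present to (value, what it reveals)."""
    _, headers = parse_request(raw)
    found = {name: (headers[name], meaning)
             for name, meaning in DISCLOSING_HEADERS.items() if name in headers}
    if "referer" in headers:
        terms = search_terms(headers["referer"])
        if terms:
            found["referer"] = (headers["referer"],
                                f"the search terms you typed: '{terms}'")
    if "cookie" in headers:
        ids = dict(part.strip().split("=", 1) for part in headers["cookie"].split(";"))
        found["cookie"] = (headers["cookie"], f"tracking identifiers {sorted(ids)}")
    return found


if __name__ == "__main__":
    for header, (value, meaning) in disclosures(SAMPLE_REQUEST).items():
        print(f"{header}: {meaning}\n    {value}")
```

Nothing here requires the site to set a cookie or run a script: the Referer and User-Agent lines are sent by default, which is why the slide lists "recording what your browser says about you" as a collection method in its own right.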

7
But
  • There may often be competing and conflicting
    interests
  • If you have AIDS, do you have a right to prevent
    other people from knowing this?
  • If you have been to prison for child-abuse, does
    society have the right to know? And to prevent
    you from being responsible for children again?
  • Do employees have the right to privacy?
  • Does a domestic helper have the right to privacy?

8
Information Privacy
  • is the interest an individual has in
    controlling, or at least significantly
    influencing, the handling of data about
    themselves.
  • Go to this web site for much, much more detail:
    http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html

9
Legislative Options
  • Data protection legislation has been set up in
    many countries to control the collection,
    storage, use and disclosure of personal data by
    means of computers.
    • Europe: 1970s and 1980s
    • Hong Kong: 1996
    • China: ???

10
Data Protection Legislation in Hong Kong
  • Protecting the data of living individuals
  • Protecting against unauthorised access
  • Providing access rights
  • Protecting Transborder Data Flows

11
The Personal Data (Privacy) Ordinance ("the Ordinance")
  • Six Data Protection Principles
  • Privacy Commissioner
    • Officer in charge of data protection matters
      under the Ordinance.
  • Privacy Advisory Committee
    • Committee consists of qualified and experienced
      personnel to assist the Commissioner.
  • Declarations on personal data collection and use
    submitted to the Commissioner by data users

12
Six Data Protection Principles
  • Principle 1 - purpose and manner of collection of
    personal data
    • Collection must be lawful and fair
    • Data subjects must be informed about the collection
  • Principle 2 - accuracy and duration of retention
    of personal data
  • Principle 3 - use of personal data
    • Use only as specified when collected

13
Principles cont'd
  • Principle 4 - security of personal data
  • Principle 5 - information about data held and
    access policies to be generally available (what
    they have and what they do with it)
  • Principle 6 - access to personal data
    • Data subjects have rights of access and
      correction

14
Implications of the Ordinance
  • Information about data held has to be registered
    with the PCO - metadata
  • People who have access to the data must be
    trained in security measures
  • Proper security measures should be implemented -
    to prevent unauthorised access, loss or
    destruction
  • Procedures for subject access to data -
    validation, authorisation, issuing, ...
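To make the principles and the implications above concrete, here is an added example (not from the slides, and not the Ordinance's own wording) of a small personal-data store that enforces them mechanically: purpose limitation (Principles 1 and 3), retention (Principle 2), access restricted to authorised staff with an audit trail (Principle 4), and subject access and correction (Principle 6). Role names, purposes, dates and retention periods are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


class PolicyViolation(Exception):
    """Raised when an operation would breach one of the principles."""


@dataclass
class Record:
    subject_id: str
    data: dict
    purposes: frozenset   # Principle 1: purposes stated to the subject at collection
    collected: date
    retention_days: int   # Principle 2: keep no longer than needed for those purposes


class PersonalDataStore:
    def __init__(self, today):
        self.today = today
        self.records = {}
        self.authorised = {}  # Principle 4: user -> purposes they are cleared for
        self.audit = []       # (user, subject_id, purpose) for every disclosure

    def authorise(self, user, purposes):
        self.authorised[user] = set(purposes)

    def collect(self, record):
        if not record.purposes:
            raise PolicyViolation("collection without a stated purpose")
        self.records[record.subject_id] = record

    def _expired(self, rec):
        return rec.collected + timedelta(days=rec.retention_days) < self.today

    def access(self, user, subject_id, purpose):
        """Principles 3 and 4: release data only for a stated purpose, to a cleared user."""
        rec = self.records[subject_id]
        if self._expired(rec):
            raise PolicyViolation("retention period expired; record should have been erased")
        if purpose not in rec.purposes:
            raise PolicyViolation(f"use for '{purpose}' was not specified at collection")
        if purpose not in self.authorised.get(user, set()):
            raise PolicyViolation(f"{user} is not authorised for '{purpose}'")
        self.audit.append((user, subject_id, purpose))
        return dict(rec.data)

    def subject_access(self, subject_id):
        """Principle 6: the subject sees what is held, why, and who has looked at it."""
        rec = self.records[subject_id]
        return {"data": dict(rec.data), "purposes": sorted(rec.purposes),
                "accesses": [a for a in self.audit if a[1] == subject_id]}

    def correct(self, subject_id, field_name, value):
        """Principle 6 (and 2): the subject can have inaccurate data corrected."""
        self.records[subject_id].data[field_name] = value

    def purge_expired(self):
        """Principle 2: erase records held beyond their retention period."""
        expired = [sid for sid, rec in self.records.items() if self._expired(rec)]
        for sid in expired:
            del self.records[sid]
        return expired


def demo():
    # Constructed sample data; dates chosen so one record has outlived its retention.
    store = PersonalDataStore(today=date(2004, 6, 1))
    store.authorise("payroll_clerk", ["payroll"])
    store.collect(Record("S001", {"name": "A. Chan", "salary": 30000},
                         frozenset({"payroll", "tax_reporting"}), date(2004, 1, 15), 365))
    store.collect(Record("S002", {"name": "B. Lee", "phone": "9123 4567"},
                         frozenset({"event_registration"}), date(2004, 1, 1), 90))
    out = {"payroll_ok": store.access("payroll_clerk", "S001", "payroll")["name"]}
    attempts = {
        "marketing_use": ("payroll_clerk", "S001", "marketing"),      # purpose not stated
        "unauthorised_user": ("intern", "S001", "payroll"),           # user not cleared
        "expired": ("payroll_clerk", "S002", "event_registration"),   # held too long
    }
    for label, args in attempts.items():
        try:
            store.access(*args)
            out[label] = "allowed"
        except PolicyViolation as exc:
            out[label] = str(exc)
    store.correct("S001", "name", "A. W. Chan")
    out["subject_view"] = store.subject_access("S001")
    out["purged"] = store.purge_expired()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks in `access` is deliberate: an expired record is refused before any purpose or authorisation test, so that a lapse in the purge job cannot be papered over by an otherwise legitimate request, and every successful disclosure lands in the audit list that the subject can later inspect.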

15
Privacy
  • How is Private Information Collected?
    • Reading your newsgroup postings
    • Finding you in the Internet Directory
    • Making your browser record information about you
    • Recording what your browser says about you
    • Reading your e-mail address
    • Web-site self registration
    • On-line shopping

16
Privacy
  • Non-compliance with an enforcement notice served
    by the Privacy Commissioner's Office (PCO):
    • $50,000 fine
    • 2 years imprisonment
  • Contravening the Ordinance can also result in
    civil proceedings claiming damages

17
Privacy
  • Exemptions
    • Data held for domestic or recreational purposes:
      general exemption
    • Certain employment-related personal data:
      exempted from subject access
    • Competing public or social interests, e.g.
      security, defense, international relations,
      prevention/detection of crime, tax data, news,
      health: exempted from subject access and use
      limitation

18
Privacy
  • Privacy Commissioner's Office
    http://www.pco.org.hk/info
  • Code of practice
  • Guidelines on various subjects:
    • SPAM
    • Preparing On-line Personal Information Collection
      (PIC) Statements and Privacy Policy Statements
      (PPS)
    • Personal Data Privacy and the Internet
    • Internet Surfing with Privacy in Mind

19
Consequences I
  • Any new data protection legislation will:
    • Add new administration overheads to organisations
    • Increase government bureaucracy
    • Place an extra burden on the Police, Justice
      Dept, ICAC, ...

20
Consequences II
  • Provoke useful questions like:
    • What is data protection?
    • How can we implement data protection measures?
  • Require public education and promotion
  • But, doing so will:
    • Protect Hong Kong's international trade
    • Strengthen Hong Kong's international position

21
Consequences III
  • BUT!
  • What about HK's trade with China - where there
    are no such laws?
  • If your company's data is compromised in HK, the
    law will protect you.
  • In China, it may be quite a different story
  • Therefore, at minimum, the company needs to be
    aware...
  • European laws are even more strict
  • Data on PDAs is also covered

22
But many companies, especially SMEs need data to
market effectively!
  • Well, how about:
    • A centrally run and regulated data bank which
      licenses and controls data users?
    • Data subjects can sell their data at a price of
      their choice
    • The data bank regulates appropriate uses of the
      data.
  • See Laudon, K.C. (1996) "Markets and Privacy",
    Communications of the ACM, 39(9), pp. 92-104.

23
Solutions?
  • An Information Banking System
    • Data subjects can "sell" their data to a bank
    • Data users can "buy" data from a bank
    • All transactions via an Information eXchange (IX)
  • Regulation and Protection
    • All data users must be registered with IX
    • Including email addresses?

24
The PDA Problem
  • 2/3 of PDA users do not have adequate security
  • 1/3 don't even use password controls
  • Security awareness is generally low
  • Physical theft/loss of PDAs is high
  • Did you ever lose your mobile phone/PDA?

25
PDAs
  • Stolen PDAs are an excellent source of corporate
    data
  • Business names, account numbers, passwords,
    spreadsheets, documents, PINs, ...
  • None of which is password protected!!!

26
The Spam Problem
  • 65% of email is spam (80% of mine)
  • US govt is finally cracking down
  • Spam has millions of small victims who are
    inconvenienced
  • Few big victims, but 65% is a huge strain on
    network resources
  • Spam leads to other, more serious, crimes:
    identity theft, credit card fraud, bank drains

27
The Nigerian Scam
  • You get an email that says someone in Nigeria
    wants to give you US$35 million.
  • You need to give them your account details so that
    they can transfer the money
  • Soon your account is empty!
  • Many of these scams originate in HK; a Nigerian
    man was arrested earlier this year.

28
The Banking Scam
  • Dear Citibank UK Customer!
  • For security purposes your account has been
    randomly chosen for verification. To verify your
    account information we are asking you to provide
    us with all the data we are requesting. Otherwise
    we will not be able to verify your identity and
    access to your account will be denied. Please
    click on the link below to get to the Citibank UK
    secure page and verify your account details.
    After verification you will be redirected to the
    Citibank UK home page. Thank you.
  • https://cukehb3.cd.citibank.co.uk/HomeBankingSecure/Pers/StartSession.asp
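The URL shown in the message above sits under citibank.co.uk, which is exactly why it convinces; what matters is where the link actually goes, and in an HTML mail the visible text and the real destination can differ. The added example below (not from the slides) runs a few defender-side heuristics over a constructed HTML version of this message in which the link points to a documentation-only IP address (203.0.113.5, reserved by RFC 5737), flagging pressure wording, requests for account details, and a mismatch between the link text and its destination. The phrase lists and one-point-per-signal scoring are assumptions for illustration, not any product's rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the slide's text but turned into HTML so the
# link's visible text and its real destination can differ. 203.0.113.5 is a
# documentation-only address (RFC 5737), used as a placeholder destination.
SAMPLE_EMAIL = """<p>Dear Citibank UK Customer!</p>
<p>For security purposes your account has been randomly chosen for
verification. To verify your account information we are asking you to
provide us with all the data we are requesting. Otherwise we will not be
able to verify your identity and access to your account will be denied.
Please click on the link below to get to the Citibank UK secure page and
verify your account details.</p>
<p><a href="http://203.0.113.5/cukehb3/StartSession.asp">https://cukehb3.cd.citibank.co.uk/HomeBankingSecure/Pers/StartSession.asp</a></p>
"""

# Wording that pressures the reader (assumed list for the example).
PRESSURE_PHRASES = (
    "for security purposes",
    "access to your account will be denied",
    "verify your account",
    "click on the link below",
)
# Wording that asks for credentials or account data (assumed list).
DATA_REQUEST_PHRASES = ("provide us with", "account details", "password", "pin")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _contains(phrase, text):
    """Whole-word match, so 'pin' does not fire inside 'shopping'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def hostname(text):
    """Hostname of a URL, or '' if the text is not a URL."""
    return (urlparse(text.strip()).hostname or "").lower()


def in_domain(host, domain):
    """True if host is the brand's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyse(html, claimed_domain):
    """Return (score, reasons): one point per heuristic that fires."""
    reasons = []
    lower = html.lower()
    for phrase in PRESSURE_PHRASES:
        if _contains(phrase, lower):
            reasons.append(f"pressure wording: '{phrase}'")
    for phrase in DATA_REQUEST_PHRASES:
        if _contains(phrase, lower):
            reasons.append(f"asks for data: '{phrase}'")
    for href, visible in ANCHOR_RE.findall(html):
        real = hostname(href)
        shown = hostname(visible)
        if shown and shown != real:          # link text says one host, href another
            reasons.append(f"link text shows {shown} but points to {real}")
        if not in_domain(real, claimed_domain):
            reasons.append(f"link destination {real} is not under {claimed_domain}")
        if BARE_IP_RE.fullmatch(real):
            reasons.append(f"link destination is a bare IP address ({real})")
    return len(reasons), reasons


if __name__ == "__main__":
    score, reasons = analyse(SAMPLE_EMAIL, "citibank.co.uk")
    print(f"score {score}")
    for reason in reasons:
        print(" -", reason)
```

The link checks are the ones worth keeping in a real filter: wording lists are easy to evade by rephrasing, but a link whose visible text names the bank while its destination does not is hard to explain away, and no legitimate bank mail needs a bare IP address.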

29
Electronic Monitoring
  • Electronic Monitoring (EM) is another kind of
    privacy invasion.
  • Capture and analysis of "data" to measure the
    work (not) performed by employees.
  • Video, Audio, Keystroke, Website, Screen-,...
  • Automation of employee control.

30
Arguments in Favour of EM
  • Employers have always had broad rights of
    observation and record keeping of employees'
    performance; EM is just an extension of those
    rights.
  • EM helps to increase productivity
  • EM produces more accurate cost accounting

31
More advantages...
  • EM improves management of people:
    • no bias
    • fair performance expectations
    • improves performance appraisal
    • provides data quickly and frequently

32
Criticisms of EM
  • EM is an invasion of employee privacy.
  • The monitoring is continuous:
    • everything an employee does, from regular work to
      toilet breaks, is (or can be) timed to the
      second.
  • Employees have no control over, or knowledge of,
    when and how monitoring takes place.

33
More Criticisms
  • EM erodes trust and loyalty between employees and
    employer.
  • EM increases stress on the employees and leads to
    stress-related health problems.
  • EM leads to management expectation of a
    machine-established work pace, excessive
    production quotas and work speed-ups.

34
More Criticisms
  • EM leads to over-dependence on quantifiable data
    as a measure of employee performance, eliminating
    softer, qualitative aspects of a job.
  • EM can result in lower morale, increased turnover
    and absenteeism, and consequent poor customer
    service.

35
Is EM Professional Behaviour?
  • Considering those arguments in favour of and
    against EM, can you find a professional
    justification for EM?
  • Don't think in terms of profit, productivity,
    privacy, etc.
  • Think "professionally".
  • What should an unbiased professional do?

36
TeleEye
  • CityU Enterprises is somewhat famous for a
    product developed by the EE department: TeleEye
    • A camera linked to a phone line and back to your
      office
    • To monitor factories, buildings, homes,
      or people.
    • It is very small and unobtrusive
  • Is it only a product? Are there ethical issues?