Your SlideShare is downloading. ×
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104


Published on

Lecture Materials of BIT External IT5104 - Professional Issues in IT 2013/2014 conducted at OSBT

Lecture Materials of BIT External IT5104 - Professional Issues in IT 2013/2014 conducted at OSBT

Published in: Education, Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Chapter 08 – Data Protection, Privacy and Freedom of Information IT5104 - Professional Issues in IT OpenArc Campus – BIT Sem V – PIIT 1
  • 2. • Storage • Processing • Retention • Release (Transferring, Publishing…etc) D A T A & I N F O R M A T I O N • Protection • Privacy • Freedom of Information 2
  • 3. Why it came? • Very large amount of data about individuals was being collected and stored in computers and then used for unacceptable purposes which were not the intention when the data was collected. • Unauthorized people could access such data and that the data might be out dated, incomplete or just plain wrong. At the beginning, the law for this matter was designed to protect individuals, against the misuse of personal data by large organizations. But evolutionary gone to a wider concern. 3
  • 4. People are entitled to keep personal information private. Ex : Bank Balance, Medical History, Vote in Election…etc But for security measures there can be situations, such as telephone tapping and email monitoring by employers as well as security services of the state. Do governments also entitled to keep their information private? Governments are traditionally reluctant to release information to their citizens. But there is a pressure from public for more open governments and for legislations that guarantee freedom of information. 4
  • 5. Protection and Privacy are two different concepts but goes like as the same. Terminology of UK Data protection Act 1998 Data Collected with the intention to process and create information or just to keep as a record. Data Controller Legal or natural person who determines why or how personal data is processed. Data Processor Anyone who processes personal data on behalf of the data controller. Data Protection 5
  • 6. Personal Data Data which relates to a living person who can be indentified from that data. (Possibly taken together with other information the data controller is likely to have. It can be include, expressions of opinion about the person and indications of the intentions of the data controller or any other person, toward the individual.) Data Subject Individual who is the subject of personal data Sensitive Personal data relating to the racial or ethnic origin of data Personal Data subjects. Their political opinions, religious beliefs, memberships of societies, physical or mental health, marital life, or whether they have committed or alleged to have committed any criminal offence. Processing Obtaining, recording or holding the information/data or carrying out any operations on it. 6
  • 7. In the act Data Processing also means • Organization, adaptation or alteration of the information/data • Retrieval, consultation or use of the information/data • Disclosure of the information/data by transmission, dissemination or otherwise making available • Alignment, combination, blocking, erasure or destruction of the information/data 7
  • 8. 1998 UK Data Protection Act lays down 8 principles which apply to the collection and processing of personal data of any sort. Data Controller is responsible for ensuring that these principles are complied with in respect of all the personal data, for which they are responsible. Data Protection Principles 8
  • 9. 1) Personal data shall be processed fairly and lawfully. If the data subject doesn’t give their consent, data can only be processed if the data controller is under a legal or statutory obligation for which the processing is necessary. ex: It is necessary to inform the users of a website explicitly if it employs cookies and must give users the opportunity of refusing it. 9
  • 10. 2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 10
  • 11. 3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Ex: Requiring to declare marital status when joining to a public library. Shops demanding to know customers' addresses for an order even the order do not require a delivery service. 11
  • 12. 4) Personal data shall be accurate and, where necessary, kept up to date. Doctors have great difficulty in maintaining up-to-date data about their patients' addresses. 12
  • 13. 5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. • At the time data captured, it needed to be defined how long each item of personal data needs to be kept. • There need to be procedures to ensure that all data is erased at the appropriate time, and this must include erasure from backup copies. • There can be situations to keep some personal data for an indefinite period such like university records of graduating students. 13
  • 14. 6) Personal data shall be processed in accordance with the rights of data subjects. 14
  • 15. 7) Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This implies the need for access control (through passwords or other means), backup procedures, integrity checks on the data, etc. And there also need to be authorized personnel who have access to manage these things. 15
  • 16. 8) Personal data shall not be transferred to a country or territory outside the region unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data. 16
  • 17. Data subjects have the right to know whether a data controller held data relating to them. Also they have right to see those data, and the right to have those data erased or corrected if it is inaccurate. Data subjects have the right to receive: • A description of the personal data being held; • An explanation of the purpose why it is being held • A description of the people/organizations to which it may be disclosed; • An clear statement of the specific data held about them; • A description of the source of the data. Rights of Data Subjects 17
  • 18. Data subjects have the right: • To prevent processing likely to cause damage and distress; • To prevent processing for the purposes of direct marketing; • To have compensation in case of damage caused by processing of personal data in violation of the principles of the Act. There may be exceptions such like • Examination candidates do not have the right of access to their marks until after the results of the examinations have been published. • Disclosing the information may result in infringing someone else's rights. • Disclosing may be threat to national security. 18
  • 19. All these rights apply to data that is held electronically and, in some cases, to data that is held in manual file systems. If however, the data is processed automatically and is likely to be used as the sole basis for taking a decision relating to data subjects (for example, deciding whether to grant them a Loan), they have the right to be informed by the data controller, of the logic involved in taking that decision. They can also demand that a decision relating to them that has been taken on full automatic process should be reconsidered on some other way. 19
  • 20. Government security services and law enforcement authorities can only intercept, monitor and investigate electronic data in certain specified situations such as when preventing and detecting crime. Organizations that provide computer and telephone services (this includes not only ISPs and other telecommunications service providers but also most employers) can monitor and record communications without the consent of the users of the service in some circumstances. Organizations intercepting communications in this way are under an obligation to make all reasonable efforts to inform users that such interception may take place. Privacy 20
  • 21. Every citizen does have rights of access to information held by bodies in the public sector such like Parliament, government departments, health authorities, universities, schools, etc. But there may be exceptions in situations such disclosures may avoided due to public interest. Public authorities are advised to adopt schemes for publication of information. (1919) Freedom of information does not mean that people can access others’ personal information. Freedom of Information 21
  • 22. • Threat of individual privacy due to Large Centralized Data Banks. • Abuse of information management due to Data Matching. • Unauthorized Traceability of operations performed via online services. • Navigation Trails (Browser Cookies) • Capturing Information about the way individuals use the internet and build profiles of their habits for marketing purpose or blackmail. • Jurisdiction for trans-border data flow ? (ex: WikiLeaks) The Impact of the Internet 22