Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
Chapter 08 – Data
Protection, Privacy and Freedom
IT5104 - Professional Issues in IT
OpenArc Campus – BIT Sem V – PIIT
Release (Transferring, Publishing…etc)
Freedom of Information
Why it came?
Very large amount of data about individuals was being
unacceptable purposes which were not the intention when the
data was collected.
Unauthorized people could access such data and that the data
might be out dated, incomplete or just plain wrong.
At the beginning, the law for this matter was designed to protect
organizations. But evolutionary gone to a wider concern.
Ex : Bank Balance, Medical History, Vote in Election…etc
But for security measures there can be situations, such as telephone
tapping and email monitoring by employers as well as security
services of the state.
Do governments also entitled to keep their information
information to their citizens. But there is a pressure from public for
more open governments and for legislations that guarantee freedom
Protection and Privacy are two different concepts but goes like
as the same.
Terminology of UK Data protection Act 1998
Collected with the intention to process and
information or just to keep as a record.
Legal or natural person who determines why or how
personal data is processed.
Anyone who processes personal data on behalf of the
Data which relates to a living person who can be
indentified from that data. (Possibly taken together with
other information the data controller is likely to have. It
can be include, expressions of opinion about the person
and indications of the intentions of the data controller or
any other person, toward the individual.)
Individual who is the subject of personal data
Personal data relating to the racial or ethnic origin of data
memberships of societies, physical or mental health,
marital life, or whether they have committed or alleged to
have committed any criminal offence.
Obtaining, recording or holding the information/data or
carrying out any operations on it.
In the act Data Processing also means
• Organization, adaptation or alteration of the information/data
• Retrieval, consultation or use of the information/data
dissemination or otherwise making available
• Alignment, combination, blocking, erasure or destruction of the
1998 UK Data Protection Act lays down 8 principles which
apply to the collection and processing of personal data of any
sort. Data Controller is responsible for ensuring that these
principles are complied with in respect of all the personal
data, for which they are responsible.
Data Protection Principles
1) Personal data shall be processed fairly and lawfully.
If the data subject doesn’t give their consent, data can only be
processed if the data controller is under a legal or statutory
obligation for which the processing is necessary.
It is necessary to inform the users of a website explicitly if it
employs cookies and must give users the opportunity of refusing it.
2) Personal data shall be obtained only for one or more
specified and lawful purposes, and shall not be further
processed in any manner incompatible with that purpose
or those purposes.
3) Personal data shall be adequate, relevant and not
excessive in relation to the purpose or purposes for which
they are processed.
Requiring to declare marital status when joining to a public library.
Shops demanding to know customers' addresses for an order even
the order do not require a delivery service.
4) Personal data shall be accurate and, where necessary,
kept up to date.
Doctors have great difficulty in maintaining up-to-date data
about their patients' addresses.
Personal data processed for any purpose or purposes
shall not be kept for longer than is necessary for that
purpose or those purposes.
• At the time data captured, it needed to be defined how long each
item of personal data needs to be kept.
• There need to be procedures to ensure that all data is erased at
the appropriate time, and this must include erasure from backup
• There can be situations to keep some personal data for an
Personal data shall be processed in accordance with
the rights of data subjects.
Appropriate technical and organizational measures
shall be taken against unauthorized or unlawful processing
of personal data and against accidental loss or destruction
of, or damage to, personal data.
This implies the need for access control (through passwords or
other means), backup procedures, integrity checks on the data,
And there also need to be authorized personnel who have access
to manage these things.
Personal data shall not be transferred to a country or
territory outside the region unless that country or territory
ensures an adequate level of protection for the rights and
freedom of data subjects in relation to the processing of
Data subjects have the right to know whether a data controller
held data relating to them. Also they have right to see those data,
and the right to have those data erased or corrected if it is
Data subjects have the right to receive:
A description of the personal data being held;
An explanation of the purpose why it is being held
A description of the people/organizations to which it may be
An clear statement of the specific data held about them;
A description of the source of the data.
Rights of Data Subjects
Data subjects have the right:
To prevent processing likely to cause damage and distress;
To prevent processing for the purposes of direct marketing;
To have compensation in case of damage caused by processing
of personal data in violation of the principles of the Act.
There may be exceptions such like
Examination candidates do not have the right of access to their
marks until after the results of the examinations have been
Disclosing the information may result in infringing someone
Disclosing may be threat to national security.
All these rights apply to data that is held electronically and, in
some cases, to data that is held in manual file systems.
If however, the data is processed automatically and is likely to be
used as the sole basis for taking a decision relating to data
Loan), they have the right to be informed by the data controller, of
the logic involved in taking that decision. They can also demand
that a decision relating to them that has been taken on full
automatic process should be reconsidered on some other way.
Government security services and law enforcement authorities
can only intercept, monitor and investigate electronic data in
Organizations that provide computer and telephone services
(this includes not only ISPs and other telecommunications
service providers but also most employers) can monitor and
record communications without the consent of the users of the
service in some circumstances.
Organizations intercepting communications in this way are under
an obligation to make all reasonable efforts to inform users that
such interception may take place.
Every citizen does have rights of access to information held by
bodies in the public sector such like Parliament, government
departments, health authorities, universities, schools, etc.
But there may be exceptions in situations such disclosures may
avoided due to public interest.
Public authorities are advised to adopt schemes for publication of
Freedom of information does not mean that people can access
others’ personal information.
Freedom of Information
• Threat of individual privacy due to Large Centralized Data
• Abuse of information management due to Data Matching.
• Unauthorized Traceability of operations performed via online
• Navigation Trails (Browser Cookies)
• Capturing Information about the way individuals use the
internet and build profiles of their habits for marketing purpose
• Jurisdiction for trans-border data flow ? (ex: WikiLeaks)
The Impact of the Internet