Discussing about privacy related issues in the areas of Financial Data, Health Information and Children’s Personal Data with identifying regulations in USA and EU. Also it focus on Fair Information Practices.
1. Chapter 9 - Privacy and Civil
Liberties
IT 5105 – Professional Issues in IT
Upekha Vandebona
upe.vand@gmail.com
Regulations Abroad [USA and EU]
Ref : George W. Reynolds, “Ethics in Information Technology” , 5th Edition.
2. Privacy Violations for Making Decisions
Hire a job candidate (Specifically in IT
industry)
Consumers’ purchasing habits and financial
condition for target marketing efforts to
consumers who are most likely to buy their
products and services.
3. Privacy Violations for Making Decisions -
Defending Arguments
Organizations also need basic information
about customers to serve them better.
It is hard to imagine an organization having
productive relationships with its customers
without having data about them.
4. Right to Privacy/ Information Privacy
Information privacy is the combination of
communications privacy (the ability to
communicate with others without those
communications being monitored by other
persons or organizations)
data privacy (the ability to limit access to
one’s personal data by other individuals and
organizations in order to exercise a substantial
degree of control over that data and its use).
5. Areas
Financial Data,
Health Information,
Children’s Personal Data,
Fair Information Practices,
Electronic Surveillance, and Access to
Government Records. ***
6. Financial Data
Individuals must reveal much of their personal
financial data in order to take advantage of the
wide range of financial products and services
available.
To access many of these financial products and
services, individuals must use a personal logon
name, password, account number, or PIN.
The inadvertent loss or disclosure of this personal
financial data carries a high risk of loss of privacy
and potential financial loss.
7. Gramm-Leach-Bliley Act (1999) - USA
GLBA or Financial Services Modernization
Act.
Three key rules that affect personal privacy
Implications after the law was passed.
8. 1) Financial Privacy Rule
This rule established mandatory guidelines for
the collection and disclosure of personal
financial information by financial
organizations.
Under this provision, financial institutions
must provide a privacy notice to each
consumer that explains what data about the
consumer is gathered, with whom that data
is shared, how the data is used, and how the
data is protected.
9. 1) Financial Privacy Rule
The notice must also explain the consumer’s
right to opt out
to refuse to give the institution the right to collect
and share personal data with unaffiliated parties.
Anytime a company’s privacy policy is changed,
customers must be contacted again and given
the right to opt out.
The privacy notice must be provided to the
consumer at the time the consumer relationship
is formed and once each year thereafter.
10. 1) Financial Privacy Rule
Customers who take no action automatically
opt in and give financial institutions the
right to share personal data, such as annual
earnings, net worth, employers, personal
investment information, loan amounts, and
Social Security numbers, to other financial
institutions.
11. 2) Safeguards Rule
This rule requires each financial institution
to document a data security plan describing
the company’s preparation and plans for
the ongoing protection of clients’ personal
data.
12. 3) Pretexting Rule
This rule addresses attempts by people to
access personal information without proper
authority by such means as impersonating
an account holder or phishing.
GLBA encourages financial institutions to
implement safeguards against pretexting.
13. Health Information
The use of electronic medical records and the
subsequent interlinking and transferring of this
electronic information among different
organizations has become widespread.
Individuals fear intrusions into their health
data by employers, schools, insurance firms,
law enforcement agencies, and even
marketing firms looking to promote their
products and services.
14. HIPPA - Health Insurance Portability Act -
USA -1996
To improve the portability and continuity of
health insurance coverage; to reduce fraud,
waste, and abuse in health insurance and
healthcare delivery; and to simplify the
administration of health insurance.
15. HIPPA - Health Insurance Portability Act
Requires healthcare organizations to
employ standardized electronic
transactions, codes, and identifiers to
enable them to fully digitize medical
records, thus making it possible to
exchange medical data over the Internet.
16. Privacy Under the HIPAA Provisions
Healthcare providers must obtain written
consent from patients prior to disclosing any
information in their medical records.
Thus, patients need to sign a HIPAA disclosure
form each time they are treated at a hospital,
and such a form must be kept on file with
their primary care physician.
In addition, healthcare providers are required
to keep track of everyone who receives
information from a patient’s medical file.
17. Privacy Under the HIPAA Provisions
Healthcare companies must appoint a
privacy officer to develop privacy policies
and procedures as well as train employees
on how to handle sensitive patient data.
These actions must address the potential
for unauthorized access to data by outside
hackers as well as the more likely threat of
internal misuse of data.
18. Privacy Under the HIPAA Provisions
HIPAA assigns responsibility to healthcare
organizations, as the originators of
individual medical data, for certifying that
their business partners also comply with
HIPAA security and privacy rules.
19. Children’s Personal Data
Facts
How much hours teens spend on surfing the
web per week?
Does parents have the idea what they are
looking at online?
High percentage of teens have received an
online request for personal information.
High percentage of children have been
approached online by a stranger.
20. Children’s Personal Data
Many people feel that there is a need to
protect children from being exposed to
inappropriate material and online predators;
becoming the target of harassment; divulging
personal data; and becoming involved in
gambling or other inappropriate behavior.
To date, only a few laws have been
implemented to protect children online.
How does this conflict with freedom of
expression?
21. FERPA - Family Educational Rights and
Privacy Act (1974) - USA
Assigns certain rights to parents regarding
their children’s educational records.
These rights transfer to the student once
the student reaches the age of 18 or if he
or she attends a school beyond the high
school level.
Under FERPA, the presumption is that a
student’s records are private and not
available to the public without the consent
of the student.
22. FERPA - Family Educational Rights and
Privacy Act (1974) - USA
These rights include
the right to access educational records
maintained by a school;
the right to demand that educational records
be disclosed only with student consent;
the right to amend educational records; and
the right to file complaints against a school for
disclosing educational records in violation of
FERPA
23. COPPA - Children’s Online Privacy
Protection Act (1998) - USA
As an attempt to give parents control over the
collection, use, and disclosure of their
children’s personal information; it does not
cover the dissemination of information to
children.
Any Web site that caters to children must offer
comprehensive privacy policies, notify parents
or guardians about its data collection
practices, and receive parental consent before
collecting any personal information from
children under 13 years of age.
24. COPPA - Children’s Online Privacy
Protection Act (1998) - USA
The law has had a major impact and has
required many companies to spend
hundreds of thousands of dollars to make
their sites compliant; other companies
eliminated preteens as a target audience.
25. Fair Information Practices
Fair information practices is a term for a
set of guidelines that govern the collection
and use of personal data.
Various organizations as well as countries
have developed their own set of such
guidelines and call them by different
names.
26. Fair Information Practices
The overall goal of such guidelines is to
stop the unlawful storage of personal data,
eliminate the storage of inaccurate
personal data, and prevent the abuse or
unauthorized disclosure of such data.
27. Fair Information Practices
For some organizations and countries, a key
issue is the flow of personal data across
national boundaries (transborder data
flow).
Fair information practices are important
because they form the underlying basis for
many national laws addressing data privacy
and data protection issues.
28. European Union Data Protection Directive
(1995)
Requires any company doing business within
the borders of the countries comprising the
European Union to implement a set of
privacy directives on the fair and
appropriate use of information.
Basically, this directive requires member
countries to ensure that data transferred to
non-European Union (EU) countries is
protected.
29. European Union Data Protection Directive
(1995)
It also bars the export of data to countries
that do not have data privacy protection
standards comparable to those of the EU.
For example, in 2012, the European
Commission approved New Zealand as a
country that provides “adequate
protection” of personal data under the
directive so that personal information from
Europe may flow freely to New Zealand.
30. EU Data Protection Directive Rules
Notice—An individual has the right to know if his or her
personal data is being collected, and any data must be
collected for clearly stated, legitimate purposes.
Choice—An individual has the right to elect not to have his or
her personal data collected.
Use—An individual has the right to know how personal data will
be used and the right to restrict its use.
Security—Organizations must “implement appropriate technical
and organizations measures” to protect personal data, and the
individual has the right to know what these measures are.
Correction—An individual has the right to challenge the
accuracy of the data and to provide corrected data.
Enforcement—An individual has the right to seek legal relief
through appropriate channels to protect privacy rights.
32. MCQ
The purpose of the Bill of Rights was to;
a) grant additional powers to the government
b) identify exceptions to specific portions of
the Constitution
c) identify additional rights of individuals
d) identify requirements for being a “good”
citizen
33. MCQ
In USA under the provisions of ___________,
healthcare providers must obtain written
consent from patients prior to disclosing any
information in their medical records.
a) HIPAA
b) COPPA
c) Computer Crimes Act No. 24 of 2007
d) FERPA
e) ADA Section 508
34. MCQ
According to the Children’s Online Privacy
Protection Act, a Web site that caters to
children must:
a) offer comprehensive privacy policies
b) notify parents or guardians about its data
collection practices
c) receive parental consent before collecting any
personal information from preteens
d) all of the above
35. MCQ
In USA, ________ is a federal law that
assigns certain rights to parents regarding
their children’s educational records.
a) HIPAA
b) COPPA
c) Computer Crimes Act No. 24 of 2007
d) FERPA
e) ADA Section 508
36. MCQ
Which of the following identifies the
numbers dialed for outgoing calls?
a) pen register
b) wiretap
c) trap and trace
d) all of the above
37. True / False ?
Sri Lanka has a single, overarching national
data privacy policy. True or False?
The European philosophy of addressing
privacy concerns employs strict government
regulation, including enforcement by a set
of commissioners; it differs greatly from
the U.S. philosophy of having no federal
privacy policy. True or False?
38. Fill Blanks
A(n)____________ is a text file that a Web
site can download to a visitor’s hard drive
to identify visitors on subsequent visits.
40. Justify
Are surveillance cameras worth the cost in
terms of resources and loss of privacy,
given the role that they play in deterring or
solving crimes?
Do you feel that information systems to
fight terrorism should be developed and
used even if they infringe the privacy rights
of ordinary citizens?
Mail me the justification if anyone interested to answer
41. Justify
Why do employers monitor workers? Do you
think they have the right to do so?
Mail me the justification if anyone interested to answer
42. What Would You Do? - Scenario 1
You are a recent college graduate with only
a year of experience with your employer.
You were recently promoted to Head of
Administration of email services.
You are quite surprised to receive a phone
call at home on a Saturday from the Chief
Financial Officer of the firm asking that you
immediately delete all email from all email
servers, including the archive and back-up
servers, that is older than six months.
43. What Would You Do? - Scenario 1
He states that the reason for his request is that
there have been an increasing number of
complaints about the slowness of email services. In
addition, he says he is concerned about the cost of
storing so much email.
This does not sound right to you because you
recently have taken several measures that have
speeded up email services.
An alarm goes off when you recall muted
conversations in the lunchroom last week about an
officer of the company passing along inside trade
information to an outsider.
What do you say to the Chief Financial Officer?
Why?
44. What Would You Do? - Scenario 2
You are a new brand manager for a product line of
gardening equipments. You are considering collecting
information from various organizations about the people
who are going to retiring from their service. The
information which includes list of names and their
mailing addresses, places of living, lands owned, email
addresses, annual income received, and highest level of
education achieved.
You could use the data to identify likely purchasers of
your gardening equipments, and you could then send
those people emails announcing the new product line
and touting its many features.
List the advantages and disadvantages of such a
marketing strategy. Would you recommend this means
of promotion in this instance? Why or why not?
45. What Would You Do? - Scenario 3
Your company is rolling out a training program
to ensure that everyone is familiar with the
company’s Internet usage policy.
As a member of the Human Resources
Department, you have been asked to develop
a key piece of the training relating to why this
policy is needed.
What kind of concerns can you expect your
audience to raise? How can you deal with this
anticipated resistance to the policy?
Editor's Notes
, including credit cards, checking and savings accounts, loans, payroll direct deposit, and brokerage accounts.
Individuals should be concerned about how this personal data is protected by businesses and other organizations and whether or not it is shared with other people or companies.
Is a bank deregulation law. Repealed Glass-Steagall law.
Glass-Steagall prohibited any one institution from offering investment, commercial banking, and insurance services; individual companies were only allowed to offer one of those types of financial service products.
GLBA enabled such entities to merge.
After the law was passed, financial institutions resorted to mass mailings to contact
their customers with privacy-disclosure forms. As a result, many people received a dozen
or more similar-looking forms—one from each financial institution with which they did
business. However, most people did not take the time to read the long forms, which were
printed in small type and full of legalese. Rather than making it easy for customers to opt
out, the documents required that consumers send one of their own envelopes to a specific
address and state in writing that they wanted to opt out—all this rather than sending a
simple prepaid postcard that allowed customers to check off their choice. As a result,
most customers threw out the forms without grasping their full implications and thus, by
default, agreed to opt in to the collection and sharing of their personal data.
Individuals are rightly concerned about the erosion of privacy of data concerning their health.
(billing agents, insurers, debt collectors, research firms, government agencies, and charitable organizations)
c
a
d
d
a
F
T
Email Deletion Policy - Verbal? Approvals?
1 year experience/ recent promotion
Inform relevant parties - No allegation