Privacy and Civil Liberties

Chapter 9 - Privacy and Civil Liberties IT 5105 – Professional Issues in IT Upekha Vandebona [email protected] Regulations Abroad [USA and EU] Ref: George W. Reynolds, “Ethics in Information Technology”, 5th Edition.

Transcript of Privacy and Civil Liberties

Page 1: Privacy and Civil Liberties

Chapter 9 - Privacy and Civil Liberties

IT 5105 – Professional Issues in IT Upekha Vandebona

[email protected]

Regulations Abroad [USA and EU]

Ref: George W. Reynolds, “Ethics in Information Technology”, 5th Edition.

Page 2: Privacy and Civil Liberties

Privacy Violations for Making Decisions

Hire a job candidate (Specifically in IT industry)

Consumers’ purchasing habits and financial condition for target marketing efforts to consumers who are most likely to buy their products and services.

Page 3: Privacy and Civil Liberties

Privacy Violations for Making Decisions - Defending Arguments

Organizations also need basic information about customers to serve them better.

It is hard to imagine an organization having productive relationships with its customers without having data about them.

Page 4: Privacy and Civil Liberties

Right to Privacy / Information Privacy

Information privacy is the combination of

communications privacy (the ability to communicate with others without those communications being monitored by other persons or organizations)

data privacy (the ability to limit access to one’s personal data by other individuals and organizations in order to exercise a substantial degree of control over that data and its use).

Page 5: Privacy and Civil Liberties

Areas

Financial Data, Health Information, Children’s Personal Data, Fair Information Practices, Electronic Surveillance, and Access to Government Records.

Page 6: Privacy and Civil Liberties

Financial Data

Individuals must reveal much of their personal financial data in order to take advantage of the wide range of financial products and services available.

To access many of these financial products and services, individuals must use a personal logon name, password, account number, or PIN.

The inadvertent loss or disclosure of this personal financial data carries a high risk of loss of privacy and potential financial loss.

Page 7: Privacy and Civil Liberties

Gramm-Leach-Bliley Act (1999) - USA

GLBA or Financial Services Modernization Act.

Three key rules that affect personal privacy

Implications after the law was passed.

Page 8: Privacy and Civil Liberties

1) Financial Privacy Rule

This rule established mandatory guidelines for the collection and disclosure of personal financial information by financial organizations.

Under this provision, financial institutions must provide a privacy notice to each consumer that explains what data about the consumer is gathered, with whom that data is shared, how the data is used, and how the data is protected.

Page 9: Privacy and Civil Liberties

1) Financial Privacy Rule

The notice must also explain the consumer’s right to opt out, that is, to refuse to give the institution the right to collect and share personal data with unaffiliated parties.

Anytime a company’s privacy policy is changed, customers must be contacted again and given the right to opt out.

The privacy notice must be provided to the consumer at the time the consumer relationship is formed and once each year thereafter.

Page 10: Privacy and Civil Liberties

1) Financial Privacy Rule

Customers who take no action automatically opt in and give financial institutions the right to share personal data, such as annual earnings, net worth, employers, personal investment information, loan amounts, and Social Security numbers, to other financial institutions.

Page 11: Privacy and Civil Liberties

2) Safeguards Rule

This rule requires each financial institution to document a data security plan describing the company’s preparation and plans for the ongoing protection of clients’ personal data.

Page 12: Privacy and Civil Liberties

3) Pretexting Rule

This rule addresses attempts by people to access personal information without proper authority by such means as impersonating an account holder or phishing.

GLBA encourages financial institutions to implement safeguards against pretexting.

Page 13: Privacy and Civil Liberties

Health Information

The use of electronic medical records and the subsequent interlinking and transferring of this electronic information among different organizations has become widespread.

Individuals fear intrusions into their health data by employers, schools, insurance firms, law enforcement agencies, and even marketing firms looking to promote their products and services.

Page 14: Privacy and Civil Liberties

HIPAA - Health Insurance Portability Act - USA - 1996

To improve the portability and continuity of health insurance coverage; to reduce fraud, waste, and abuse in health insurance and healthcare delivery; and to simplify the administration of health insurance.

Page 15: Privacy and Civil Liberties

HIPAA - Health Insurance Portability Act

Requires healthcare organizations to employ standardized electronic transactions, codes, and identifiers to enable them to fully digitize medical records, thus making it possible to exchange medical data over the Internet.

Page 16: Privacy and Civil Liberties

Privacy Under the HIPAA Provisions

Healthcare providers must obtain written consent from patients prior to disclosing any information in their medical records.

Thus, patients need to sign a HIPAA disclosure form each time they are treated at a hospital, and such a form must be kept on file with their primary care physician.

In addition, healthcare providers are required to keep track of everyone who receives information from a patient’s medical file.

Page 17: Privacy and Civil Liberties

Privacy Under the HIPAA Provisions

Healthcare companies must appoint a privacy officer to develop privacy policies and procedures as well as train employees on how to handle sensitive patient data.

These actions must address the potential for unauthorized access to data by outside hackers as well as the more likely threat of internal misuse of data.

Page 18: Privacy and Civil Liberties

Privacy Under the HIPAA Provisions

HIPAA assigns responsibility to healthcare organizations, as the originators of individual medical data, for certifying that their business partners also comply with HIPAA security and privacy rules.

Page 19: Privacy and Civil Liberties

Children’s Personal Data

Facts

How many hours do teens spend surfing the web per week?

Do parents have any idea what they are looking at online?

A high percentage of teens have received an online request for personal information.

A high percentage of children have been approached online by a stranger.

Page 20: Privacy and Civil Liberties

Children’s Personal Data

Many people feel that there is a need to protect children from being exposed to inappropriate material and online predators; becoming the target of harassment; divulging personal data; and becoming involved in gambling or other inappropriate behavior.

To date, only a few laws have been implemented to protect children online.

How does this conflict with freedom of expression?

Page 21: Privacy and Civil Liberties

FERPA - Family Educational Rights and Privacy Act (1974) - USA

Assigns certain rights to parents regarding their children’s educational records.

These rights transfer to the student once the student reaches the age of 18 or if he or she attends a school beyond the high school level.

Under FERPA, the presumption is that a student’s records are private and not available to the public without the consent of the student.

Page 22: Privacy and Civil Liberties

FERPA - Family Educational Rights and Privacy Act (1974) - USA

These rights include

the right to access educational records maintained by a school;

the right to demand that educational records be disclosed only with student consent;

the right to amend educational records; and

the right to file complaints against a school for disclosing educational records in violation of FERPA.

Page 23: Privacy and Civil Liberties

COPPA - Children’s Online Privacy Protection Act (1998) - USA

COPPA is an attempt to give parents control over the collection, use, and disclosure of their children’s personal information; it does not cover the dissemination of information to children.

Any Web site that caters to children must offer comprehensive privacy policies, notify parents or guardians about its data collection practices, and receive parental consent before collecting any personal information from children under 13 years of age.

Page 24: Privacy and Civil Liberties

COPPA - Children’s Online Privacy Protection Act (1998) - USA

The law has had a major impact and has required many companies to spend hundreds of thousands of dollars to make their sites compliant; other companies eliminated preteens as a target audience.

Page 25: Privacy and Civil Liberties

Fair Information Practices

Fair information practices is a term for a set of guidelines that govern the collection and use of personal data.

Various organizations as well as countries have developed their own set of such guidelines and call them by different names.

Page 26: Privacy and Civil Liberties

Fair Information Practices

The overall goal of such guidelines is to stop the unlawful storage of personal data, eliminate the storage of inaccurate personal data, and prevent the abuse or unauthorized disclosure of such data.

Page 27: Privacy and Civil Liberties

Fair Information Practices

For some organizations and countries, a key issue is the flow of personal data across national boundaries (transborder data flow).

Fair information practices are important because they form the underlying basis for many national laws addressing data privacy and data protection issues.

Page 28: Privacy and Civil Liberties

European Union Data Protection Directive (1995)

Requires any company doing business within the borders of the countries comprising the European Union to implement a set of privacy directives on the fair and appropriate use of information.

Basically, this directive requires member countries to ensure that data transferred to non-European Union (EU) countries is protected.

Page 29: Privacy and Civil Liberties

European Union Data Protection Directive (1995)

It also bars the export of data to countries that do not have data privacy protection standards comparable to those of the EU.

For example, in 2012, the European Commission approved New Zealand as a country that provides “adequate protection” of personal data under the directive so that personal information from Europe may flow freely to New Zealand.

Page 30: Privacy and Civil Liberties

EU Data Protection Directive Rules

Notice—An individual has the right to know if his or her personal data is being collected, and any data must be collected for clearly stated, legitimate purposes.

Choice—An individual has the right to elect not to have his or her personal data collected.

Use—An individual has the right to know how personal data will be used and the right to restrict its use.

Security—Organizations must “implement appropriate technical and organizational measures” to protect personal data, and the individual has the right to know what these measures are.

Correction—An individual has the right to challenge the accuracy of the data and to provide corrected data.

Enforcement—An individual has the right to seek legal relief through appropriate channels to protect privacy rights.

Page 31: Privacy and Civil Liberties

What is the Sri Lankan Context?

Page 32: Privacy and Civil Liberties

MCQ

The purpose of the Bill of Rights was to:

a) grant additional powers to the government

b) identify exceptions to specific portions of the Constitution

c) identify additional rights of individuals

d) identify requirements for being a “good” citizen

Page 33: Privacy and Civil Liberties

MCQ

In USA under the provisions of ___________, healthcare providers must obtain written consent from patients prior to disclosing any information in their medical records.

a) HIPAA

b) COPPA

c) Computer Crimes Act No. 24 of 2007

d) FERPA

e) ADA Section 508

Page 34: Privacy and Civil Liberties

MCQ

According to the Children’s Online Privacy Protection Act, a Web site that caters to children must:

a) offer comprehensive privacy policies

b) notify parents or guardians about its data collection practices

c) receive parental consent before collecting any personal information from preteens

d) all of the above

Page 35: Privacy and Civil Liberties

MCQ

In USA, ________ is a federal law that assigns certain rights to parents regarding their children’s educational records.

a) HIPAA

b) COPPA

c) Computer Crimes Act No. 24 of 2007

d) FERPA

e) ADA Section 508

Page 36: Privacy and Civil Liberties

MCQ

Which of the following identifies the numbers dialed for outgoing calls?

a) pen register

b) wiretap

c) trap and trace

d) all of the above

Page 37: Privacy and Civil Liberties

True / False ?

Sri Lanka has a single, overarching national data privacy policy. True or False?

The European philosophy of addressing privacy concerns employs strict government regulation, including enforcement by a set of commissioners; it differs greatly from the U.S. philosophy of having no federal privacy policy. True or False?

Page 38: Privacy and Civil Liberties

Fill Blanks

A(n)____________ is a text file that a Web site can download to a visitor’s hard drive to identify visitors on subsequent visits.

Page 39: Privacy and Civil Liberties

Short Answers

What is a pen register?

Page 40: Privacy and Civil Liberties

Justify

Are surveillance cameras worth the cost in terms of resources and loss of privacy, given the role that they play in deterring or solving crimes?

Do you feel that information systems to fight terrorism should be developed and used even if they infringe the privacy rights of ordinary citizens?

Mail me the justification if anyone is interested in answering.

Page 41: Privacy and Civil Liberties

Justify

Why do employers monitor workers? Do you think they have the right to do so?

Mail me the justification if anyone is interested in answering.

Page 42: Privacy and Civil Liberties

What Would You Do? - Scenario 1

You are a recent college graduate with only a year of experience with your employer. You were recently promoted to Head of Administration of email services.

You are quite surprised to receive a phone call at home on a Saturday from the Chief Financial Officer of the firm asking that you immediately delete all email from all email servers, including the archive and back-up servers, that is older than six months.

Page 43: Privacy and Civil Liberties

What Would You Do? - Scenario 1

He states that the reason for his request is that there have been an increasing number of complaints about the slowness of email services. In addition, he says he is concerned about the cost of storing so much email.

This does not sound right to you because you recently have taken several measures that have speeded up email services.

An alarm goes off when you recall muted conversations in the lunchroom last week about an officer of the company passing along inside trade information to an outsider.

What do you say to the Chief Financial Officer? Why?

Page 44: Privacy and Civil Liberties

What Would You Do? - Scenario 2

You are a new brand manager for a product line of gardening equipment. You are considering collecting information from various organizations about the people who are going to retire from their service. The information includes a list of names and their mailing addresses, places of living, lands owned, email addresses, annual income received, and highest level of education achieved.

You could use the data to identify likely purchasers of your gardening equipment, and you could then send those people emails announcing the new product line and touting its many features.

List the advantages and disadvantages of such a marketing strategy. Would you recommend this means of promotion in this instance? Why or why not?

Page 45: Privacy and Civil Liberties

What Would You Do? - Scenario 3

Your company is rolling out a training program to ensure that everyone is familiar with the company’s Internet usage policy.

As a member of the Human Resources Department, you have been asked to develop a key piece of the training relating to why this policy is needed.

What kind of concerns can you expect your audience to raise? How can you deal with this anticipated resistance to the policy?