Case Studies:
ITSS 4201 Internet Insurance and Information Hiding
University of Palestine
Eng. Wisam Zaqoot
Feb 2010

Case studies:
- The Data Protection Act 1998 (in UK)
- The Freedom of Information Act 2000 (in UK)
- YouTube vs. media producers

Overview
- General overview of the DPA 1998
  - Definitions
  - Changes since 1984 Act
  - Sensitive Personal Data & Consent
  - The eight principles
- Freedom of Information Act 2000
  - Public Rights
  - Exemptions
  - Key Points
- Resources

What is the Data Protection Act?
- Intended to balance interests of data subjects with data controllers.
- Freedom to process data vs. privacy of individuals.
- 1984 act was repealed by the 1998 act.

Definitions
- Personal Data
  - Expression of opinion, or fact, E-mail address, photos, video footage etc. etc.
  - Some types are sensitive (a special new category).
- Processing
  - Reviewing, holding, sorting, deleting
- Data Controller
  - all of us! Users of data
- Relevant Filing System
  - Readily accessible information about living individuals
- Information Commissioner
  - New name for Data Protection Registrar

Changes Since the 1984 Act
- Much broader than the old act.
- More rights for data subjects.
- Covers relevant manual filing systems.
- New category of data – sensitive data.
- Transitional relief – 23 October 2001, for existing automated data and 23 October 2007 for manual records.
- Rules about export of data to non-EEA countries.

Some Effects on Colleges and Departments
- Data subjects are students, staff, alumni, suppliers (sole traders or partnerships), tenants, legal advisers, fellows etc.
- Anyone can be a data controller
- Dead people have no rights.
- Overseas transfers of data – notably to U.S.
- Requirement to ensure data is secure, accurate, sufficient but not excessive.
- Can’t hold data longer than is reasonable.

1. Principles of the act
Non-sensitive Personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met.
- Consent – the most important
- Contract
- Legal Obligation
- Vital interests of subject (life or death!)
- Public functions
- Balance of interest

Sensitive Personal Data
- Racial or ethnic origin
- Political opinions
- Religious/similar beliefs (note food!)
- Trade Union Membership
- Health
- Sexual Life
- Offences

Sensitive Personal Data
May only be held if one of the below is met:
- Explicit and informed consent
- Employment Law
- Vital Interests of Subject
- Legal Proceedings
- Medical Purposes (by medical professionals)
- Equal opportunities monitoring

Consent
- “Freely given specific and informed indication of wishes by which the data subject signifies agreement to personal data relating to him/her being processed.”
- Can’t use implied consent – must get forms back.
- Can’t use blanket consent as condition of entry.

Fair processing
- Must not intentionally or otherwise deceive or mislead subject as to purpose of data use/collection.
- Must identify to subject data controller/nominated representative.
- Must identify to subject purpose of processing data.
- Exceptions are disproportionate effort (direct marketing not allowed) or legal obligation.

2. Principles of the act
Data must be obtained only for one or more specified lawful purposes.
- Must not use data for a new incompatible purpose without subject’s consent.
- Have a data protection statement explaining what data will be held and why and get consent from new students/staff as they arrive.

3 & 4. Principles of the act
- Personal data must be adequate, relevant and not excessive.
  - Must not stock up on data without a reason that can be justified – consent!
- Personal data shall be accurate and up-to-date.
  - This is an ongoing requirement and means data needs to be kept under constant review.

5. Principles of the act
Personal data may not be kept for any longer than is necessary for its stated purpose(s).
- This potentially creates a problem with old staff/members data. Development offices beware!
- Consent from all new staff/members to keep their data after they have left as this is a different purpose to keeping it while they are here.

6. Principles of the act
Personal data must be processed in accordance with the rights of data subjects
- This means that you cannot do things that violate the rights given to data subjects under the new act, especially denying access to data.

Rights of data subjects
- Must be informed if personal data are being processed and given a description of the personal data and for what purpose it is being held.
- May prevent processing for purposes of direct marketing.
- Right to see algorithms used in automated decision making (credit scoring etc.).
- Compensation, rectification, blocking, destruction.

Access rights
- Right to have communicated to him/her in an intelligible form the information constituting the data.
- Right to be informed of logic involved in automated processing.
- Request must be in writing, fee may be charged and identity may be thoroughly checked.

Access rights
Data may be withheld if disclosure would disclose data about a third party unless:
- Third party has consented to disclosure
- It is reasonable to comply without the third party’s consent.
  - Duty of confidentiality, steps taken to seek consent, express refusal of third party.

7. Principles of the act
Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data.
- First is related to IT support staff (backups, password security etc.) but everyone can help.
- Second is about being careful with keys, having access controls, CCTV monitoring etc.
- Beware social engineering!

8. Principles of the act
Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it.
- US does not.
- Putting things on a web site is equal to export of data.
- Transfer is OK if contract is in place with the overseas party or the subject has consented.
- Data Protection Commissioner is preparing standard contracts.

The Freedom of Information Act 2000
- The FOI act 2000 gives individuals the right to access information about certain public bodies by two routes:
  - Publication Scheme
  - General Right of Access
- There are exemptions
- FOI basically extends subject access rights given in the DPA 1998
- Colleges are separate legal entities so need their own Publication Scheme and procedures

FOI – Public Rights
- To be told whether the information exists – known as the duty to confirm or deny
- To receive the information (and, where possible, in the manner requested)
- To receive reasons for a decision to withhold information
- All requests must be in “permanent form”
  - E-mail, Letter, Fax
- Reply must be sent within 20 working days
  - Use vacation auto-reply for contact person if they are away

FOI – Exemptions
- Many exemptions, some absolute, some qualified e.g.
  - Commercial Interest
  - Law enforcement
  - Legal Professional Privilege
  - Parliamentary Privilege
- FOI does not override DPA but DPA is not an excuse not to comply with FOI requests
  - Interaction is complex!

FOI – Vexatious or Repeated
Some people may exploit FOI in a vexatious or repeated manner.
Vexatious means:
- clearly does not have any serious purpose or value
- is designed to cause disruption or annoyance
- has the effect of harassing the public authority
- can otherwise fairly be characterized as obsessive or manifestly unreasonable.
Repeated means:
- More often than a “reasonable interval”
  - Needs defining
- Requests asking if previously requested information has changed are OK
- Reply can say when info is next to be updated and a request before then would be “repeated”

FOI - Key points to note
- Requests can be received by anyone within the organisation and do not need to refer to the Freedom of Information Act
- Requests must be in writing (including e-mail, fax etc)
- Requests must be dealt with within 20 working days
- No obligation to provide information which is already in the public domain/accessible by other means (e.g. via the publication scheme or in a book the organisation may hold)
- No obligation to create information that the Organisation does not already hold (e.g. statistical summaries)
- Organisation may charge a fee for the provision of information.
  - Charges must be calculated in accordance with the fees regulations prescribed by the Department for Constitutional Affairs. Currently £50 maximum.

Example: How to Deal with Enquiries in a university?
(Flowchart, starting at “Start Here”; the YES/NO branches between the boxes did not survive in this transcript. Box text, in transcript order:)
- Send the applicant a data protection subject access request form, to be returned to the University’s Data Protection Officer
- Is the enquirer requesting information about him/herself?
- Is the request in writing (including e-mail, fax)?
- Send request to the Data Protection Officer at the University Offices
- Ask the applicant to put the request into writing, and send to the Data Protection Officer at the University Offices
- Is the information requested available via the Publication Scheme (check at: http://www.admin.ox.ac.uk/foi/contents.shtml) or via any other means?
- Does the request relate to a living individual(s)?
- Tell the applicant where he/she will be able to find the information
- Does the information requested relate solely to your department or unit?
- Provide the information
- Is the information of a type or category for which you have been asked in the past and have given without hesitation (or would have given if you had been asked)? *
- Is the request in writing (including e-mail, fax)?
- Ask the applicant to use the FOI request form (at http://www.admin.ox.ac.uk/foi/ for advice
* Check that the information does not contain any reference to individuals, other than that which is already publicly available

- YouTube notifies users before uploading videos: “Do not upload any TV shows, music videos, music concerts or commercials without permission unless they consist entirely of content you created yourself.”
- In spite of that, the YouTube website contains many copyrighted materials uploaded illegally.
- YouTube doesn’t check video clips before making them available online. It leaves to copyright holders the right to order the removal of the videos infringing their copyrights.

YouTube vs. Viacom
- In 2008, Viacom, a media producing company, won a lawsuit against YouTube. The ruling gave Viacom access to records of what people watch on YouTube.
- YouTube was ordered to hand over about 12 terabytes of data about the viewing habits of its users.