Case Studies: ITSS 4201 Internet Insurance and Information Hiding

University of Palestine
Eng. Wisam Zaqoot
Feb 2010


Case studies:
- The Data Protection Act 1998 (in UK)
- The Freedom of Information Act 2000 (in UK)
- YouTube vs. media producers

Overview
- General overview of the DPA 1998
  - Definitions
  - Changes since 1984 Act
  - Sensitive Personal Data & Consent
  - The eight principles
- Freedom of Information Act 2000
  - Public Rights
  - Exemptions
  - Key Points
- Resources

Case study 1: The Data Protection Act 1998

What is the Data Protection Act?
- Intended to balance interests of data subjects with data controllers.
- Freedom to process data vs. privacy of individuals.
- 1984 act was repealed by the 1998 act.

Definitions
- Personal Data
  - Expression of opinion, or fact, e-mail address, photos, video footage etc. etc.
  - Some types are sensitive (a special new category).
- Processing
  - Reviewing, holding, sorting, deleting
- Data Controller
  - all of us! Users of data
- Relevant Filing System
  - Readily accessible information about living individuals
- Information Commissioner
  - New name for Data Protection Registrar

Changes Since the 1984 Act
- Much broader than the old act.
- More rights for data subjects.
- Covers relevant manual filing systems.
- New category of data – sensitive data.
- Transitional relief – 23 October 2001, for existing automated data and 23 October 2007 for manual records.
- Rules about export of data to non-EEA countries.

Some Effects on Colleges and Departments
- Data subjects are students, staff, alumni, suppliers (sole traders or partnerships), tenants, legal advisers, fellows etc.
- Anyone can be a data controller
- Dead people have no rights.
- Overseas transfers of data – notably to U.S.
- Requirement to ensure data is secure, accurate, sufficient but not excessive.
- Can’t hold data longer than is reasonable.

1. Principles of the act

Non-sensitive personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met.
- Consent – the most important
- Contract
- Legal Obligation
- Vital interests of subject (life or death!)
- Public functions
- Balance of interest

Sensitive Personal Data
- Racial or ethnic origin
- Political opinions
- Religious/similar beliefs (note food!)
- Trade Union Membership
- Health
- Sexual Life
- Offences

Sensitive Personal Data

May only be held if one of the below is met:
- Explicit and informed consent
- Employment Law
- Vital Interests of Subject
- Legal Proceedings
- Medical Purposes (by medical professionals)
- Equal opportunities monitoring

Consent

“Freely given specific and informed indication of wishes by which the data subject signifies agreement to personal data relating to him/her being processed.”
- Can’t use implied consent – must get forms back.
- Can’t use blanket consent as condition of entry.

Fair processing
- Must not intentionally or otherwise deceive or mislead subject as to purpose of data use/collection.
- Must identify to subject data controller/nominated representative.
- Must identify to subject purpose of processing data.
- Exceptions are disproportionate effort (direct marketing not allowed) or legal obligation.

2. Principles of the act

Data must be obtained only for one or more specified lawful purposes.
- Must not use data for a new incompatible purpose without subject’s consent.
- Have a data protection statement explaining what data will be held and why and get consent from new students/staff as they arrive.

3. & 4. Principles of the act

Personal data must be adequate, relevant and not excessive.
- Must not stock up on data without a reason that can be justified – consent!

Personal data shall be accurate and up-to-date.
- This is an ongoing requirement and means data needs to be kept under constant review.

5. Principles of the act

Personal data may not be kept for any longer than is necessary for its stated purpose(s).
- This potentially creates a problem with old staff/members data. Development offices beware!
- Consent from all new staff/members to keep their data after they have left as this is a different purpose to keeping it while they are here.

6. Principles of the act

Personal data must be processed in accordance with the rights of data subjects
- This means that you cannot do things that violate the rights given to data subjects under the new act, especially denying access to data.

Rights of data subjects
- Must be informed if personal data are being processed and given a description of the personal data and for what purpose it is being held.
- May prevent processing for purposes of direct marketing.
- Right to see algorithms used in automated decision making (credit scoring etc.).
- Compensation, rectification, blocking, destruction.

Access rights
- Right to have communicated to him/her in an intelligible form the information constituting the data.
- Right to be informed of logic involved in automated processing.
- Request must be in writing, fee may be charged and identity may be thoroughly checked.

Access rights

Data may be withheld if disclosure would disclose data about a third party unless:
- Third party has consented to disclosure
- It is reasonable to comply without the third party’s consent.
  - Duty of confidentiality, steps taken to seek consent, express refusal of third party.

7. Principles of the act

Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data.
- First is related to IT support staff (backups, password security etc.) but everyone can help.
- Second is about being careful with keys, having access controls, CCTV monitoring etc.
- Beware social engineering!

8. Principles of the act

Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it.
- US does not.
- Putting things on a web site is equal to export of data.
- Transfer is OK if contract is in place with the abroad party or the subject has consented.
- Data Protection Commissioner is preparing standard contracts.

Case study 2: The Freedom of Information Act 2000

The Freedom of Information Act 2000
- The FOI act 2000 gives individuals the right to access information about certain public bodies by two routes:
  - Publication Scheme
  - General Right of Access
- There are exemptions
- FOI basically extends subject access rights given in the DPA 1998
- Colleges are separate legal entities so need their own Publication Scheme and procedures

FOI – Public Rights
- To be told whether the information exists – known as the duty to confirm or deny
- To receive the information (and, where possible, in the manner requested)
- To receive reasons for a decision to withhold information
- All requests must be in “permanent form”
  - E-mail, Letter, Fax
- Reply must be sent within 20 working days
  - Use vacation auto-reply for contact person if they are away

FOI – Exemptions
- Many exemptions, some absolute, some qualified e.g.
  - Commercial Interest
  - Law enforcement
  - Legal Professional Privilege
  - Parliamentary Privilege
- FOI does not override DPA but DPA is not an excuse not to comply with FOI requests
  - Interaction is complex!

FOI – Vexatious or Repeated

Some people may exploit FOI in a vexatious or repeated manner.

Vexatious means:
- clearly does not have any serious purpose or value
- is designed to cause disruption or annoyance
- has the effect of harassing the public authority
- can otherwise fairly be characterized as obsessive or manifestly unreasonable.

Repeated means:
- More often than a “reasonable interval”
  - Needs defining
- Requests asking if previously requested information has changed are OK
- Reply can say when info is next to be updated and a request before then would be “repeated”

FOI - Key points to note
- Requests can be received by anyone within the organisation and do not need to refer to the Freedom of Information Act
- Requests must be in writing (including e-mail, fax etc)
- Requests must be dealt with within 20 working days
- No obligation to provide information which is already in the public domain/accessible by other means (e.g. via the publication scheme or in a book the organisation may hold)
- No obligation to create information that the Organisation does not already hold (e.g. statistical summaries)
- Organisation may charge a fee for the provision of information.
  - Charges must be calculated in accordance with the fees regulations prescribed by the Department for Constitutional Affairs. Currently £50 maximum.

Example: How to Deal with Enquiries in a university?

Flowchart, beginning at "Start Here", with YES/NO branches between the following boxes.

Questions:
- Is the enquirer requesting information about him/herself?
- Is the request in writing (including e-mail, fax)?
- Is the information requested available via the Publication Scheme (check at: http://www.admin.ox.ac.uk/foi/contents.shtml) or via any other means?
- Does the request relate to a living individual(s)?
- Does the information requested relate solely to your department or unit?
- Is the information of a type or category for which you have been asked in the past and have given without hesitation (or would have given if you had been asked)? *

Actions:
- Send the applicant a data protection subject access request form, to be returned to the University’s Data Protection Officer
- Send request to the Data Protection Officer at the University Offices
- Ask the applicant to put the request into writing, and send to the Data Protection Officer at the University Offices
- Tell the applicant where he/she will be able to find the information
- Provide the information
- Ask the applicant to use the FOI request form (at http://www.admin.ox.ac.uk/foi/
- [email protected] for advice

* Check that the information does not contain any reference to individuals, other than that which is already publicly available

Case study 3: YouTube vs. media producers

- YouTube notifies users before uploading videos: “Do not upload any TV shows, music videos, music concerts or commercials without permission unless they consist entirely of content you created yourself.”
- In spite of that, the YouTube website contains many copyrighted materials uploaded illegally.
- YouTube doesn’t check video clips before making them available online, and it has left to copyright holders the right to order the removal of the videos infringing their copyrights.

YouTube vs. Viacom

- In 2008, Viacom, a media producing company, won a lawsuit against YouTube. The ruling gave Viacom access to records of what people watch on YouTube.
- YouTube was ordered to hand over about 12 terabytes of data about the viewing habits of its users.