Week 11: ECM1407 Social and Professional Issues of the Information Age PDF
University of Exeter
Marcos Oliveira
Summary
This document covers the concept of data protection, including historical context and legal aspects. It also touches upon the topic of privacy and its relationship with the handling of personal data in the information age. The text also mentions Terms of Service. It is likely course material for a social issues information studies class.
Full Transcript
Week 11
ECM1407: Social and Professional Issues of the Information Age
Marcos Oliveira

Data Protection
- The Data Protection Act
- Sneaky Responses
- General Data Protection Regulation (GDPR)

Week 10: Data Protection
The Data Protection Act

Privacy
Three key aspects of privacy:
- Freedom from intrusion;
- Control of information about oneself;
- Freedom from surveillance.
We often give up our privacy for the benefit of dealing with strangers.

Human Rights
You have the right to live your life privately without government interference.
https://www.equalityhumanrights.com/en/human-rights-act/article-8-respect-your-private-and-family-life
https://www.legislation.gov.uk/ukpga/1998/42/schedule/1

Back in the 60s
From academic/military settings to:
- An increase in the collection and distribution of information as a commercial activity.
- Governmental centralization of information about individuals’ private affairs.
Warren, Adam, and James Dearnley. "Data protection legislation in the United Kingdom: From development to statute 1969–84." Information, Community & Society 8.2 (2005): 238-263.

Back in the 70s
In 1972, the Committee on Privacy—the Younger Report—identified three areas of concern when computers are used:
1. compiling personal profiles on single databases;
2. data matching across multiple databases;
3. and unauthorized access to personal information.
In 1974, Sweden bans the export of Swedish personal data to the UK.
The UK was considered a “data haven”: no legal control or regulation.
Warren, Adam, and James Dearnley. "Data protection legislation in the United Kingdom: From development to statute 1969–84." Information, Community & Society 8.2 (2005): 238-263.
https://api.parliament.uk/historic-hansard/lords/1973/jun/06/privacy-younger-committees-report

The Data Protection Act 1984
It is concerned with personal data relating to an identifiable living individual.
The act considers:
- Data subject means an individual who is the subject of personal data.
- Data users are the ones who process and control data.
- Computer bureaux are those who only process data.
The Data Protection Registrar was responsible for promoting data protection and enforcing the act at tribunals.
https://www.legislation.gov.uk/ukpga/1984/35/contents/enacted

Sneaky responses
Data sharing
I have read and understood the privacy policy, and wish to register.

IMPORTANT, READ CAREFULLY: YOUR USE OF AND ACCESS TO THE WEBSITE AND PRODUCTS AND SERVICES AND ASSOCIATED SOFTWARE (COLLECTIVELY, THE "SERVICES") OF ZOOM VIDEO COMMUNICATIONS, INC. AND ITS AFFILIATES ("ZOOM") IS CONDITIONED UPON YOUR COMPLIANCE WITH AND ACCEPTANCE OF THESE TERMS, WHICH INCLUDE YOUR AGREEMENT TO ARBITRATE CLAIMS. PLEASE REVIEW THOROUGHLY BEFORE ACCEPTING.
BY CLICKING/CHECKING THE "I AGREE" BUTTON/BOX, ACCESSING THE ZOOM WEBSITE OR BY UTILIZING THE ZOOM SERVICES YOU AGREE TO BE BOUND BY THESE TERMS OF SERVICE AND ALL EXHIBITS, ORDER FORMS, AND INCORPORATED POLICIES (THE “AGREEMENT” OR “TOS”). THE ZOOM SERVICES ARE NOT AVAILABLE TO PERSONS WHO ARE NOT LEGALLY ELIGIBLE TO BE BOUND BY THESE TERMS OF SERVICE.

Zoom will provide the Services, and you may access and use the Services, in accordance with this Agreement. Zoom may provide any of the Services hereunder through any of its Affiliates. If You order Services through an on-line registration page or an order form (each an "Order Form"), the Order Form may contain additional terms and conditions and information regarding the Services you are ordering. Unless otherwise expressly set forth in any such additional terms and conditions applicable to the specific Service which You choose to use, those additional terms are hereby incorporated into this Agreement in relation to Your use of that Service.

System Requirements. Use of the Services requires one or more compatible devices, Internet access (fees may apply), and certain software (fees may apply), and may require obtaining updates or upgrades from time to time. Because use of the Services involves hardware, software, and Internet access, Your ability to access and use the Services may be affected by the performance of these factors. High speed Internet access is recommended. You acknowledge and agree that such system requirements, which may be changed from time to time, are Your responsibility.

1. DEFINITIONS. The following definitions will apply in this Agreement, and any reference to the singular includes a reference to the plural and vice versa. Service specific definitions are found in the Services Description located at www.zoom.us/docs/en-us/services-description.html. “Affiliate” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by or is under common control with that Party.
For purposes of this Agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity. “End User” means a Host or Participant (as defined in the Services Description) who uses the Services. "Initial Subscription Term" means the initial subscription term for a Service as specified in an Order Form. "Service Effective Date" means the date an Initial Subscription Term begins as specified in an Order Form. "Renewal Term" means the renewal subscription term for a Service commencing after the Initial Subscription Term or another Renewal Term as specified in an Order Form.

2. SERVICES. Zoom will provide the Services as described on the Order Form, and standard updates to the Services that are made generally available by Zoom during the term. Zoom may, in its sole discretion, discontinue the Services or modify the features of the Services from time to time without prior notice.

Sneaky responses
Terms of service (or terms of use) consist of the legal agreements between a service provider and an individual who wants to use the service.
I have read and understood the privacy policy, and wish to register.
It is legally binding.
Companies can refuse service.
Zuckerberg video: https://www.youtube.com/watch?v=bBevsgSn65A
“Terms of Service; Didn't Read” website simplifies terms of services.
“I have read and agree to the Terms” is the biggest lie on the web.
“Terms of Service; Didn't Read” (ToS;DR)
https://tosdr.org/

Sneaky responses
Other examples?
We do not claim ownership of your content, but you grant us a licence to use it.
Nothing is changing about your rights in your content. We do not claim ownership of your content that you post on or through the Service and you are free to share your content with anyone else, wherever you choose. However, we need certain legal permissions from you (known as a "licence") to provide the Service. When you share, post or upload content that is covered by intellectual property rights (such as photos or videos) on or in connection with our Service, you hereby grant to us a non-exclusive, royalty-free, transferable, sub-licensable, worldwide licence to host, use, distribute, modify, run, copy, publicly perform or display, translate and create derivative works of your content (consistent with your privacy and application settings). This licence will end when your content is deleted from our systems. You can delete content individually or all at once by deleting your account.

Other examples?
DNA
https://www.youtube.com/watch?v=2oeZdCixvwM

Sneaky subscription to services

Data Protection
Previously
Back in the 60s: collection and distribution of information commercially.
Back in the 70s: the Younger Report; UK, a data haven.
1984: the Data Protection Act.
Then companies bamboozling users into handing over their personal data.

Week 10: Data Protection
General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)
2018 EU regulation law on data protection and privacy.
The GDPR regulates how organizations process personal data.
“any information relating to a natural person who is identified or identifiable, directly or indirectly, with particular reference to an identifier, such as name, ID number, location data, or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
It became a model for national laws outside the EU.
EU-GDPR and UK-GDPR are quite similar.
https://uk-gdpr.org/

General Data Protection Regulation
The ‘six plus one’ data principles:
- Accuracy
- Lawfulness, fairness and transparency
- Storage limitation
- Purpose limitation
- Integrity and confidentiality (security)
- Data minimisation
- Accountability
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/

General Data Protection Regulation: principles
Lawfulness, fairness and transparency
Data should be processed lawfully, fairly and in a transparent manner in relation to individuals.
Transparency: You should be clear, open and honest with people from the start about who you are, and how and why you use their personal data.
Fairness: You should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.
Lawfulness: For processing of personal data to be lawful, you need to identify specific grounds for the processing.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/

General Data Protection Regulation: principles
The lawful bases for personal data processing
At least one of these must apply when processing personal data:
- Consent: the individual has given clear consent to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract with the individual.
- Legal obligation: the processing is necessary for complying with the law.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for performing a task in the public interest.
- Legitimate interests: the processing is necessary for a company’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

General Data Protection Regulation: principles
Lawfulness, fairness and transparency
https://www.exeter.ac.uk/

General Data Protection Regulation: principles
Lawfulness, fairness and transparency
Data should be processed lawfully, fairly and in a transparent manner in relation to individuals.
WindTre was fined €17 million
“[…] Complaints were received from users against unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls.
[…] the MyWind and My3 apps had been configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation."
https://edpb.europa.eu/news/national-news/2020/telephone-operators-italian-sa-fines-wind-eur-17-million-and-iliad-eur-08_en

General Data Protection Regulation: principles
- Purpose limitation: Data should be collected only for specific legitimate purposes.
- Storage limitation: Data should be stored only as long as is necessary.
- Data minimization: Data should be adequate, relevant and limited to what is necessary.
- Accuracy: Personal data should be accurate, and where necessary, kept up to date.
https://www.youtube.com/watch?v=2o_VpzQFj5s

General Data Protection Regulation: principles
Integrity and confidentiality (security)
Data should be processed in a manner that ensures appropriate security.
72 hours to respond to a personal data breach.

HIV Scotland fined £10,000 for email data breach
“The data protection breach involved an email to 105 people, including patient advocates representing people living in Scotland with HIV."
https://www.bbc.co.uk/news/uk-scotland-59008366
https://www.civilsociety.co.uk/news/hiv-charity-fined-10-000-over-data-breach.html

General Data Protection Regulation: principles
Integrity and confidentiality (security)
Data should be processed in a manner that ensures appropriate security.
British Airways was fined £184 million
Personal details of more than 400,000 customers were leaked due to a cyberattack, and British Airways lacked adequate security to detect and defend itself against it.
The fine was reduced to £20 million due to “the economic impact of Covid-19”.
https://www.bbc.co.uk/news/technology-54568784
https://www.bbc.co.uk/news/business-48905907

General Data Protection Regulation: principles
Accountability
The controller should be responsible for demonstrating compliance with the data principles.
Depending on the type of business, this principle creates a new position in companies: data protection officer.
https://cybersecurityguide.org/careers/data-protection-officer/
https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo/

Privacy Rights of Individuals
As individuals, data subjects have rights:
- The right to erasure.
- The right to be informed.
- The right to restrict processing.
- The right of access.
- The right to data portability.
- The right to rectification.
- The right to object.

Privacy Rights of Individuals
Example: Downloading your data: Instagram, Facebook, Google Location History

The Right to be Forgotten
The Internet never forgets?
GDPR gives individuals “the right to be forgotten”
The right of having personal information removed from services under certain circumstances.
https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/

The Right to be Forgotten
The right of having personal information removed from services under certain circumstances:
- The organisation no longer needs your data for the original reason they collected or used it for.
- You initially consented to the organisation using your data, but have now withdrawn your consent.
- You have objected to the use of your data, and your interests outweigh those of the organisation using it.
- You have objected to the use of your data for direct marketing purposes.
- The organisation has collected or used your data unlawfully.
- The organisation has a legal obligation to erase your data.
- The data was collected from you as a child for an online service.
https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/
https://www.youtube.com/watch?v=cSrslo52cHI

The Right to be Forgotten
When it does not apply:
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority;
- For reasons of public interest in public health;
- For archiving purposes in the public interest.
https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/
The Right to be Forgotten
Streisand effect: when attempting to hide a piece of information leads to increasing awareness about it.
https://www.youtube.com/watch?v=r-ERajkMXw0
https://en.wikipedia.org/wiki/Streisand_effect

The Right to be Forgotten
Tricking the algorithm; an alternative approach:
Should we have the right to be forgotten?
Are we re-writing history?
“Who controls the past controls the future: who controls the present controls the past”