CH 1 - Introduction to Privacy

Ref - CIPP/US Textbook

1.1 Defining Privacy

1. In 1890, The Right to Privacy” in the Harvard Law Review, setting forth the essential definition of privacy as “the right to be let alone.”

2. Privacy has been defined as the desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others.

1.2 Classes of Privacy

1. Classes of Privacy

   1. Information Privacy- establishing rules that govern the collection and handling of personal information.

      1. Financial information

      2. Medical information

      3. Government records

      4. records of a person’s activities on the Internet.

   2. Bodily Privacy - person’s physical being and any invasion thereof.

      1. Genetic testing

      2. Drug testing

      3. body cavity searches.

      4. Birth control

      5. Abortion

      6. adoption

   3. Territorial Privacy Invasion - limitations on one's environment, invation into an individual’s territorial privacy typically takes the form of monitoring

      1. Video surveillance

      2. ID checks

      3. workspace, home, or public space

   4. Communications Privacy protection of the means of correspondence

      1. Postal mail

      2. telephone conversations

      3. email

1.3 The Historical and Social Origins of Privacy

1. Bible, Quran,

   1. Do Not Gossip - Privacy as social concept, Freedom of being watched

2. Legal

   1. Justices of the Peace Act, enacted in 1361, included provisions calling for the arrest of “peeping Toms” and eavesdroppers.

   2. 1765 protected privacy of the home.

   3. US Constitution

      1. Word privacy doesn’t appear

      2. Provisions:

         1. Third - banning soldiers

         2. Fourth - Search Warrant

         3. Fifth - testify against yourself banned

         4. 14th - Due process under law, intrusions against bodily privacy

   4. California - State Constitution - Nov 1974 Ammended to add privacy

   5. UN - Universal Declaration of Human Rights

      1. 1948 - General Assembly - Legal Protection adopted - No one subjected to arbitrary interference with his privacy, family, home or correspondence.”

Article 12

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

2. 6. Council of Europe, 1950

1.4 Fair Information Practices

Purpose: The purpose of the Fair Information Practices is to set guidelines for handling, storing, and managing data with privacy, security, and fairness.

FIPS Overview

1. Rights of Individuals

   1. Notice. Organizations should provide notice about their privacy policies and procedures, and should identify the purpose for which personal information is collected, used, retained and disclosed.

   2. Choice and consent. Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers.

   3. Data subject access. Organizations should provide individuals with access to their personal information for review and update.

2. Controls on the Information. Organizations should focus on information security and information quality.

   1. Information security. Organizations should use reasonable administrative, technical and physical safeguards to protect personal information against unauthorized access, use, disclosure, modification and destruction.

   2. Information quality. Organizations should maintain accurate, complete and relevant personal information for the purposes identified in the notice.

3. Information Lifecycle. Organizations should address the lifecycle of information, including collection, use and retention, and disclosure.

   1. Collection. Organizations should collect personal information only for the purposes identified in the notice.

   2. Use and Retention.

      1. Organizations should limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent.

      2. Organizations should also retain personal information for only as long as necessary to fulfill the stated purpose.

   3. Disclosure. Organizations should disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

4. Management - Duties of the Data Controller

   1. Management and administration - organizations should define, document, communicate privacy policies

   2. Monitoring and enforcement - organizations should monitor compliance with their privacy policies

U.S. Health, Education and Welfare FIPs (1973)

1. FIPS today have an origin from 1973 report by the U.S. Department of Health, Education and Welfare Advisory Committee on Automated Systems.

   1. No personal data record keeping system that is secret

   2. People can find out what is stored on them

   3. People can find a way to correct info on them

OECD Guidelines (1980) FIPPs

1. Europe/US published a set of privacy principles entitled “Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data".

2. most widely recognized framework for FIPs and have been endorsed by the U.S. Federal Trade Commission (FTC) and many other government organizations.19

3. Guidelines:

   • Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

   • Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up to date.

   • Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are speci ed on each occasion of change of purpose.

   • Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: (a) with the consent of the data subject or (b) by the authority of law.

   • Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

   • Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

   • Individual Participation Principle. An individual should have the right: (a) to obtain from a data controller, or otherwise, con rmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data rectified, completed or amended.

   • Accountability Principle. A data controller should be accountable for

Council of Europe Convention (1981)

1. Council of Europe passed the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data ("Convention 108"). This convention required member states of the Council of Europe that signed the treaty to incorporate certain data protection provisions into their domestic law.

APEC Privacy Framework (2004)

1. APEC Privacy Subgroup was established under the auspices of the Electronic Commerce Steering Group in order to develop a framework for privacy practices. This framework was designed to provide support to APEC-member economic legislation that would both protect individual interests

2. APEC privacy principles spelled out in the framework are:

• Notice

• Collection Limitation

• Uses of Personal Information

• Choice

• Integrity of Personal Information

• Access and Correction

• Accountability

Madrid Resolution (2009)

1. In 2009, the Madrid Resolution was approved by the independent data protection and privacy commissioners (not the governments themselves)

2. Dual purposes for the Madrid Resolution:

   1. Define a set of principles and rights guaranteeing

(1) the effective and internationally uniform protection of privacy with regard to the processing of personal data

(2) the facilitation of the international flows of personal data needed in a globalized world.

3. Principles

   1. Principle of lawfulness and fairness

   2. Purpose specification principle

   3. Proportionality principle

   4. Data quality

   5. Openness principle

   6. Accountability

1.5 Information Privacy, Data Protection and the Advent of Information Technology

1. Unprecedented accumulation of personal data, and the resulting potential for increased surveillance, also triggered an acute interest in privacy practices and the privacy rights of individuals.

2. United States passed its first national privacy law in 1970

3. Fair Credit Reporting Act, which focused solely on information about consumer credit.

1.6 Personal and Nonpersonal Information

1. Personal Information. In the United States, the terms personal information and personally identifiable information (PII) are generally used to define the information that is covered by privacy laws.

• Possible to identify an individual

1. 1. 1. 1. Names

         2. Social Security numbers

         3. Passport numbers

• “Identifiable” to an individual.

1. 1. 1. 4. Street address

         5. Telephone number

         6. Email address

2. Sensitive personal information

   1. 1. An important subset of personal information. what is considered sensitive varies depending on jurisdiction and particular regulations.

         1. In the United States these are sensitive

            1. Social Security numbers

            2. Financial information

            3. Driver’s license numbers

            4. Health Information

      2. Line between sensitive and personal - sensitive requires additional safeguards.

3. Nonpersonal Information

   1. 1. data elements used to identify the individual are removed, the remaining data becomes nonpersonal information, and privacy and data protection laws generally do not apply.

      2. Also called deidentified or anonymized

1.7 Sources of Personal Information

1. Publicly Records

   1. collected and Maintained by a government entity and available to the public.

   2. Real Estate Records

2. Publicly available information

   1. Generally available to a wide range of persons, i.e. in telephone books

   2. Names

   3. Addresses

   4. Information published in newspapers or other public media.

3. Nonpublic information

   1. not generally available or easily accessed due to law or custom.

   2. Examples - medical records, financial records, customer databases, and adoption records

1.8 Processing Personal Information

1. Data Subject

   1. Data Subject –the collection, recording, organization, storage, updating or modification, retrieval, consultation and use of PI. It also includes the disclosure by transmission, dissemination or making available in any other form, linking, alignment, or combination, blocking, erasure, or destruction of PI.

   2. individual about whom information is being processed (i.e. patient, employee, customer)

2. Data Controller

   1. An organization that has the authority to decide how and why PI is to be processed.

   2. It controls the use of PI by determining the purposes for its use and the manner in which the information is processed.

3. Data Processor

   1. Individual or organization, often 3rd party outsourcing service, that processes data on behalf of the data controller.

   2. Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule, these data processors are called “business associates.

4. Data Protection Authority

1.9 Sources of Privacy Protection

1. Markets.

   1. Businesses that are brand sensitive are especially likely to adopt strict privacy practices to build up their reputations as trustworthy organizations.

2. Technology.

   1. Technology also can provide robust privacy protection.

   2. Rapid advancement of technology such as encryption provides people with new and advanced means of protecting themselves.

3. Law.

   1. Traditional approach to privacy regulation.

   2. However, simply enacting more laws does not necessarily result in better privacy and security.

   3. One very important source of privacy protections.

   4. In practice actual protection also depends on markets, technology and self-regulation.

4. Self-regulation and co-regulation.

   1. Self-regulation (and the closely related concept of co-regulation) is a complement to law that comes from the government. The term self-regulation can refer to any or all of three components: legislation, enforcement and adjudication.

1.10 World Models of Data Protection

1. Comprehensive

   1. Comprehensive data protection laws govern the collection, use and dissemination of personal information in the public and private sectors

   2. Official or agency, referred to as a data protection authority (DPA) in Europe, that ensures compliance with the law and investigates alleged breaches of the law’s provisions

2. Sectoral

   1. - addresses a particular industry or sector Healthcare (HIPPA)

3. Co Regulatory

   1. emphasizes industry development of enforceable codes or standards for privacy and data protection

   2. Legal requirements by the government are set.

   3. U.S. example is the Children’s Online Privacy Protection Act in the United States (COPPA), which allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by the FTC.

4. Self Regulatory

   1. Creation of codes of practice for the protection of personal information by a company, industry or independent body.

   2. PCI-DSS - code of practice for personal information (PCI-DSS) Payment Card Industry