Chapter 9 - Privacy and Civil

Liberties
Regulations Abroad [USA and EU]

IT 5105 Professional Issues in IT

Upekha Vandebona
[email protected]

Ref : George W. Reynolds, Ethics in Information Technology , 5th Edition.

Privacy Violations for Making Decisions

Hire a job candidate (Specifically in IT

industry)
Consumers purchasing habits and financial
condition for target, marketing efforts to
consumers who are most likely to buy their
products and services.
Approve a loan,
Offer a scholarship,
Privacy Violations for Making Decisions -
Defending Arguments

Organizationsalso need basic information

about customers to serve them better.
Itis hard to imagine an organization having
productive relationships with its customers
without having data about them.
Approaches to Ensure Privacy

New Laws
Reasonable limits must be set on government and
business access to personal information
Technical Solutions
New information and communication technologies
must be designed to protect rather than diminish
privacy
Privacy Policies
Appropriate corporate policies must be developed
to set baseline standards for peoples privacy
Education
Protection against Government & Private
Industry

Today, in addition to protection from

government intrusion, people want and
need privacy protection from private
industry.
Right to Privacy/ Information Privacy

A broad definition of the right of privacy is

the right to be left alone the most
comprehensive of rights, and the right most
valued by a free people.
Impact of IT on privacy is the term
information privacy
Right to Privacy/ Information Privacy

Information privacy is the combination of

communications privacy (the ability to
communicate with others, without those
communications being monitored by other
persons or organizations)
data privacy (the ability to limit access to
ones personal data by other individuals and
organizations in order to exercise a substantial
degree of control over that data and its use).
Areas

Financial Data,
Health Information,
Childrens Personal Data,
Fair Information Practices,
Electronic
Surveillance, and Access to
Government Records. ***
Financial Data
Individuals must reveal much of their personal
financial data in order to take advantage of the
wide range of financial products and services
available.
To access many of these financial products and
services, individuals must use a personal logon
name, password, account number, or PIN.
The inadvertent loss or disclosure of this personal
financial data carries a high risk of loss of privacy
and potential financial loss.
Gramm-Leach-Bliley Act (1999) - USA

GLBA or Financial Services Modernization

Act.
Three key rules that affect personal privacy

Implications after the law was passed.

1) Financial Privacy Rule

This rule established mandatory guidelines for

the collection and disclosure of personal
financial information by financial
organizations.
Under this provision, financial institutions
must provide a privacy notice to each
consumer that explains what data about the
consumer is gathered, with whom that data
is shared, how the data is used, and how the
data is protected.
1) Financial Privacy Rule

The notice must also explain the consumers

right to opt out
torefuse to give the institution the right to collect
and share personal data with unaffiliated parties.
Anytime a companys privacy policy is changed,
customers must be contacted again and given
the right to opt out.
The privacy notice must be provided to the
consumer at the time the consumer relationship
is formed and once each year thereafter.
1) Financial Privacy Rule

Customers who take no action,

automatically opt in and give financial
institutions the right to share personal data,
such as annual earnings, net worth,
employers, personal investment
information, loan amounts, and Social
Security numbers, to other financial
institutions.
2) Safeguards Rule

Thisrule requires each financial institution

to document a data security plan
describing the companys preparation and
plans for the ongoing protection of clients
personal data.
3) Pretexting Rule

Thisrule addresses attempts by people to

access personal information without proper
authority by such means as impersonating
an account holder or phishing.
GLBA encourages financial institutions to
implement safeguards against pretexting.
Health Information

The use of electronic medical records and the

subsequent interlinking and transferring of this
electronic information among different
organizations has become widespread.
Individualsfear, intrusions into their health
data by employers, schools, insurance firms,
law enforcement agencies, and even
marketing firms looking to promote their
products and services.
HIPPA - Health Insurance Portability Act -
USA -1996
Toimprove the portability and continuity of
health insurance coverage; to reduce
fraud, waste, and abuse in health insurance
and healthcare delivery; and to simplify
the administration of health insurance.
HIPPA - Health Insurance Portability Act

Requires healthcare organizations to

employ standardized electronic
transactions, codes, and identifiers to
enable them to fully digitize medical
records, thus making it possible to
exchange medical data over the Internet.
Privacy Under the HIPAA Provisions

Healthcare providers must obtain written

consent from patients prior to disclosing any
information in their medical records.
Thus, patients need to sign a HIPAA disclosure
form each time they are treated at a hospital,
and such a form must be kept on file with
their primary care physician.
In addition, healthcare providers are required
to keep track of everyone who receives
information from a patients medical file.
Privacy Under the HIPAA Provisions

Healthcare companies must appoint a

privacy officer to develop privacy policies
and procedures as well as train employees
on how to handle sensitive patient data.
These actions must address the potential
for unauthorized access to data by
outside hackers as well as the more likely
threat of internal misuse of data.
Privacy Under the HIPAA Provisions

HIPAA assigns responsibility to healthcare

organizations, as the originators of
individual medical data, for certifying that
their business partners also comply with
HIPAA security and privacy rules.
Childrens Personal Data

Facts
How much hours teens spend on surfing the
web per week?
Does parents have the idea what they are
looking at online?
High percentage of teens have received an
online request for personal information.
High percentage of children have been
approached online by a stranger.
Childrens Personal Data

Many people feel that there is a need to

protect children from being exposed to
inappropriate material and online
predators; becoming the target of
harassment; divulging personal data; and
becoming involved in gambling or other
inappropriate behavior.
FERPA - Family Educational Rights and
Privacy Act (1974) - USA
Assigns certain rights to parents regarding
their childrens educational records.
These rights transfer to the student once
the student reaches the age of 18 or if he
or she attends a school beyond the high
school level.
Under FERPA, the presumption is that a
students records are private and not
available to the public without the consent
of the student.
FERPA - Family Educational Rights and
Privacy Act (1974) - USA
These rights include
the right to access educational records
maintained by a school;
the right to demand that educational records
be disclosed only with student consent;
the right to amend educational records; and
the right to file complaints against a school for
disclosing educational records in violation of
FERPA
COPPA - Childrens Online Privacy
Protection Act (1998) - USA
As an attempt to give parents control over
the collection, use, and disclosure of their
childrens personal information;
Any Web site that caters to children must
offer comprehensive privacy policies, notify
parents or guardians about its data
collection practices, and receive parental
consent before collecting any personal
information from children under 13 years of
age.
COPPA - Childrens Online Privacy
Protection Act (1998) - USA
The law has had a major impact and has
required many companies to spend
hundreds of thousands of dollars to make
their sites compliant; other companies
eliminated preteens as a target audience.
Fair Information Practices

Fairinformation practices is a term for a

set of guidelines that govern the
collection and use of personal data.
The overall goal of such guidelines is to
stop the unlawful storage of personal data,
eliminate the storage of inaccurate
personal data, and prevent the abuse or
unauthorized disclosure of such data.
Fair Information Practices

Forsome organizations and countries, a key

issue is the flow of personal data across
national boundaries (transborder data
flow).
Fairinformation practices are important
because they form the underlying basis for
many national laws addressing data privacy
and data protection issues.
European Union Data Protection Directive
(1995)

Requires any company doing business within

the borders of the countries comprising the
European Union to implement a set of
privacy directives on the fair and
appropriate use of information.
Basically, this directive requires member
countries to ensure that data transferred to
non-European Union (EU) countries is
protected.
European Union Data Protection Directive
(1995)

It also bars the export of data to countries

that do not have data privacy protection
standards comparable to those of the EU.
For example, in 2012, the European
Commission approved New Zealand as a
country that provides adequate
protection of personal data under the
directive so that personal information from
Europe may flow freely to New Zealand.
What is the
Sri Lankan
Context?
MCQ

The purpose of the Fundamental Rights

was to;
a) grant additional powers to the government
b) identify exceptions to specific portions of
the Constitution
c) identify additional rights of individuals
d) identify requirements for being a good
citizen
MCQ

In USA under the provisions of ___________,

healthcare providers must obtain written
consent from patients prior to disclosing any
information in their medical records.
a) HIPAA
b) COPPA
c) Computer Crimes Act No. 24 of 2007
d) FERPA
e) ADA Section 508
MCQ

According to the Childrens Online Privacy

Protection Act, a Web site that caters to
children must:
a) offer comprehensive privacy policies
b) notify parents or guardians about its data
collection practices
c) receive parental consent before collecting any
personal information from preteens
d) all of the above
MCQ

In USA, ________ is a federal law that

assigns certain rights to parents regarding
their childrens educational records.
a) HIPAA
b) COPPA
c) Computer Crimes Act No. 24 of 2007
d) FERPA
e) ADA Section 508
MCQ

Which of the following identifies the

numbers dialed for outgoing calls?
a) pen register
b) wiretap
c) trap and trace
d) all of the above
True / False ?

SriLanka has a single, overarching national

data privacy policy. True or False?
The European philosophy of addressing
privacy concerns employs strict government
regulation, including enforcement by a set
of commissioners; it differs greatly from
the U.S. philosophy of having no federal
privacy policy. True or False?
Fill Blanks

A(n)____________ is a text file that a Web

site can download to a visitors hard drive
to identify visitors on subsequent visits.
Short Answers

What is a pen register?

Justify

Are surveillance cameras worth the cost in

terms of resources and loss of privacy,
given the role that they play in deterring or
solving crimes?
Do you feel that information systems to
fight terrorism should be developed and
used even if they infringe the privacy rights
of ordinary citizens?
Justify

Why do employers monitor workers? Do you

think they have the right to do so?
Do you feel that information systems to
fight terrorism should be developed and
used even if they infringe on privacy rights?
What Would You Do? - Scenario 1

You are a recent college graduate with only

a year of experience with your employer.
You were recently promoted to Head of
Administration of email services.
You are quite surprised to receive a phone
call at home on a Saturday from the Chief
Financial Officer of the firm asking that you
immediately delete all email from all email
servers, including the archive and back-up
servers, that is older than six months.
What Would You Do? - Scenario 1
He states that the reason for his request is that
there have been an increasing number of
complaints about the slowness of email services. In
addition, he says he is concerned about the cost of
storing so much email.
This does not sound right to you because you
recently have taken several measures that have
speeded up email services.
An alarm goes off when you recall muted
conversations in the lunchroom last week about an
officer of the company passing along inside trade
information to an outsider.
What do you say to the Chief Financial Officer?
Why?
What Would You Do? - Scenario 2
You are a new brand manager for a product line of
gardening equipments. You are considering collecting
information from various organizations about the people
who are going to retiring from their service. The
information which includes list of names and their
mailing addresses, places of living, lands owned, email
addresses, annual income received, and highest level of
education achieved.
You could use the data to identify likely purchasers of
your gardening equipments, and you could then send
those people emails announcing the new product line
and advertizing its many features.
List the advantages and disadvantages of such a
marketing strategy. Would you recommend this means
of promotion in this instance? Why or why not?
What Would You Do? - Scenario 3

Your company is rolling out a training program

to ensure that everyone is familiar with the
companys Internet usage policy.
As a member of the Human Resources
Department, you have been asked to develop
a key piece of the training relating to why this
policy is needed.
What kind of concerns can you expect your
audience to raise? How can you deal with this
anticipated resistance to the policy?