CS Unit 5


UNIT – V

Privacy Issues
Contents

1. Basic Data Privacy Concepts: Fundamental Concepts,
2. Data Privacy Attacks
3. Data linking and profiling
4. Privacy policies and their specifications
5. Privacy policy languages
6. Privacy in different domains - medical, financial, etc.

1. Fundamental Concepts - What is Data Privacy?

• Data privacy is a part of the data protection area that deals with the proper handling of data.

• Data privacy relates to how a piece of information—or data—should be handled based on its relative importance.

• Organizations need to learn how to process personal data while protecting privacy preferences of individuals.

1. Fundamental Concepts - What is Data Privacy? (contd..)

Why is Data Privacy Important?

1. When data that should be kept private gets in the wrong hands, bad things can happen.

2. A data breach at a government agency can, for example, put top secret information in the hands of an enemy state.

3. A breach at a corporation can put proprietary data in the hands of a competitor.

4. A breach at a school could put students’ PII in the hands of criminals who could commit identity theft.

5. A breach at a hospital or doctor’s office can put PHI in the hands of those who might misuse it.

2. Fundamental Concepts - What is PII?

Personally Identifiable Information is defined by the US Office of Privacy and Open Government as:

Information which can be used to distinguish or trace an individual’s identity, such as
• their name,
• social security number,
• biometric records, etc. alone, or
• when combined with other personal or identifying information which is linked or linkable to a specific individual, such as
• date and place of birth,
• mother’s maiden name, etc.

Some Important Aspects of Data Privacy

• Data Privacy is not the same as Data Security
• Privacy is the right to be left alone

Consequences of non-compliance:
• More and more privacy regulations worldwide are coming up, such as GDPR
• General Data Protection Regulation - The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU)

Data in Question

General Data Protection Regulation (GDPR) in European Union (EU)


Some Common Standards of Data Privacy

Personal Data Protection Bill (PDPB) India

• Introduced in December of 2019
• Approved by Cabinet Ministry through Voice Vote.
• Applicable to whole India

Companies all over India are already beginning to prepare.

PDPB is modeled after GDPR, although some of its policies aren't laid out as clearly and more discretion is given to India's Central Government to decide how it is enforced and when exceptions can be made.

California Consumer Privacy Act (CCPA) USA

While there is currently no data privacy law applicable to all industries on the federal level, every state in the Union has its own data privacy laws.

These regulations vary significantly in terms of scope, applicability, and penalties, but the strictest among them is the recent California Consumer Privacy Act (CCPA).

General Data Protection Regulation (GDPR) EU

• It is the toughest privacy and security law in the world.

• Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.

• The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

Introduction to ISO 27701:2019

International Standards:
• ISO 27701:2019: Privacy Information Management
• ISO 27001:2013: Information security management systems

ISO 27701:2019 – Security Techniques - serves as a privacy extension to the ISO 27001:2013 and ISO/IEC 27002.

Specifies the requirements for, and provides guidance for, the establishment, implementation, maintenance and improvement of PIMS (Privacy Information Management System) in an organization.

The International Standard for Privacy Information Management

Based on the requirements, control objectives and controls of ISO 27001 and includes a set of privacy-specific requirements, controls and control objectives

Published in August 2019

Benefits of Implementing PIMS

NIST Privacy Framework

Overview of the Privacy Framework


Cybersecurity and Privacy Risk Management

3. Data Privacy Attacks

1. Denial of service (DoS) and distributed denial of service (DDoS) attacks
2. Man in the middle (MITM) attack
3. Phishing and spear phishing attacks; drive-by attack
4. SQL injection attack
5. Cross-site scripting (XSS) attack

Privacy Policies and Their Specifications

• A Privacy Policy is not only the legally required document to disclose your practices on protecting personal information, but it's also a great way to show users that you can be trusted, and that you have procedures in place to handle their personal information with care.

• Privacy Notice (or Privacy Statement): A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information.

• A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.

What to Include in Privacy Policy?

1. Collection
2. Use and Disclosure
3. Information Quality
4. Data Security
5. Openness
6. Access and Correction
7. Identifiers
8. Anonymity
9. Transborder Data Flows
10. Sensitive Information

Collection: Collection of personal information must be fair, lawful and not intrusive. A person must be told the following:
1. organization's name,
2. the purpose of collection,
3. any laws requiring the collection,
4. the main consequences if all or part of the information is not provided, and
5. that the person can get access to their personal information.

Use & Disclosure: An organization should only use or disclose information for the purpose for which it was collected unless the person has consented, or the secondary purpose is related to the primary purpose and a person would expect such disclosure.

Information Quality: An organization must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.

Data Security: An organization must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorized access, modification or disclosure.

Openness: An organization must have a policy document outlining its information handling practices and make this available to anyone who requests it.

Access and Correction: An organization must give an individual access to personal information it holds about that individual.

Identifiers: An organization must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government 'agency'. For example, a tax file number or Medicare number.

Anonymity: Organizations must give people the option to interact anonymously whenever it is lawful and practicable to do so.

Transborder Data Flows: An organization can only transfer personal information to a recipient in a foreign country in circumstances where it is necessary to do so to complete an agreement with a person, or where the information will have appropriate protection or the person has consented to the transfer.

Sensitive Information: An organization must not collect sensitive information (for example, details of a person’s race, religion, sexual preferences or health) unless the individual has consented.

A few PII Security Controls

Change Management—tracking and auditing changes to configuration on IT systems which might have security implications, such as adding/removing user accounts.

Data Loss Prevention—implementing systems that can track sensitive data transferred within the organization or outside it, and identify unnatural patterns that might suggest a breach.

Data masking—ensuring that data is stored or transmitted with the minimal required details for the specific transaction, with other details masked or omitted.

Privileged user monitoring—monitoring all privileged access to files and databases, user creation and newly granted privileges, blocking and alerting when suspicious activity is detected.

User rights management—identifying excessive, inappropriate, or unused user privileges and taking corrective action, such as removing user accounts that have not been used for several months.

Secure audit trail archiving—ensuring that any activity conducted on or in relation to PII is audited and retained for a period of 1-7 years, for legal or compliance purposes.
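
The data masking control listed above, as an added example that is not part of the original slides: each transaction gets only the fields it needs, some of them masked, and every other field is omitted. The record, the transaction names and the per-field policies are constructed for illustration.

```python
# Added example: per-transaction data masking for a record containing PII.
# Field names, transactions and sample values are constructed, not real data.

def mask_keep_last(value, keep=4, fill="*"):
    """Mask every letter/digit except the last `keep`; separators stay as they are."""
    total = sum(c.isalnum() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isalnum():
            seen += 1
            out.append(c if seen > total - keep else fill)
        else:
            out.append(c)  # keep dashes/spaces so the format stays recognisable
    return "".join(out)

def mask_email(value):
    """Keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    if not domain:
        return "*" * len(value)
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain

# Per transaction: fields passed in clear and fields masked. Anything else is omitted.
POLICIES = {
    "payment_receipt": {"clear": {"name"}, "masked": {"card_number": mask_keep_last}},
    "support_lookup": {"clear": {"name"},
                       "masked": {"email": mask_email, "ssn": mask_keep_last}},
}

def view_for(transaction, record):
    """Return the minimal view of `record` that `transaction` is allowed to see."""
    policy = POLICIES[transaction]  # unknown transaction raises KeyError: deny by default
    view = {}
    for field, value in record.items():
        if field in policy["clear"]:
            view[field] = value
        elif field in policy["masked"]:
            view[field] = policy["masked"][field](value)
    return view

RECORD = {
    "name": "A. Example", "ssn": "123-45-6789", "dob": "1990-01-01",
    "card_number": "4111 1111 1111 1111", "email": "alice@example.org",
}

if __name__ == "__main__":
    for tx in POLICIES:
        print(tx, view_for(tx, RECORD))
```
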
Privacy in Different Domains

What does the ICANN organization do?

The Internet Corporation for Assigned Names and Numbers (ICANN) is an internationally organized, non-profit corporation that has responsibility for Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management,

What is Domain Privacy?

Every domain name has a WHOIS listing, which is a searchable database of registered domains. It is available to everyone on the Internet. Without domain privacy, or WHOIS privacy protection, all of your contact information (address, phone number, name, etc.) is available to the public.

Why DNS - 3 root servers? It's because of the limitations of the original DNS infrastructure, which used only IPv4 containing 32 bytes.

What are the benefits of Domain Privacy and Protection?

With Full Domain Privacy & Protection, your domain is protected from domain hijacking and honest mistakes like accidental transfer or an expired credit card. It also prevents spam with a private email address for domain inquiries.

Full Domain Privacy & Protection puts your domain on locked status, making inadvertent, accidental or malicious transfers virtually impossible. Plus, it will extend your domain's renewal period in case of an expired credit card and billing failure.

Data Linking and Profiling

Data linking is used to bring together information from different sources in order to create a new, richer dataset. This involves identifying and combining information from corresponding records on each of the different source datasets.

Data linkage is done by assigning an identifying number to each person on a dataset and storing a set of links to all records for the person. The TDLU [Tasmanian Data Linkage Unit] is responsible for creating and maintaining the links between the main statewide health collections and other approved data sources in Tasmania. Data linkage enables the construction of chronological sequences of events and, when used at the macro level, provides valuable information for policy and research into the health and wellbeing of the population.
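
The linkage step described above, as an added example that is not part of the original slides: one identifying number per person, a stored set of links to that person's records, and a chronological sequence built from the links. The two datasets are constructed, and matching on an exact normalised name plus date of birth is a simplifying assumption.

```python
# Added example: linkage IDs and a link table over two constructed datasets.
import hashlib
from collections import defaultdict

# Constructed sample records; identifying fields sit next to the content fields.
HOSPITAL = [
    {"rec": "H1", "name": "Jane  Citizen", "dob": "1980-02-03",
     "date": "2021-03-10", "event": "admission"},
    {"rec": "H2", "name": "Sam Sample", "dob": "1975-07-21",
     "date": "2020-11-02", "event": "admission"},
]
CLINIC = [
    {"rec": "C1", "name": "CITIZEN, Jane", "dob": "1980-02-03",
     "date": "2021-01-15", "event": "referral"},
    {"rec": "C2", "name": "jane citizen", "dob": "1980-02-03",
     "date": "2021-04-01", "event": "follow-up"},
]
DATASETS = {"hospital": HOSPITAL, "clinic": CLINIC}

def match_key(record):
    """Normalise name + date of birth so spelling variants of one person agree."""
    tokens = sorted(record["name"].lower().replace(",", " ").split())
    raw = " ".join(tokens) + "|" + record["dob"]
    return hashlib.sha256(raw.encode()).hexdigest()

def build_links(datasets):
    """Assign one linkage ID per person and store links to all of their records."""
    ids, links = {}, defaultdict(list)
    for source, records in datasets.items():
        for r in records:
            person = ids.setdefault(match_key(r), f"P{len(ids) + 1:04d}")
            links[person].append((source, r["rec"]))
    return dict(links)

def timeline(person, links, datasets):
    """Chronological events for one linkage ID, with no name or DOB in the output."""
    by_ref = {(s, r["rec"]): r for s, recs in datasets.items() for r in recs}
    return sorted((by_ref[ref]["date"], ref[0], by_ref[ref]["event"])
                  for ref in links[person])

LINKS = build_links(DATASETS)

if __name__ == "__main__":
    print(LINKS)
    print(timeline("P0001", LINKS, DATASETS))
```

An unsalted hash of a name and date of birth can be guessed by hashing candidate values, so the key-to-ID table needs the same protection as the identifiers themselves.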

Profile linking is also one of the most important methods used in link building. It is a tactic used by Search Engine Optimization (SEO) professionals in order to gain dofollow/nofollow backlinks from reputed websites. In profile linking, you simply add your website's URL to a personal, professional or business profile, which you create on different sites. Getting profile links from such sites provides quality backlinks, and such links carry more weight and are more beneficial to your site.

Profile linking is an excellent tool in SEO to promote a website. Creating the right link profile includes placing links on review sites, social networks, blogs and forums, and news services.
