
Data Protection Ethics

Data protection refers to the protection of consumers' personal information. Many companies collect consumers' personal information for their business processes. Because of the sensitivity of the information accessed, governments implement information privacy regulations. Various data protection regulations around the world prohibit the disclosure or unethical use of consumers' personal information. A few of these data protection regulations are:

General Data Protection Regulation (European Union)

Since 1995, Europe's data privacy has been regulated under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data, 1995 O.J. (L 281) (the Directive).[1] These rules came to be viewed as ineffective because of the rapid evolution of technology, the desire to offer better protections and rights to EU citizens, and the need to unify data protection laws across member states. The result was the General Data Protection Regulation (GDPR), whose final text was approved in 2016.[1] The GDPR came into force on May 25, 2018.

The GDPR's main goal is to hold companies more accountable for users' data and to strengthen users' control over their personal data. It does this through provisions that require a business to safeguard the personal data and privacy of EU citizens for every transaction that takes place within the EU. Export of personal data outside the EU is also regulated by the GDPR.[2] The legislation forces companies to have separate consent forms for the different types of data they collect, along with the ability for users to withdraw consent. It also prevents companies from collecting data on children under 16 without the involvement of a person who holds "parental responsibility".[3] Companies whose databases have been breached must notify those affected within 72 hours.[3] It also gives consumers the ability to have all the data that companies have collected on them erased. Types of data protected by the GDPR include basic identity information, web data, health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation.[2] The GDPR defines roles within a company for those responsible for ensuring compliance with its requirements: the data controller, the data processor, and the data protection officer (DPO).[2] Any company that violates the GDPR may be fined up to 4 percent of annual global turnover or 20 million euros, whichever is larger.[3]

Definitions

The data controller's ethical responsibility is to decide how personal data will be processed. Considering the nature, scope, context, and purpose of the processing, it is the data controller's responsibility to ensure that processing is performed according to the GDPR guidelines. The data controller also ensures that proper measures are taken to secure and protect personal data.

The data processor stores or processes data on behalf of the data controller. A data processor that uses personal data for processing or storage to achieve the controller's objective must commit to abide by all the policies laid out in the GDPR for handling sensitive data. The data processor ensures that the processing of personal data is carried out in an ethical manner.

The data subject is the individual who provides their personal data to a data controller or data processor. Data subjects can be referred to as data owners because it is their personal data that is collected, held or processed. Under the GDPR, data subjects have specific rights to track their personal data and how it is used by the controller.

GDPR principles for processing data ethically

The GDPR sets out, in Articles 5 to 11, the principles by which all personal data must be processed.[4] Data controllers are expected to process personal data in an ethical manner. The six principles that define ethical data processing are:

  1. Lawfulness, fairness and transparency: The data subject's personal information must be processed lawfully, fairly and in a transparent manner. All processing must be justifiable under the law in relation to the data subject.
  2. Purpose limitation: Processing of personal data must be limited to the original purpose for which it was collected from the data subject.
  3. Data minimisation: When collecting data, data controllers must ensure that only information relevant to those purposes is collected.
  4. Accuracy: Personal data of data subjects must be accurate and kept up to date. Inaccurate or outdated data should be corrected or deleted.
  5. Storage limitation: Personal data must be retained only for as long as necessary. The data must be deleted when it is no longer needed for any legitimate purpose.
  6. Integrity and confidentiality: Companies must take technical and organizational measures that protect personal data against unauthorized access or unlawful processing and against accidental loss.

Compliance

The GDPR requires data controllers to be accountable when processing personal data. The controller must be able to demonstrate compliance with all of the principles.[5] To achieve compliance, the controller needs:

  1. Responsibility: Maintain transparent internal data protection policies, approved and endorsed by the highest level of the organization's management, and follow the stated procedures for data breach notification.
  2. Ownership: Companies should implement and maintain organizational measures, such as policies and procedures, that give effect to the data protection principles. A company must run a Data Protection Impact Assessment (DPIA) where appropriate, must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, must appoint a DPO where the organization's activities require one, and must maintain records of its processing activities relating to data subjects.
  3. Evidence: Articles 5(2) and 24 of the GDPR state that companies must be able to demonstrate that all of their processing of personal data complies with the regulation. The relevant documentation should be produced so that it can serve as evidence of compliance.

Data Protection Officer

A Data Protection Officer (DPO) is an enterprise data protection leadership role required by the GDPR. The DPO acts as a C-level executive who manages data protection strategy across the organization. It is their job to make sure the organization complies with the GDPR, including its legal and ethical ramifications.

The GDPR requires that a DPO be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” such as religion, race, or ethnicity.[6] This mostly applies to large organizations because they are likely to handle a lot of data; however, even smaller organizations need a DPO if their core business is data collection and storage.

The DPO must not have conflicts of interest within the organization.[7] This raises legal and ethical concerns when an organization decides to appoint an existing employee instead of hiring a new one. Looking at the requirements of the role, a Chief Information Security Officer (CISO) or legal counsel might seem a good fit; however, they would have a conflict of interest, since they would have to hold themselves accountable for the work they do outside the DPO role. It would be unethical for an organization to appoint an individual with such a conflict of interest, just as it would be for that individual to keep the responsibilities of their existing role while serving as DPO. An organization that violates this requirement may be subject to penalties.

The DPO has a professional ethical responsibility to protect the data that the company handles, and thereby the individuals who could be affected by a breach. They must ensure that employees are educated on the GDPR's data compliance requirements. The DPO must also inform users how their data is being used, what rights they have over their data, and how the organization is protecting it.[8]

Privacy policies

Organizations should practice good ethics by following the GDPR guidelines. According to Northwestern, a person's name, email, phone number, address, and SSN all count as personal data because they identify the user; “in practice, these also include all data which are or can be assigned to a person in any kind of way”.[9] Since these data entries are considered personal, the policies that govern them must limit their use to the minimum needed. Ethical organizations should protect this information and gather only what is necessary.

For the processor, the data must be limited to the extent required by the controller, and then promptly deleted so that the user's information cannot be used for purposes other than those required. For the controller, the information provided by the processor must be categorized for deletion based on the outcome of the matter for which it was collected. For instance, Oracle's privacy policy states that data used to “engage in transactions with our customers, suppliers and business partners, and to process purchases of our products and services, will be retained for the duration of the transaction or services period”.[10] Failure to follow these guidelines is not only unethical but can also lead to penalties.

Penalties

When organizations and businesses are found processing personal data unethically, supervisory authorities have a range of sanctions to bring them into compliance with the regulation: warnings; orders to erase, rectify or restrict data; temporary or permanent bans on data processing; audits; suspension of data transfers to third countries; and monetary penalties. These sanctions can have a major impact on the operations of both data controllers and data processors.

Monetary penalties are divided into two tiers: less severe breaches and more severe breaches. The maximum fine for less severe breaches is 10 million euros or two percent of the company's annual revenue, whichever is greater. The maximum fine for more severe breaches is 20 million euros or four percent of the company's annual revenue, whichever is greater.

These fines are not the only costs organizations should take into consideration. Other factors, such as reputational damage, compensation claims from individuals harmed by a data breach, and loss of consumer trust, are equally important.

Case Studies

France's data protection authority fined Google $57 million for breaching European Union online privacy rules, the biggest penalty imposed on a tech giant so far.[11] Google was found at fault in two critical areas. First, Google failed to obtain valid consent for collecting and processing data, because essential information such as the processing purposes and data storage periods was spread across several separate documents. Second, Google's consent mechanism, including pre-ticked boxes at account sign-up, was not granular, freely given, or informed.

The taxi company Taxa 4x35 was fined by the data protection authority for not complying with the GDPR principles.[11] The company deleted customers' names, but their phone numbers were not removed. Taxa 4x35 was found non-compliant with the requirements of the Regulation under Article 5(2), point b: the company had failed to define a purpose for storing customers' data for five years after their taxi ride. It also failed to adequately document the deletions carried out in its systems and the procedure for them.

In 2018, a hospital in Portugal was fined 400,000 euros for infringement of the GDPR.[11] Its employees had unauthorized access to patients' personal information, and its IT systems lacked the capability to manage and protect sensitive data. In its defense, the hospital claimed to use IT systems provided by the Portuguese Health Ministry to public hospitals. Since adherence to the GDPR guidelines was the hospital's own responsibility, the claim was rejected.

Processing of personal data that organizations need for their services to function is lawful, provided they have requested consent and made the data subject fully aware of what they will do with the information. The problem arises when the information is processed for other uses, and it is important to understand this distinction as drawn in the Regulation. Privacy policies are the only reference point for checking how data controllers process personal data. The non-compliance of tech giants in this area shows that data controllers must ensure that their policies are well designed and fully compliant with the GDPR guidelines.

US Privacy Law

In the US, laws related to data protection are quite diverse. There are sector- and medium-specific data security laws: different laws and regulations apply to financial companies, telecommunications, health care, credit reporting, the collection of children's information, and so on. Moreover, each of the 50 states has its own laws and regulations that an organization must abide by. So anyone setting up an organization must first comply with federal law (where a bill has been passed by Congress) and then with the state laws.[12]

Because the US does not have a federal law specifically for data protection or data breaches, all 50 states have created their own rules and regulations. The state laws mostly focus on protecting data, requiring organizations to create proper privacy policies, specifying the steps to be taken in securing and safeguarding SSNs and driver's license numbers, and setting timelines for data breach notification. Among privacy laws, California tops the chart: it alone has more than 25 state laws related to data privacy and protection. The state recently introduced a new law, the California Consumer Privacy Act of 2018 (CCPA), which takes effect on January 1, 2020. On March 21, 2018, South Dakota signed a new law that applies to any organization conducting business in the state. New York tops the chart for having the strictest laws related to the financial sector.[13][14]

Although US privacy laws are complex and difficult to understand, it is very important to understand them and abide by their rules and regulations. Beyond the state legislatures, the state Attorney General and the Federal Trade Commission also have the right to take action against an organization, and they have set up rules and regulations of their own.

Policy: Illinois Personal Information Protection Act, 815 ILCS 530

The Illinois Personal Information Protection Act, 815 ILCS 530, strengthens the rights that protect users' privacy and is one of the most stringent laws in the US. The law requires companies to manage, protect and handle users' personal information with great care. Personal information includes everything that could disclose a person's identity, such as their name, address, phone number, driver's license, SSN, credit card number, and medical and health insurance information.[15]

The act says that a company holding driver's license or SSN data must notify affected Illinois residents as early as possible and without unreasonable delay. The notification must include all the details the consumer needs to contact the company, report a problem, or get information about the data breach and whether their personal information has been compromised; this will mostly be an address and toll-free numbers to contact. It should also include information about fraud alerts.

The act also gives consumers the right to sue an organization under the "Consumer Fraud and Deceptive Business Practices Act". The state also has the authority to take action against a company for violating any of the provisions of the act.

References

  1. Petersen, K. (2018). GDPR: What (and Why) You Need to Know About EU Data Protection Law. [ebook] pp. 12-16. Available at: https://www.kmclaw.com/media/article/247_July_Aug_2018_Peterson_Data_Protection.pdf
  2. Nadeau, M. (2018, April 23). General Data Protection Regulation (GDPR): What you need to know to stay compliant. Retrieved from CSO: https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
  3. Kharpal, A. (2018, May 25). Everything you need to know about a new EU data law that could shake up big US tech. Retrieved from CNBC: https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html
  4. Bhatia, P. Understanding 6 key GDPR principles. Retrieved from EU GDPR Academy: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
  5. Dubrovskaya, S. (2017, September 27). Implementing 3 main accountability principles under the EU GDPR. Retrieved from EU GDPR Academy: https://advisera.com/eugdpracademy/blog/2017/09/27/implementing-3-main-accountability-principles-under-the-eu-gdpr/
  6. Lord, N. (2019, April 22). What is a Data Protection Officer (DPO)? Learn About the New Role Required for GDPR Compliance in 2019. Retrieved from https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required-gdpr-compliance
  7. Voss, G. (2017). European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting. The Business Lawyer, 72, 221-233. Retrieved from https://www.researchgate.net/profile/W_Voss/publication/312093729_European_Union_Data_Privacy_Law_Reform_General_Data_Protection_Regulation_Privacy_Shield_and_the_Right_to_Delisting/links/5a3a94424585155ac76f56ca/European-Union-Data-Privacy-Law-Reform-General-Data-Protection-Regulation-Privacy-Shield-and-the-Right-to-Delisting.pdf
  8. Data Protection Officer. Retrieved from https://gdpr-info.eu/issues/data-protection-officer/
  9. Oracle. (2018, April). Oracle Cloud Infrastructure and the GDPR [white paper]. Retrieved from https://cloud.oracle.com/iaas/whitepapers/oci-gdpr.pdf
  10. Northwestern University. (2018, May 25). Guidance for General Data Protection Regulations (GDPR) compliance in the conduct of human research. Retrieved from https://irb.northwestern.edu/sites/irb/files/documents/GDPR+Guidance.pdf
  11. Forney, M. (2018, November 29). Major GDPR Fine Tracker – An Ongoing, Always-Up-To-Date List of Enforcement Actions. Retrieved from Alpin: https://alpin.io/blog/gdpr-fines-list/
  12. Data Protection Law: An Overview (Report). (2019, March 25). Retrieved from https://fas.org/sgp/crs/misc/R45631.pdf
  13. Law in the United States. (2019, January 28). Retrieved from https://www.dlapiperdataprotection.com/index.html?c=US&c2=&go-button=GO&t=law
  14. McDaniel, P., & Lipscomb, K. (2018, April 30). Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance. Retrieved from https://www.securityprivacybytes.com/2018/04/data-breach-laws-on-the-books-in-every-state-federal-data-breach-law-hangs-in-the-balance/
  15. Van Deuren, B. Illinois' Stringent Data Privacy Laws: Are You Handling Data Correctly? Retrieved from https://www.reinhartlaw.com/knowledge/illinois-stringent-data-privacy-laws-are-you-handling-data-correctly/

This article is issued from Wikibooks. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.