Information Technology and Ethics/Privacy and Data Protection

In this section, we are discussing privacy and data protection. We will be focusing on a few laws and policies passed to protect a person’s privacy online, specifically concerning data protection. This is in response to the many technologies that have arisen with time. The issue with rapid advances in technology has caused many new avenues for nefarious people looking to obtain someone’s personal information. This has led to an increase in the need for data protection. In this specific section, we will discuss the background of Privacy and why it has changed. How did this lead to a need for data protection? What are the technologies that were developed for Data Protection? What laws and policies were passed for Data Protection? As mentioned before, this chapter focuses mainly on privacy and the issues concerning data protection. This is so you might understand that no matter how privacy has advanced in many forms in our society, there is a constant measure made to try and protect a person’s privacy and their personal information on the web.

Privacy was created with a different mindset when the concept was first introduced in our society. It has always been considered a basic human right and has always encompassed many areas of a person’s life. The right to the privacy of the home, the privacy to your possessions, the privacy of your information. It is usually the government that has to protect and make sure that every citizen has a right to privacy in their lives. It can be quite difficult clarifying though, as many times documents concerning privacy and the subjects it protects are vague. In the US specifically, the Fourth and Fifth Amendments are used as the main source for determining what violates a person’s privacy today. This is because the right to privacy is not explicitly clarified in the Constitution, there is a lack of documentation at times to help clarify privacy and this has led to many having to look at whatever documentation they could and deciding if that is considered part of a person’s privacy. As well as protected by the government as well. As stated by Senator D. Brent Waltz “Even the most casual student of American Constitutional scholarship will note that the notion of “privacy” as a distinct legal construct is lacking in our founding documents.”(Waltz, 2014,p. 205). With the advancement of technology and the “Internet of Things,” privacy has become a big topic when dealing with matters of information online.^[1]

Data protection can be described simply as measures or technologies used to make sure that a person’s data or information is protected. Specifically, it aims to protect 3 aspects of data that can be clarified more by what is known as the C.I.A triad.

C.I.A Triad edit

The C.I.A Triad has nothing to do with the CIA, but is a model for organizations to look at certain aspects of information. It helps organizations by making sure several aspects are covered. By managing these aspects well, they can create reliable cybersecurity policies and procedures to protect that information and allow for proper data protection. CIA stands for Confidentiality, Integrity, and Availability, and these aspects allow for proper data protection.

Confidentiality edit

Data protection tries to protect the confidentiality of your information. It is the process of limiting access to information and data. It basically means that the information provided can only be seen by certain people, and making sure anyone unauthorized can not view or access the information. It is related to privacy, as it answers the question of who will use the data. People don't want their data to be seen or accessed by everyone. It can lead to damage to their assets or privacy. To achieve confidentiality of information, organizations use policies that educate employees on what they can view or not and tools such as data storage and cryptography to add security to the information. Examples of Confidentiality being breached are data dumps or disclosures of personal information on the internet.

Integrity edit

The next aspect of information in the C.I.A triad is Integrity. It is the process of protecting data to make sure that it stays unchanged and in the original condition that it was received. That means the information must not have been edited, modified, or deleted in any way unless authorized. The integrity of information can be at risk anytime it is being acquired, stored, or exchanged. This can be because of attacks from malware and viruses such as worms, trojans, logic bombs, or boot viruses. It also can be caused by buggy software or noise when transmitting data. To achieve integrity and maintain it, checksums and error-correcting are used to verify if bits or hashes were changed, and see if the integrity of the information was lost.

Availability edit

The last aspect of Information in the triad is Availability. This means that access to the information is always ready to be given to those that are authorized. To explain it, it is like a building with a keycard reader on the door. When you scan your card, you expect to be able to enter the building and use the resources inside. If the reader reads your card, but the door glitches and doesn’t open, you are denied Availability. This applies to information and data as well.^[2]

Now how does Data Protection accomplish the aspects stated above? Well, Data Protection covers this by many activities. ^[3]

E-Discovery and Compliance: edit

It is the gathering of knowledge and information in electronic forms. It is the process of locating, extracting, analyzing, and reviewing digital data such as images, files, emails, network traffic, and more. It helps to draw a picture or, allow for there guidelines for people in the field of E-Discovery that are tasked with locating essential information.

Archiving: edit

Archiving is the process of securing information, especially inactive information for an unknown amount of time or a tremendous amount of time. the information can be brought out anytime and can be referenced but it is mostly not usable currently but still should be protected.

Backups: edit

Backups are creating copies of the information. Basically creating a secure copy of them so that if the original data is tampered with or corrupted, that you can use the backup copy to restore the original data.

Snapshots: edit

Snapshots are the process of recording the state of a machine at a specific time. Usually for storage devices, taking a snapshot is a good way to create a copy of data and information, similar to backups. Data and Information can be restored to that specific time of the snapshot.^[4]

Replication: edit

Replication is a very costly part of data protection that is quite necessary for the disaster recovery process. Involves replicating and duplicating the data and then move it to an offsite location so that it is protected. This is more so for organizations to recover after attacks, natural disasters, and other incidents of great damage or harm to the data and information under them.^[5]

Availability: edit

Availability is making sure that the data and information are accessible at times to whoever has access to it. To make sure it is not completely restricted and unattended to or unsupervised.

Disaster Recovery: edit

Disaster Recovery is the process of an organization making sure to recover from disasters and look at the state of their data. Basically seeing what might have lost Confidentiality, Integrity, and Availability. This involves using the tools and processes above and also trying to find what caused the disaster and how to plan for it in the future so that they would be able to recover more effectively if it ever happens again.^[6]

Business Continuity: edit

Business Continuity is the process of creating systems and tools to help with the recovery process and deal with threats in the future. Basically planning ahead, to secure themselves, and make sure that threats can be taken care of or avoided again.

Yet there is more to ensure data protection than just tools and processes. There are many regulations, laws, and policies as well to help and ensure proper data protection. One of these regulations that are considered to be strongly accepted by many is the GDPR. Since 1995, Europe's data privacy has been regulated under the Directive 95/46/EC of the European Parliament along with the Council of 24 October 1995.^[7] The regulations would be on the protection of individuals with concern to the treatment of the data, 1995 O.J. (I. 281) (Directive).^[7] These regulations were viewed to be ineffective due to the rapid evolution of technology, they want to offer better protection and rights to EU citizens, and unification of data protection laws. This resulted in the creation of the “General Data Protection Regulation”(GDPR), which its final text was approved of in 2016.^[7] The GDPR came into implementation on May 25, 2018.

The GDPR's main goal is to hold companies more accountable to user’s data and strengthen the control of users on their personal data. It does this by having provisions that require a business to safeguard the personal data and privacy of EU citizens for every transaction that transpires within the EU. Exportation of personal data outside of the EU is also regulated by the GDPR.^[8]This legislation would force companies to have separated consent forms for the different types of data they collect along with the feasibility to retract consent. It would also prevent companies from the collection of data for children under 16 without a person that holds “parental responsibility”.^[9]Companies that have had their databases breach would have to release a notice to those affected within 72 hours.^[9] It will also give the consumer the ability to wipe out all data that has been collected on them by companies. Types of data that is protected by GDPR are basic identity information, web data, health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation.^[8] The GDPR defines roles within a company for who is responsible for ensuring compliance with the GDPR’s regulations. These would be the data controller, data processor, and the data protection officer (DPO).^[8] Any company that violates the rules of the GDPR would be subjected to a fine of up to 4 percent of annual global turnover or 20 million euros, whichever is larger.^[9]

GDPR Principles to process data ethically edit

The GDPR states the principles in Articles (5-11) on how all the personal data should be processed.^[10] Data controllers are expected to process personal data in an ethical manner. The six principles that account for ethical data processing are:

1. Lawful, Fair and Transparent: Personal information of the data subject should be processed ethically, fairly and in a transparent manner. When in relation to the data subject, All the processes should be justifiable to the law.
2. Purpose Limitation: The processes involving personal data should only be limited to the original purpose for which it was collected from the data subject.
3. Data Minimisation: When collecting data, data controllers must ensure that only relevant information is collected in relation to the purposes.
4. Accuracy: Personal data of data subjects must be accurate and kept up to date. Inaccurate or outdated data should be deleted.
5. Storage limitation: The personal data collected must retain only when necessary. The data must be deleted when it is no longer needed for any legitimate purpose
6. Integrity and confidentiality: Company must take technical measures that ensure the protection of personal data that include unauthorized access or unethical processing and against accidental loss.^[11]

Privacy policies edit

Organizations should practice good ethics by following GDPR guidelines. According to Northwestern, A person’s name, email, phone, address, and SSN all count as being a user’s personal data as it identifies the user, “in practice, these also include all data which are or can be assigned to a person in any kind of way”.^[12] Since these data entries are considered personal, the policies that govern them must use these data entries to a very limited extent. Ethical organizations should be protecting this information and only gathering the necessary information.

For the processor, the data must be limited to the extent required by the controller, and then must swiftly be deleted to ensure that the user’s information can not be used for other purposes except what is required. For the controller, the information provided by the processor must be categorized for deletion based on the conclusion that was resolved from the issue. For instance, within Oracle’s privacy policy is a statement reading, “engage in transactions with our customers, suppliers and business partners, and to process purchases of our products and services, will be retained for the duration of the transaction or services period”.^[13] Failure to follow these guidelines is not only unethical but can lead to penalties.

In the US laws related to data protection are quite diverse. They have defined laws related to a different sector and medium-specific data security laws, for example, they have different laws and regulation are applied to financial companies, telecom department, health care, credit report, children's information gathering, etc. Moreover, every 50 states in the United States have their own laws and regulation which an organization has to abide. So, if anyone is trying to set up an organization they first have to regulate with the federal (if the bill is passed by the Congress)and then the state laws.^[14]

As the US doesn’t have a Federal law specifically for the data protection or data breach all the 50 states came together and created rules and regulations. The state laws mostly focus on protecting data, proper privacy policies are created by the organization, how and what are the steps that are taken in securing and safeguarding SSN and driver’s license number, and the timeline for notifying about the data breach. Now, if we talk about the privacy laws California tops the chart it alone has more than 25 state laws that are related to data privacy/protection. Recently the state has introduced a new law California Consumer Privacy Act of 2018 (CCPA) which will be effective from January 1, 2020. On March 21st, 2018, South Dakota has signed a new law that is implied to an organization that are conducting business in the state. Considering the factor of having the most strict laws related to the financial sector New York tops the chart.^[15][16]

Though the US privacy laws are very complex and difficult to understand, it’s very important to understand them and abide by the rules and regulations. Not only the state the Attorney General of the state or Federal Trade Commission has the right to take action against the organization too. They have set up rules and regulations too.

1. ↑ Waltz, D. B. (2014). Privacy in the Digital Age. Ind. L. Rev., 48, 205.
2. ↑ Samonas, S., & Coss, D. (2014). THE CIA STRIKES BACK: REDEFINING CONFIDENTIALITY, INTEGRITY AND AVAILABILITY IN SECURITY. Journal of Information System Security, 10(3).
3. ↑ Pearlman, S. (n.d.). What is Data Processing? Definition and Stages - Talend Cloud Integration. Retrieved from https://www.talend.com/resources/what-is-data-processing/
4. ↑ Snapshot technology overview. (2006, April 26). Retrieved from https://www.ibm.com/developerworks/tivoli/library/t-snaptsm1/index.html
5. ↑ Data Replication – Backup Technology. (n.d.). Retrieved from https://www.delltechnologies.com/en-us/learn/data-protection/data-replication.htm
6. ↑ Schwab, J., Topping, K. C., Eadie, C. C., Deyle, R. E., & Smith, R. A. (1998). Planning for post-disaster recovery and reconstruction (pp. 483-484). Chicago, IL: American Planning Association.
7. ↑ ^{a b c} Petersen, K. (2018). GDPR: What (and Why) You Need to Know About EU Data Protection Law. [ebook] pp.12-16. Available at: https://www.kmclaw.com/media/article/247_July_Aug_2018_Peterson_Data_Protection.pdf
8. ↑ ^{a b c} Nadeau, M. (2018, April 23). General Data Protection Regulation (GDPR): What you need to know to stay compliant. Retrieved from CSO: https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
9. ↑ ^{a b c} Kharpal, A. (2018, May 25). Everything you need to know about a new EU data law that could shake up big US tech. Retrieved from CNBC: https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html
10. ↑ Bhatia, P. Understanding 6 key GDPR principles. Retrieved from EU GDPR Academy: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
11. ↑ Data Protection 2019: Laws and Regulations: USA: ICLG. (n.d.). Retrieved from https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa
12. ↑ paper, O. W. (2018, April). Oracle Cloud Infrastructure and the GDPR. Retrieved from Cloud oracle: https://cloud.oracle.com/iaas/whitepapers/oci-gdpr.pdf
13. ↑ N. (2018, May 25). Guidance for General Data Protection Regulations (GDPR) compliance in the conduct of human research. Retrieved from https://irb.northwestern.edu/sites/irb/files/documents/GDPR+Guidance.pdf
14. ↑ Data Protection Law: An Overview(Rep.). (2019, March 25). Retrieved https://fas.org/sgp/crs/misc/R45631.pdf
15. ↑ Law in the United States. (2019, January 28). Retrieved from https://www.dlapiperdataprotection.com/index.html?c=US&c2=&go-button=GO&t=law
16. ↑ McDaniel, P., & Lipscomb, K. (2018, April 30). Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance. Retrieved from https://www.securityprivacybytes.com/2018/04/data-breach-laws-on-the-books-in-every-state-federal-data-breach-law-hangs-in-the-balance/