Presentation is loading. Please wait.

Presentation is loading. Please wait.

Case Studies: ITSS 4201 Internet Insurance and Information Hiding University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot Feb.

Published byLynette Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "Case Studies: ITSS 4201 Internet Insurance and Information Hiding University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot Feb."— Presentation transcript:

1 Case Studies: ITSS 4201 Internet Insurance and Information Hiding University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot Feb 2010 Feb 2010

2 -The Data Protection Act 1998 (in UK) -The Freedom of Information Act 2000 (in UK) - YouTube vs. media producers Case studies:

3 Overview General overview of the DPA 1998 General overview of the DPA 1998 Definitions Definitions Changes since 1984 Act Changes since 1984 Act Sensitive Personal Data & Consent Sensitive Personal Data & Consent The eight principles The eight principles Freedom of Information Act 2000 Freedom of Information Act 2000 Public Rights Public Rights Exemptions Exemptions Key Points Key Points Resources Resources

4 Case study 1: The Data Protection Act 1998

5 What is the Data Protection Act? Intended to balance interests of data subjects with data controllers. Intended to balance interests of data subjects with data controllers. Freedom to process data vs. privacy of individuals. Freedom to process data vs. privacy of individuals. 1984 act was repealed by the 1998 act. 1984 act was repealed by the 1998 act.

6 Definitions Personal Data Personal Data Expression of opinion, or fact, E-mail address, photos, video footage etc. etc. Expression of opinion, or fact, E-mail address, photos, video footage etc. etc. Some types are sensitive (a special new category). Some types are sensitive (a special new category). Processing Processing Reviewing, holding, sorting, deleting Reviewing, holding, sorting, deleting Data Controller Data Controller all of us! Users of data all of us! Users of data Relevant Filing System Relevant Filing System Readily accessible information about living individuals Readily accessible information about living individuals Information Commissioner Information Commissioner New name for Data Protection Registrar New name for Data Protection Registrar

7 Changes Since the 1984 Act Much broader than the old act. Much broader than the old act. More rights for data subjects. More rights for data subjects. Covers relevant manual filing systems. Covers relevant manual filing systems. New category of data – sensitive data. New category of data – sensitive data. Transitional relief – 23 October 2001, for existing automated data and 23 October 2007 for manual records. Transitional relief – 23 October 2001, for existing automated data and 23 October 2007 for manual records. Rules about export of data to non-EEA countries. Rules about export of data to non-EEA countries.

8 Some Effects on Colleges and Departments Data subjects are students, staff, alumni, suppliers (sole traders or partnerships), tenants, legal advisers, fellows etc. Data subjects are students, staff, alumni, suppliers (sole traders or partnerships), tenants, legal advisers, fellows etc. Anyone can be a data controller Anyone can be a data controller Dead people have no rights. Dead people have no rights. Overseas transfers of data – notably to U.S. Overseas transfers of data – notably to U.S. Requirement to ensure data is secure, accurate, sufficient but not excessive. Requirement to ensure data is secure, accurate, sufficient but not excessive. Can ’ t hold data longer than is reasonable. Can ’ t hold data longer than is reasonable.

9 1. Principles of the act Non-sensitive Personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met. Non-sensitive Personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met. Consent – the most important Consent – the most important Contract Contract Legal Obligation Legal Obligation Vital interests of subject (life or death!) Vital interests of subject (life or death!) Public functions Public functions Balance of interest Balance of interest

10 Sensitive Personal Data Racial or ethnic origin Racial or ethnic origin Political opinions Political opinions Religious/similar beliefs (note food!) Religious/similar beliefs (note food!) Trade Union Membership Trade Union Membership Health Health Sexual Life Sexual Life Offences Offences

11 Sensitive Personal Data May only be held if one of the below is met: May only be held if one of the below is met: Explicit and informed consent Explicit and informed consent Employment Law Employment Law Vital Interests of Subject Vital Interests of Subject Legal Proceedings Legal Proceedings Medical Purposes (by medical professionals) Medical Purposes (by medical professionals) Equal opportunities monitoring Equal opportunities monitoring

12 Consent “ Freely given specific and informed indication of wishes by which the data subject signifies agreement to personal data relating to him/her being processed. ” “ Freely given specific and informed indication of wishes by which the data subject signifies agreement to personal data relating to him/her being processed. ” Can ’ t use implied consent – must get forms back. Can ’ t use implied consent – must get forms back. Can ’ t use blanket consent as condition of entry. Can ’ t use blanket consent as condition of entry.

13 Fair processing Must not intentionally or otherwise deceive or mislead subject as to purpose of data use/collection. Must not intentionally or otherwise deceive or mislead subject as to purpose of data use/collection. Must identify to subject data controller/nominated representative. Must identify to subject data controller/nominated representative. Must identify to subject purpose of processing data. Must identify to subject purpose of processing data. Exceptions are disproportionate effort (direct marketing not allowed) or legal obligation. Exceptions are disproportionate effort (direct marketing not allowed) or legal obligation.

14 2. Principles of the act Data must be obtained only for one or more specified lawful purposes. Data must be obtained only for one or more specified lawful purposes. Must not use data for a new incompatible purpose without subject ’ s consent. Must not use data for a new incompatible purpose without subject ’ s consent. Have a data protection statement explaining what data will be held and why and get consent from new students/staff as they arrive. Have a data protection statement explaining what data will be held and why and get consent from new students/staff as they arrive.

15 3. & 4. Principles of the act Personal data must be adequate, relevant and not excessive. Personal data must be adequate, relevant and not excessive. Must not stock up on data without a reason that can be justified – consent! Must not stock up on data without a reason that can be justified – consent! Personal data shall be accurate and up-to-date. Personal data shall be accurate and up-to-date. This is an ongoing requirement and means data needs to be kept under constant review. This is an ongoing requirement and means data needs to be kept under constant review.

16 5. Principles of the act Personal data may not be kept for any longer than is necessary for its stated purpose(s). Personal data may not be kept for any longer than is necessary for its stated purpose(s). This potentially creates a problem with old staff/members data. Development offices beware! This potentially creates a problem with old staff/members data. Development offices beware! Consent from all new staff/members to keep their data after they have left as this is a different purpose to keeping it while they are here. Consent from all new staff/members to keep their data after they have left as this is a different purpose to keeping it while they are here.

17 6. Principles of the act Personal data must be processed in accordance with the rights of data subjects Personal data must be processed in accordance with the rights of data subjects This means that you cannot do things that violate the rights given to data subjects under the new act, especially denying access to data. This means that you cannot do things that violate the rights given to data subjects under the new act, especially denying access to data.

18 Rights of data subjects Must be informed if personal data are being processed and given a description of the personal data and for what purpose it is being held. Must be informed if personal data are being processed and given a description of the personal data and for what purpose it is being held. May prevent processing for purposes of direct marketing. May prevent processing for purposes of direct marketing. Right to see algorithms used in automated decision making (credit scoring etc.). Right to see algorithms used in automated decision making (credit scoring etc.). Compensation, rectification, blocking, destruction. Compensation, rectification, blocking, destruction.

19 Access rights Right to have communicated to him/her in an intelligible form the information constituting the data. Right to have communicated to him/her in an intelligible form the information constituting the data. Right to be informed of logic involved in automated processing. Right to be informed of logic involved in automated processing. Request must be in writing, fee may be charged and identity may be thoroughly checked. Request must be in writing, fee may be charged and identity may be thoroughly checked.

20 Access rights Data may be withheld if disclosure would disclose data about a third party unless: Data may be withheld if disclosure would disclose data about a third party unless: Third party has consented to disclosure Third party has consented to disclosure It is reasonable to comply without the third party ’ s consent. It is reasonable to comply without the third party ’ s consent. Duty of confidentiality, steps taken to seek consent, express refusal of third party. Duty of confidentiality, steps taken to seek consent, express refusal of third party.

21 7. Principles of the act Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data. Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data. First is related to IT support staff (backups, password security etc.) but everyone can help. First is related to IT support staff (backups, password security etc.) but everyone can help. Second is about being careful with keys, having access controls, CCTV monitoring etc. Second is about being careful with keys, having access controls, CCTV monitoring etc. Beware social engineering! Beware social engineering!

22 8. Principles of the act Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it. Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it. US does not. US does not. Putting things on a web site is equal to export of data. Putting things on a web site is equal to export of data. Transfer is OK if contract is in place with the abroad party or the subject has consented. Transfer is OK if contract is in place with the abroad party or the subject has consented. Data Protection Commissioner is preparing standard contracts. Data Protection Commissioner is preparing standard contracts.

23 Case study 2: The Freedom of Information Act 2000

24 The Freedom of Information Act 2000 The FOI act 2000 gives individuals the right to access information about certain public bodies by two routes: The FOI act 2000 gives individuals the right to access information about certain public bodies by two routes: Publication Scheme Publication Scheme General Right of Access General Right of Access There are exemptions There are exemptions FOI basically extends subject access rights given in the DPA 1998 FOI basically extends subject access rights given in the DPA 1998 Colleges are separate legal entities so need their own Publication Scheme and procedures Colleges are separate legal entities so need their own Publication Scheme and procedures

25 FOI – Public Rights To be told whether the information exists – known as the duty to confirm or deny To be told whether the information exists – known as the duty to confirm or deny To receive the information (and, where possible, in the manner requested) To receive the information (and, where possible, in the manner requested) To receive reasons for a decision to withhold information To receive reasons for a decision to withhold information All requests must be in “ permanent form ” All requests must be in “ permanent form ” E-mail, Letter, Fax E-mail, Letter, Fax Reply must be sent within 20 working days Reply must be sent within 20 working days Use vacation auto-reply for contact person if they are away Use vacation auto-reply for contact person if they are away

26 FOI – Exemptions Many exemptions, some absolute, some qualified e.g. Many exemptions, some absolute, some qualified e.g. Commercial Interest Commercial Interest Law enforcement Law enforcement Legal Professional Privilege Legal Professional Privilege Parliamentary Privilege Parliamentary Privilege FOI does not override DPA but DPA is not an excuse not to comply with FOI requests FOI does not override DPA but DPA is not an excuse not to comply with FOI requests Interaction is complex! Interaction is complex!

27 FOI – Vexatious or Repeated Some people may exploit FOI in a vexatious or repeated manner. Vexatious means: Vexatious means: clearly does not have any serious purpose or value clearly does not have any serious purpose or value is designed to cause disruption or annoyance is designed to cause disruption or annoyance has the effect of harassing the public authority has the effect of harassing the public authority can otherwise fairly be characterized as obsessive or manifestly unreasonable. can otherwise fairly be characterized as obsessive or manifestly unreasonable. Repeated means: Repeated means: More often than a “ reasonable interval ” More often than a “ reasonable interval ” Needs defining Needs defining Requests asking if previously requested information has changed are OK Requests asking if previously requested information has changed are OK Reply can say when info is next to be updated and a request before then would be “ repeated ” Reply can say when info is next to be updated and a request before then would be “ repeated ”

28 FOI - Key points to note Requests can be received by anyone within the organisation and do not need to refer to the Freedom of Information Act Requests can be received by anyone within the organisation and do not need to refer to the Freedom of Information Act Requests must be in writing (including e-mail, fax etc) Requests must be in writing (including e-mail, fax etc) Requests must be dealt within 20 working days Requests must be dealt within 20 working days No obligation to provide information which is already in the public domain/accessible by other means (e.g. via the publication scheme or in a book the organisation may hold) No obligation to provide information which is already in the public domain/accessible by other means (e.g. via the publication scheme or in a book the organisation may hold) No obligation to create information that the Organisation does not already hold (e.g. statistical summaries) No obligation to create information that the Organisation does not already hold (e.g. statistical summaries) Organisation may charge a fee for the provision of information. Organisation may charge a fee for the provision of information. Charges must be calculated in accordance with the fees regulations prescribed by the Department for Constitutional Affairs. Currently £ 50 maximum. Charges must be calculated in accordance with the fees regulations prescribed by the Department for Constitutional Affairs. Currently £ 50 maximum.

29 NO YES NO Send the applicant a data protection subject access request form, to be returned to the University’s Data Protection Officer Is the enquirer requesting information about him/herself? Is the request in writing (including e-mail, fax)? Send request to the Data Protection Officer at the University Offices Ask the applicant to put the request into writing, and send to the Data Protection Officer at the University Offices Is the information requested available via the Publication Scheme (check at: http://www.admin.ox.ac.uk/foi/contents.shtml) or via any other means? Does the request relate to a living individual(s)? Tell the applicant where he/she will be able to find the information Does the information requested relate solely to your department or unit? Provide the information Is the information of a type or category for which you have been asked in the past and have given without hesitation (or would have given if you had been asked)? * Is the request in writing (including e-mail, fax)? Ask the applicant to use the FOI request form (at http://www.admin.ox.ac.uk/foi/ Contact data.protection@admin.ox.ac.uk for advice NO YES NO Start Here Example: How to Deal with Enquiries in a university? * Check that the information does not contain any reference to individuals, other than that which is already publicly available

30 Case study 3: YouTube vs. media producers

31 YouTube notifies users before uploading videos: YouTube notifies users before uploading videos: “ Do not upload any TV shows, music videos, music concerts or commercials without permission unless they consist entirely of content you created yourself. ” “ Do not upload any TV shows, music videos, music concerts or commercials without permission unless they consist entirely of content you created yourself. ” In spite of that YouTube website contains so many copyrighted materials uploaded illegally. In spite of that YouTube website contains so many copyrighted materials uploaded illegally. YouTube doesn ’ t check video clips before making them available online. And it left to copyright holders the right to order the removal of the videos infringing their copyrights. YouTube doesn ’ t check video clips before making them available online. And it left to copyright holders the right to order the removal of the videos infringing their copyrights.

32 YouTube vs. Viacom In 2008, Viacom, a media producing company won a lawsuit against YouTube. The ruling gave Viacom access to records of what people watch on YouTube. In 2008, Viacom, a media producing company won a lawsuit against YouTube. The ruling gave Viacom access to records of what people watch on YouTube. YouTube was ordered to hand over about 12 terabytes of data about the viewing habits of its users. YouTube was ordered to hand over about 12 terabytes of data about the viewing habits of its users.

Download ppt "Case Studies: ITSS 4201 Internet Insurance and Information Hiding University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot Feb."

Similar presentations

IMPS Information Management and Policy Services Information Services Directorate A briefing for all University staff November 2004 New Information Legislation.

IMPS Information Management and Policy Services Information Services Directorate A briefing for all University staff November 2004 New Information Legislation.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Data Protection and Freedom of Information

Data Protection and Freedom of Information
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection.

Data Protection.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection & Freedom of Information The Practical Implications of Data Protection and Freedom of Information Caroline Dominey Data Protection Officer.

Data Protection & Freedom of Information The Practical Implications of Data Protection and Freedom of Information Caroline Dominey Data Protection Officer.
Data Protection and Records Management

Data Protection and Records Management
1 Pertemuan 7 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 7 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
Tony Brett, Corpus Christi College Oxford University, 29 th June 2000 The Data Protection Act 1998 Tony Brett IT Systems Manager Corpus Christi College.

Tony Brett, Corpus Christi College Oxford University, 29 th June 2000 The Data Protection Act 1998 Tony Brett IT Systems Manager Corpus Christi College.
The Data Protection Act 1998 and the Freedom of Information Act 2000

The Data Protection Act 1998 and the Freedom of Information Act 2000
The Data Protection Act 1998 Freedom of Information Act 2000 Regulation of Investigatory Powers Act 2000 Tony Brett Head of IT Support Staff Services Computing.

The Data Protection Act 1998 Freedom of Information Act 2000 Regulation of Investigatory Powers Act 2000 Tony Brett Head of IT Support Staff Services Computing.
Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.

Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.
Audiences NI Data Protection Workshop

Audiences NI Data Protection Workshop
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
The Data Protection Act

The Data Protection Act
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
2010 Case Study – A Pig of a Day Document Risk Management.

2010 Case Study – A Pig of a Day Document Risk Management.

Similar presentations

Ads by Google