The Roots of Privacy Legislation

Before the computer age, individuals viewed protecting their privacy as avoiding Peeping Toms and keeping the government from tapping their phone lines. The invention of the computer not only enabled companies and governments to collect endless amounts of information about people, it also allowed them to share and even sell this information. Few safeguards existed on this personal data, leaving it open to abuse by those handling it as well as by outside attackers. In the 1980s, numerous countries, regions, and organizations started creating guidelines and legislation to stop the improper flow of personal information. This section looks at some of the advances made in privacy protection during the past two decades.

Organisation for Economic Co-operation and Development

The Organisation for Economic Co-operation and Development (OECD), found on the Web at http://www.oecd.org, comprises 30 member countries and 70 nonmember countries. The OECD's purpose is to discuss, develop, and refine economic and social policies. When many of its member countries were first considering privacy legislation, the OECD was concerned that the creation of such disparate privacy regulations would impede the flow of personal data among countries. To avoid this problem, the OECD adopted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in September 1980. Most of the privacy legislation that exists today is based on these guidelines. The guidelines consist of the following principles:

  • Collection Limitation Principle

    Limits on the collection of personal data should exist, and any data collected should be obtained in a lawful and fair way with the knowledge and consent of the data owner, where appropriate.

  • Data Quality Principle

    Personal data should be relevant to the purposes for which they will be used and should be accurate, complete, and current.

  • Purpose Specification Principle

    The purpose for which the data is being collected should be specified, and changes to this purpose should be compatible with the original purpose. For example, if a Web site selling music initially tracked tape sales to determine the most popular artist, it can later switch to tracking CD sales to determine the top-selling artist.

  • Use Limitation Principle

    Personal data should not be disclosed or otherwise used for purposes other than those specified in the previous principle. However, this data can be disclosed or used for other purposes with the consent of the data owner or legal authorities.

  • Security Safeguards Principle

    Personal data should be protected by reasonable security safeguards against risks such as loss, unauthorized access, destruction, use, modification, and disclosure.

  • Openness Principle

    Organizations should maintain a general policy of being forthcoming about their personal data collection practices and policies. An organization should be willing to specify the type of personal data it is storing and what it intends to use that data for.

  • Individual Participation Principle

    An individual should have the right to confirm that an organization is maintaining data on him and should be allowed to erase, rectify, complete, or amend the data. Access to the data should be straightforward and inexpensive.

  • Accountability Principle

    An organization collecting personal data must be accountable for providing measures that comply with the previous principles in this list.

Privacy Legislation in the United States

In the United States, privacy awareness with regard to personal data was born in 1973, when the Department of Health, Education, and Welfare published the report Records, Computers, and the Rights of Citizens, which discussed the protection of personal information on computer systems. Between 1973 and 1998, several other U.S. organizations published reports on the treatment of personal information. In 1998, the Federal Trade Commission created its Fair Information Practices to combine these various papers into a set of core principles. The principles are as follows:

  • Notice/Awareness

    Informs users about the data an organization is collecting and how it is being used

  • Choice/Consent

    Gives users the ability to choose the data about them that is collected and how it is used

  • Access/Participation

    Permits users to see the information about them that was collected and to change the information as appropriate

  • Integrity/Security

    Protects user data that is collected from unauthorized access or changes made without the user's consent

  • Enforcement/Redress

    Gives users a way to submit complaints to companies that collect their data

Unfortunately, companies were not compelled to comply with these principles. However, consumers were able to use these principles to bring lawsuits against companies that violated their privacy. This basically meant that, under the Fair Information Practices, companies could do whatever they wanted with consumers' personal data, as long as they were not caught. The U.S. Department of Commerce's creation of the Safe Harbor Principles changed all that.

The Safe Harbor Principles

Many guidelines on privacy were written in the United States before the country's creation of the Safe Harbor Principles in 1998. However, as with the Fair Information Practices, none of these guidelines had any real influence on the way companies did business in the United States. The European Union (EU) Directives on data protection changed all that. If U.S. companies wanted to continue to do business with EU companies, they had to show that they were serious about privacy protection. To ensure the continued flow of information from companies in the EU to U.S. companies, the U.S. Department of Commerce created the Safe Harbor Principles.

The Safe Harbor Principles are, in effect, the U.S. version of the EU Directives. In addition, these principles marked the beginning of the adoption of effective privacy policies in the United States. By complying with the Safe Harbor Principles, U.S. companies could continue to work with EU companies. This means abiding by the seven tenets of the Safe Harbor Principles, which specify how personal information should be handled. To view the full set of requirements for acceptance into safe harbor, visit http://www.export.gov/safeharbor/sh_overview.html. The seven tenets of safe harbor are described next.

Notice

Notice means informing users about the type of information you are collecting, why you are collecting it, how long you will keep it, who will have access to it, which third parties you will share the information with, how users can access and then change or delete their data, and whom they can contact if they feel that these commitments were broken.

As a company, this means that you need to create a privacy policy that covers how your employees will handle this personal information, and you must ensure that your employees adhere to this policy. Your policy should be compiled into a privacy statement and posted on your Web site in a conspicuous manner. Ensure that the document is clearly visible and easy to understand.

To view Microsoft's privacy statement, visit http://www.microsoft.com/info/privacy.htm. For assistance in creating a privacy statement, use the Privacy Statement Generator, located at http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm.

Choice

Choice means giving your customers an opportunity to tell you how they want their data handled before you collect it and to change their selection later if they want. Giving users a choice is not just about determining how your company will handle sensitive information; it also means specifying the method your company can use to contact a user. For example, can you contact users via e-mail, phone, or postal mail? Can you send users product materials, sales specials, and third-party materials, and can you include them in your marketing campaigns? Choice also governs how you record a user's browsing habits at your Web site.

Think about how you feel when you receive a sales call on the telephone during your favorite TV show or when you receive lots of random e-mail messages about improving your physical appearance. You do not want your customers to think negatively of your company when you contact them, so make sure your contact with them is expected.

You should give users opt-in and opt-out choices for how their data will be used. Opt-in means the user has to explicitly agree before their data is used for a specific purpose. Opt-out means that the user has to indicate that they do not want their data used for a specific purpose. The choice for sensitive user information should be opt-in. When a user gives permission for their information to be used, for any secondary uses of their data, or for your company to share their personal information with third parties, the user should have the ability to opt out of this use of their data.

Onward Transfer

Onward transfer refers to sharing a user's information with a business partner or other third party. For example, suppose that you sell bedroom furniture and you often team with a company that makes linen. After selling a bed to a customer, the linen company might want to send the customer a special offer on sheets. So you give the linen manufacturer your customer's contact information as a service to them. As innocent as this might sound, it should not happen without the customer's approval.

It is acceptable for you to share your customer information with a vendor who works with your company on a particular project, as long as that information sharing is based on the agreement you made with your customers and as long as the vendor agrees to comply with your company's privacy policy and abides by the Safe Harbor Principles. For example, if your customers agree to let you send them product materials, you are allowed to share your customers' address information with a company you hire to mail the material to your customers.

Security

Sensitive customer information should be protected to ensure that only individuals with a valid reason can access the data and that the data is protected from alteration, misuse, destruction, or loss. Such security measures should not only include applying password protection; they should also include encrypting data while it is transmitted or stored. Network and database administrators should not have access to sensitive information unless they need this information to perform their job duties. Invest in making information theft difficult. For example, encrypt the data at rest and audit each access to the data. Employees that have access to your customers' data must abide by the corporate privacy policy specifying how the data is handled.

Data Integrity

Data integrity governs the quality of information that is being stored. It starts with collecting only the minimum amount of information you need to provide the service that you are offering to your customers. If you do not need a customer's cell phone number, do not collect it. When you transfer customer information to vendors, do not send the entire customer record. Transfer only the information that the vendor needs to perform the task they were hired to do.

Maintaining data integrity also involves ensuring that the information that you collect is current, complete, and accurate before you use it. Information that does not meet these requirements should be recollected or purged from the system.
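As an added illustration (not code from the book) of how the Choice, Onward Transfer, and Data Integrity tenets above can be enforced at the point where a record leaves your systems: the vendor purposes, field names, and consent flags below are constructed assumptions, and the rule is that a purpose the customer has not chosen is refused outright and an approved purpose receives only the fields it needs.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Constructed allowlists: which fields each agreed onward-transfer purpose may
# receive. The purposes and field names are assumptions for this illustration.
TRANSFER_ALLOWLISTS: Dict[str, FrozenSet[str]] = {
    # A mailing house hired to ship product materials needs a postal address only.
    "mail_product_materials": frozenset({"name", "postal_address"}),
    # A partner's own campaign is a secondary use of the data (third-party sharing).
    "partner_marketing": frozenset({"name", "email"}),
}

# Secondary uses and third-party sharing require an explicit opt-in (Choice tenet).
OPT_IN_REQUIRED: FrozenSet[str] = frozenset({"partner_marketing"})

# Fields the chapter treats as sensitive (financial, medical) never leave via
# onward transfer, whatever the allowlist says.
SENSITIVE_FIELDS: FrozenSet[str] = frozenset({"checking_account", "health_insurance_number"})


@dataclass
class Customer:
    record: Dict[str, str]
    # purpose -> True means the customer explicitly agreed (opt-in);
    # a purpose absent from the map means no choice has been recorded yet.
    opt_in: Dict[str, bool] = field(default_factory=dict)
    # Purposes the customer has explicitly declined (opt-out).
    opted_out: FrozenSet[str] = frozenset()


class TransferRefused(Exception):
    """Raised when the customer's recorded choice does not cover this purpose."""


def prepare_onward_transfer(customer: Customer, purpose: str) -> Dict[str, str]:
    """Return the minimal record a vendor may receive for `purpose`, or refuse."""
    if purpose not in TRANSFER_ALLOWLISTS:
        raise TransferRefused(f"no agreed purpose named {purpose!r}")
    if purpose in customer.opted_out:
        raise TransferRefused(f"customer opted out of {purpose!r}")
    if purpose in OPT_IN_REQUIRED and not customer.opt_in.get(purpose, False):
        raise TransferRefused(f"{purpose!r} requires an explicit opt-in")
    allowed = TRANSFER_ALLOWLISTS[purpose] - SENSITIVE_FIELDS
    # Data Integrity tenet: send only what the vendor needs, never the whole record.
    return {k: v for k, v in customer.record.items() if k in allowed}


def sample_customer() -> Customer:
    """Constructed sample record; every value here is made up."""
    return Customer(
        record={
            "name": "A. Example",
            "postal_address": "1 Example Street, Exampleville",
            "email": "a.example@example.invalid",
            "cell_phone": "000-000-0000",
            "checking_account": "0000000000",
        },
        opt_in={"partner_marketing": False},
    )
```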

Access

Customers from whom you collect information should be able to verify and update their information in an easy and inexpensive fashion. When your company no longer needs the information, users should be able to have their information removed from your storage systems. You can enable a user to directly access his information via an online form, indirectly access it via e-mail, or access it by contacting a company representative over the phone. In any of these cases, the user's identity should be verified before you permit him to read or modify his data.

Enforcement

Your customers should have some recourse if they feel their privacy rights have been abused. The privacy policy on your Web site should include an e-mail address or point to an online form that customers can use to contact your company about privacy abuses. Your company should also look into joining one of several online privacy compliance organizations. For more information on self-regulation and a list of online privacy compliance programs, visit the U.S. Federal Trade Commission's Self-Regulation and Privacy Online page at http://www.ftc.gov/os/1999/9907/pt071399.htm.

Other U.S. Privacy Legislation

Several other pieces of U.S. privacy legislation have been introduced to protect a specific aspect of a person's privacy or a specific type of data. We discuss some of these pieces of legislation in the remainder of this section. When storing customer information, someone from your organization's privacy department should review the type of information that you are storing, from whom you are collecting the information, and by what means you are collecting this data to ensure that you are abiding by the various privacy statutes. Once again, when it comes to practices that could affect your company's revenues or image, be proactive.

Children's Online Privacy Protection Act (COPPA)

This act prohibits the collection or transfer of information from individuals that are 13 years of age or younger without their parents' permission. If your Web site knowingly collects information from children under the age of 13 or allows them to post personal information about themselves via chat rooms, e-mail, or other means, this act applies to you. COPPA is relevant to companies that operate sites that either target children or have knowledge that certain users are under the age of 13. When collecting information in person, verify the person's age. When collecting the information online, include a warning and have the user validate that they have their parents' permission before collecting any data. In either case, the Web site should record the user's age for future reference, in case employees need to contact that user, for example, to renew her membership.

Computer Fraud and Abuse Act (CFAA)

This act prohibits anyone from having physical or electronic access to any computer for any reason without permission from the user. No information can be read from, added to, modified on, or deleted from a user's computer without her permission. This act covers computers that are owned by individuals, not companies. A company always has the right to access its computers, even if an employee is storing personal information on them. Before downloading information or software to a user's computer or obtaining any information from a user's computer, get that user's permission.

Gramm-Leach-Bliley Act (GLBA)

This act governs the handling of financial information. Always inform a user in detail why you are collecting his financial data. Financial information is any descriptive information about a user's finances or any data that can be used to retrieve financial information, for example, a person's salary or checking account number. The control and transmission of this information should be covered by strict corporate policies.

Health Insurance Portability and Accountability Act (HIPAA)

This act governs the handling of medical information. Always inform a user in detail why you are collecting her medical information. Medical information is any descriptive information about a user's health or any information that can be used to retrieve a user's medical history, for example, a person's medical condition or health insurance number. The control and transmission of this information should be covered by strict corporate policies.

Privacy Legislation in Canada

In the 1980s, each of the Canadian provinces began to pass its own privacy legislation that applied to government agencies and regulated organizations. Quebec was the only province to pass privacy laws covering the private sector, passing Bill 68, or the Act Respecting the Protection of Personal Information in the Private Sector, in 1994. In response to the EU Directives, the Canadian Standards Association (CSA) created the Model Code for the Protection of Personal Information (http://www.csa.ca/standards/privacy/code/Default.asp). A summary of the code's principles follows:

  • Accountability

    An organization is responsible for personal information under its control and should designate someone who is accountable for the organization's compliance with the following principles.

  • Identifying Purposes

    The purposes for which personal information is collected must be identified by the organization before or while the information is collected.

  • Consent

    The knowledge and consent of the user are required for the collection, use, or disclosure of personal information, except where inappropriate.

  • Limiting Collection

    The organization should only collect personal information necessary for the purposes it originally specified. Information must be collected by fair and lawful means.

  • Limiting Use, Disclosure, and Retention

    Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the user or as required by law. Personal information should be retained only as long as necessary for the fulfillment of those purposes.

  • Accuracy

    Personal information must be as accurate, complete, and up to date as the project at hand requires.

  • Safeguards

    Personal information should be protected by security safeguards appropriate to the sensitivity of the data.

  • Openness

    An organization should make readily available to users specific information about its policies and practices relating to the management of personal information.

  • Individual Access

    Upon request, a user must be informed of the existence, use, and disclosure of his personal information and must be given access to that information. A user should be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  • Challenging Compliance

    A user must be able to challenge an organization's compliance with these principles. To do so, the user must have access to the organization's employee who is accountable for the organization's compliance.

Canada's privacy code was the basis for its Personal Information Protection and Electronic Documents Act, or PIPEDA (http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp). This law was enacted in January 2001 and brings Canada into compliance with the EU Directives.

Privacy Legislation in Europe

In 1981, the Council of Europe introduced the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, also known as Convention 108. This resolution, along with the OECD guidelines, influenced many European countries to adopt privacy legislation. However, years later, several countries still had not moved to pass similar legislation. In July 1998, the European Union ratified the EU Directives on data protection in an effort to prevent the improper collection and use of personal data in EU countries. This directive compelled EU countries that had not yet done so to enact privacy legislation.

Today, Europe has some of the toughest privacy laws in the world. In general, European companies are forbidden to use someone's personal data for any reason unless a law indicates that it is permitted to do so. This is the opposite of the approach taken by privacy law in the United States.

One of the important provisions of the EU Directives forbids the transfer of personal information from any EU country to a country outside the EU that does not conform to a set of principles similar to the EU Directives. This could cause a major problem for companies in countries outside Europe that want to do business with EU countries. In fact, this was a major motivator for privacy legislation in the United States and other countries throughout the world.

Privacy Legislation in Asia

Asia as a whole is not as far along with regard to privacy legislation. However, the creation of the OECD guidelines has encouraged several pieces of legislation, as listed here. (See http://www.pco.org.hk/english/infocentre/speech_19970917.html for more information.)

  • Japan

    The Act for Protection of Computer Processed Personal Data Held by Administrative Organs (enacted December 1988)

  • Hong Kong SAR

    The Personal Data (Privacy) Ordinance (enacted September 1995)

  • Taiwan

    Law Governing Protection of Personal Data Processed by Computers (enacted July 1995)

Privacy Legislation in Australia

Australia's Privacy Act (http://www.privacy.gov.au/act/index.html#2.12) was passed by the Australian Parliament in 1988. This act is Australia's implementation of the OECD guidelines. The act consists of 11 principles that were meant to protect personal information being held by the federal government and its agencies. A summary of the principles follows:

  • Principle 1

    Manner and purpose of collection of personal information

  • Principle 2

    Solicitation of personal information from individuals concerned

  • Principle 3

    Solicitation of personal information generally

  • Principle 4

    Storage and security of personal information

  • Principle 5

    Information relating to records kept by the record keeper

  • Principle 6

    Access to records containing personal information

  • Principle 7

    Alteration of records containing personal information

  • Principle 8

    Record keeper to check accuracy of personal information before its use

  • Principle 9

    Personal information to be used only for relevant purposes

  • Principle 10

    Limits on use of personal information

  • Principle 11

    Limits on disclosure of personal information

In December 2000, Australia's parliament passed the Privacy Amendment Act 2000, which extends coverage of the Australian privacy act to most private sector organizations.


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189