IT Track
Session Number 4
Data Protection
What It Means to NA Webservants
The Fourth Florida Service Symposium
March 24-27, 2011, Tampa, Florida, USA
What Is the Data Protection Act?
The European Union takes privacy very seriously.
• In 1998, they developed a data protection plan
• This has the force of law, in most nations
• It is known as the Data Protection Act (DPA)
Eight Principles of the DPA
Personal data must be:
• Processed fairly and lawfully
• Obtained for specific and lawful purposes
• Adequate, relevant, and not excessive
• Accurate and up to date
• Kept no longer than necessary
• Processed in accordance with the subject’s rights
• Stored securely
• Not sent to any nation with lesser protection
So, What do We Mean by “Data”?
• Information being processed by computers or other data processing equipment
• Information collected for such processing
• Information gathered to be stored in a system that is designed to allow access to it
• Information that can be accessed later
• Information held by public authorities
What Is “Personal Data”?
Very simply, it is any data that can directly, or when cross-referenced with other data, identify an individual.
PERIOD
Example of Cross-Referencing
Email header cross-referenced with access log:

Email Header:
Return-path: <steve-a@somegodforsakenscottishrock.net>
• • •
Received: from ip-cust-50.somegodforsakenscottishrock.net([73.50.161.62])

Access Log:
73.50.161.62 - - [14/Feb/2011:22:08:05 -0500] "GET /pictures/midgets-having-sex/with-goats/banned-in-three-nations.jpg HTTP/1.1" 200 9613 "-" "Mozilla/5.0 (webOS/1.4.5; U; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Version/1.0 Safari/532.2 Pre/1.0"

In this case, the IP address was used to correlate an email received with the content being browsed.
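The cross-reference above can be reproduced in a few lines, which is why a webservant should treat a raw access log as personal data. The following is an added example, not part of the original slides: the addresses, domains and log lines are constructed, and the keyed-hash pseudonymization step is one possible mitigation assumed here, not something the presentation prescribes.

```python
import hashlib
import hmac
import re
from email import message_from_string

# Constructed sample data (documentation address ranges, example domains).
EMAIL = """Return-path: <user@example.net>
Received: from ip-cust-50.example.net ([203.0.113.62]) by mx.example.org; Mon, 14 Feb 2011 22:01:10 -0500
Subject: hello

body
"""
ACCESS_LOG = [
    '203.0.113.62 - - [14/Feb/2011:22:08:05 -0500] "GET /pictures/example.jpg HTTP/1.1" 200 9613 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2011:22:09:41 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
# Combined log format: client, identity, user, [time], "method path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def received_ips(raw_email):
    """IPv4 addresses that appear in square brackets in Received: headers."""
    msg = message_from_string(raw_email)
    ips = set()
    for value in msg.get_all("Received", []):
        ips.update(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value))
    return ips

def cross_reference(raw_email, log_lines):
    """Return (sender, client, timestamp, path) for log hits from the mail's IPs."""
    sender = message_from_string(raw_email).get("Return-path", "").strip("<>")
    ips = received_ips(raw_email)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in ips:
            hits.append((sender, m.group(1), m.group(2), m.group(4)))
    return hits

def pseudonymize_log(log_lines, key):
    """Replace the client field with a keyed hash before the log is stored."""
    out = []
    for line in log_lines:
        ip, rest = line.split(" ", 1)
        tag = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]
        out.append(f"{tag} {rest}")
    return out
```

The pseudonymized log still supports per-visitor counting, but it no longer joins against the email header. Anyone holding the key can recompute the mapping, so the key needs the same protection as the raw addresses.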
What Personal Data do We Hold?
• Personal Names
• IP Addresses
• Telephone Numbers
• Mailing Addresses
• Email Addresses
• Actual Email Content
• Passwords
How Sensitive?
• Race and/or Ethnicity
• Politics
• Religion
• Union Membership
• Health
• Sex
• Criminal History
What Is “Processing”?
In a word, handling data
• Sending information by email
• Sending information by postal mail
• Verbally (phone, broadcast or in person)
• Displaying data (not just computer display)
• Fetching the data (can be getting a file folder)
• Organizing the data (like in a file cabinet)
Computers make all the above easier, but the definition goes beyond computers.
Example of “Processing”
Giving someone a friend’s phone number over the phone.
Another Example
Gossiping about someone, with personal information being exchanged verbally.
Rights and Duties
• The person to whom the data applies (not the person[s] currently in possession of the data) has RIGHTS. These are Data Subjects.
• The person[s] (or organization[s]) that process the data have DUTIES. These are Data Controllers.
• A Data Processor is a person or organization that processes data on behalf of a Controller.
The Scary Words
• The “R” Word: RESPONSIBILITY
• The “A” Word: ACCOUNTABILITY
Some useful links and further information:
• UK Information Commissioner Office; http://www.ico.gov.uk/
• US Safe Harbor Framework; http://www.export.gov/safeharbor/eu/eg_main_018365.asp
• Development of Data Protection in Europe, an overview; http://www.dataprotection.eu/
• History of Data Protection in the US; http://www.privireal.org/content/dp/usa.php
• US Census Bureau Data Protection (contains useful links to US Data Protection sites); http://www.census.gov/privacy/data_protection/