
Computer and Data Security Laws and Regulations

Explore the topic of privacy and data protection laws and regulations, including the concept of privacy, EU data protection directives, UK data protection laws, and legal safeguards and deterrents.


Presentation Transcript


  1. Computer and Data Security Laws and Regulations (short, most basic version)
     Nicolas T. Courtois, University College London

  2. Is Privacy Universal?
     A Western concept, not easy to translate into a foreign language. Italian: “la privacy”.
     Yet the right to privacy was enacted by the United Nations in 1948:
     • no one voted against, but the Soviet Bloc, South Africa and Saudi Arabia abstained.
     Article 12 of the Universal Declaration of Human Rights:
     • No one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation.
     • Everyone has the right to the protection of the law against such interferences or attacks.
     Nicolas T. Courtois, December 2009

  3. Concept of Privacy [UK]
     The Calcutt Committee in the United Kingdom was satisfied that “it would be possible to define it legally” and adopted this definition:
     The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.
     This brings us to two types of privacy:
     • Physical privacy:
       • human body / intimate life
       • personal belongings: free from intrusion, searches and seizures.
     • Informational privacy:
       • about the collection and sharing of data about ourselves…
       • about us: religion, sexual orientation, political affiliations, personal activities, etc.
       • about our actions: location data, what we buy, what we do, say, write, who we voted for, what we search for with Google, etc.

  4. EU and Data Privacy
     1950: European Convention on Human Rights (ECHR). Article 8 provides a right to respect for one's “private and family life, his home and his correspondence”.

  5. Data Privacy and Confidentiality

  6. EU and Data Protection
     Directive 95/46/EU [1995]: to allow the free flow of personal data (only) between member states by harmonizing minimal information protection.
     An organization must implement appropriate technical and organizational measures to protect personal data against:
     • accidental or unlawful destruction
     • accidental loss or alteration
     • unauthorized disclosure or access (includes interception/eavesdropping over a network).

  7. EU Data Protection Directive 95/46/EU [1995]
     Enforced by:
     • the laws of each EU country
     • a local “Data Protection Commissioner” in each country.
     Example, UK:
     • Data Protection Act [1998]
     • Information Commissioner’s Office

  8. UK Data Protection Act
     8 principles: all data must be:
     - processed fairly and lawfully
     - obtained and used only for specified and lawful purposes
     - adequate, relevant and not excessive
     - accurate and, where necessary, kept up to date
     - kept for no longer than necessary
     - processed in accordance with the data subject’s rights
     - kept secure
     - transferred only to countries that offer adequate data protection
     More details: http://www.ico.gov.uk/home/for_organisations/data_protection_guide.aspx

  9. Legal Safeguards and Deterrents

  10. UK Law
     • The Fraud Act 2006 came into force in early 2007.
     • The Fraud Act introduces a general offence of fraud which can be committed by:
       • false representation (e.g. phishing)
       • failing to disclose information [e.g. on an ad/prospectus]
       • abuse of position [employee access, carer for the elderly…]
     • One previous loophole: possession of software or data designed or adapted for use in [connection with] fraud.
       • Possession: up to 5 years. [possession + intention that it be used to defraud or cheat, even if used by somebody else]
       • Writing software: up to 10 years.
     Maximum sentence: 10 years.

  11. Data “Non-Privacy”

  12. Correspondence
     The content: good legal protection in most countries.
     In contrast, and with less protection since Sept 11th:
     • Communications:
       • lawful interception implemented
       • and technology makes it easier and easier to intercept data illegally…
     Even less protection:
     • traffic data: who talks to whom?

  13. Telecommunications and Data Retention

  14. Data Retention
     EU Directive 2006/04/EC. Obligatory to keep, for 6-24 months, the data needed to:
     • trace and identify the source of a communication;
     • same for the destination of a communication;
     • identify the date, time and duration of a communication;
     • identify the type of communication;
     • identify the communication device;
     • identify the geographical location of mobile communication equipment.

  15. E-mail Retention

  16. US: Publicly Traded Companies
     E-mail retention obligations:
     • must retain their e-mail and Instant Messaging (IM) that may have to be produced in a lawsuit and/or a regulatory or financial audit…

  17. UK: Your Employer
     E-mail retention? Regulation of Investigatory Powers Act 2000 (RIPA): allows employers to log, intercept and/or record all forms of communications (for instance telephone calls as well as e-mails and the use of internet sites) in certain circumstances, regardless of whether the parties to the communication have consented to the interception or not.
     Only business communications, not personal.

  18. All Good Reasons to Log/Record
     • establish the existence of facts relevant to the business (which might include establishing the disputed facts of a conversation or e-mail exchange);
     • ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business;
     • ascertain or demonstrate standards which are, or ought to be, achieved by the person using the system (which could include quality control or staff training);
     • prevent or detect crime;
     • investigate or detect the unauthorized use of telecommunications systems;
     • ensure the effective operation of the system.
     Example given: the right to open an employee's e-mail account to access relevant business communications when a member of staff is off sick or away.
     Caveat: only business communications, not personal. Monitoring, but not recording, is also authorized for the purpose of determining whether or not communications are relevant to the business.

  19. + Code of Practice
     Code of practice: http://www.privacydataprotection.co.uk/pdf/employment_code_of_practice.pdf
     • it will usually be intrusive to monitor workers
     • workers have legitimate expectations of privacy for their private lives, and should also expect some degree of privacy in the workplace
     • if employers wish to monitor their workers they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by the real benefits that will be delivered
     • workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified
     • in any event, workers' awareness will influence their expectations

  20. Types of Data

  21. 2 Types of Data
     Regulators and companies frequently make a distinction between:
     • Personal data (name, address, family details, etc.)
       • more related to privacy…
     • Financial data: account number, credit history, etc.
       • more related to security and fraud…

  22. Personal Data: Underestimated Risk
     Both types of data are used by criminals.

  23. EU Data Protection Directive 95/46/EU [1995]
     Gives a definition of personal data (Article 2A):
     • any information relating to an identified or identifiable natural person ('data subject');
     • an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

  24. Scope of « Personal Data »?
     “any information relating to an identified or identifiable natural person ('data subject')”
     • Seems like all data is personal data???
     A more precise notion is [as appears in US standards, e.g. NIST] Personally Identifiable Information (PII), defined as:
     • information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.

  25. EU Directive - Protection
     95/46/EU [1995]: must implement measures… to protect personal data against:
     • unauthorized disclosure or access
