Data Protection Act: Implications for Monitoring Technologies

David Speakman, Liam Houston, Niall Kerrigan

MSc. Information Systems Management, NUI Galway

March 2013


Overview

• Evolution of DPA
• Current Implications
• Future Trends


The Need for Data Protection Laws

Every person has the right to privacy...

– Technology development has given greater potential for gathering and processing of personal data

– This data may be processed without the risks being considered or, worse, taken from people without their realising

– Monitoring technology can track where you are, what you do and when you do it at any time it wishes – “Big Brother” effect. Do you recall the film Enemy of the State?

– The world envisioned in George Orwell’s novel 1984 is now evident; without correct and enforced legislation, it is easily a possibility.


Development of the DPA

The development of technology required data protection legislation:

– 1981 – The Organisation for Economic Co-operation and Development provide the EU with a set of guidelines

– 1988 – The Irish Government created the Data Protection Act, the first legislation created to monitor data collection

– 1995 – The EU Data Protection Directive encourages all member states to adopt a similar approach to Data Protection Laws to allow for legal transborder data flow

– 2003 – The Irish Government amend the DPA to align with the EU Directive and increase the rights of the Data Subject


Influence of OECD Guidelines on current DPA

OECD Guidelines: 8 key principles

– Collection Limitation
– Purpose Specification
– Use Limitation
– Security Safeguards
– Data Quality
– Openness
– Individual Participation
– Accountability

Data Protection Act: laws to ensure

– Lawful obtaining and processing of data
– Data is relevant to its purpose
– Security
– Accuracy
– Availability of data to the data subject
– Data is not kept longer than necessary


Current Implications:

CCTV and Electronic Communications


CCTV

– Monitoring 24/7, 365 days a year
– Records everything you do, where you do it, when you do it
– Captures vast amount of “personal data”
– Subject to DPA
– Act states CCTV must be “adequate, relevant and not excessive” for its purposes
– How are CCTV systems justified?


Is CCTV justifiable?

• Proper Use of CCTV system
– Must consider what CCTV is being used for
– Acceptable: capturing intruders damaging/removing goods from premises
– Unacceptable: monitoring employees, covert surveillance

• Suitable images being recorded
– Acceptable: Areas where security issues have arisen prior to CCTV being installed
– Unacceptable: Directly at toilet cubicles/urinals


Is CCTV justifiable?

• Transparency
– Information must be provided to data subject prior to recording, e.g. usually a sign at premises entrance

• Storage and retention
– Retention period must be justifiable, usually one month
– Recordings must be kept in restricted, monitored and secure environment
– Recordings must be in either tape, still images or disk.

• Access Requests
– Requests must be made available to data subject
– Must identify subject, display date/time/location


E-Communications

• Now in e-communication age - part of our everyday lives

• Process “personal data” – companies subject to DPA via special rules

• Rules in the areas of data breaches, marketing, data retention and data disclosure.

• Compliance issued via Privacy Policy

• Failure to comply results in severe penalties


E-Communications

Security Issues:
– Traffic Data
– Cookies
– Location Data


Traffic Data

– Details of calls, texts, emails, Internet use
– Should only be retained for set amount of time for payment and querying purposes
– Restrictions in place for marketing this “traffic data”


Traffic Data

Recall the abuse of “Traffic Data” by the News of the World that forced the closure of the newspaper


Cookies

• Personal data may not be removed unless the user:
– 1. Is informed why cookies are being used
– 2. Has given his/her consent

• The above not applicable where info is required for communication transmission or for info specifically required by the user e.g. shopping cart

• Information on cookies should be readily available to users


Location Data

• Gives a user’s geographical location
• User must be given:
– Prior consent to location data being processed
– Reasons and duration of processing
– Whether data will be processed to a “third party”
– Option to withdraw consent


Future Trends:

Privacy vs. New Technology
Strengthening Data Protection Laws
Future Implications


Privacy vs. New Technology

• Cutting Edge Technologies – protecting privacy becoming more difficult

• Era of ‘Big Data’ – detailed info on our every movement

• “Personal data” on mobile devices collected and analysed without consent – builds detailed user profiles

• “Golden Solution” – Correct Protection of civilian privacy without halting new technological innovation


Strengthening Data Protection Laws

• European Commission – to reinforce EU data legislation by 2014

“to put individuals in control of their own personal data”


Future Technologies & Implications

• Google Glass
– Will make personal privacy and data protection impossible
– Recordings will be stored on Google servers

• The future of monitoring technology?

“It’s inevitable that surveillance drones will be deployed over New York City. Get used to it”

-Michael Bloomberg, 2013