Conference and lecture given in February 2012 in Brussels
Social Media, Web 2.0: The end of Privacy?
Jacques Folon
Partner, Edge Consulting
Lecturer, ICHEC
Visiting professor, Université de Liège & Université de Metz
Find the presentation on
www.slideshare.net/folon
Table of Contents
The author
Social media & privacy ????
What’s data privacy?
Control of the employees
How are data collected?
Security & ISO 27002
Conclusion
Follow me on scoop it for the latest news on data privacy and security
http://www.scoop.it/t/management-2-entreprise-2-0
Social media & privacy ????
Data privacy is outdated!
“By giving people the power to share, we're making the world more transparent. The question isn't, 'What do we want to know about people?', it's, 'What do people want to tell about themselves?'”
Mark Zuckerberg, CEO Facebook
If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.
Eric Schmidt, ex-CEO of Google
So is it still a question?
• Yep...
• see on the web, you’ll find sooo many debates
• and by the way, the data privacy legal framework also applies in the social media environment
What’s data privacy?
What your boss thinks...
Good question?
Employees share (too) much information, including with third parties
Some news
Where the data are
Legal issues
Employees copy what they find on the internet
Inappropriate posts against the company, colleagues, clients, suppliers, ...
HR: recruitment, harassment, ...
Limitation of control by the employer
Archiving & e-discovery
Codes of conduct
...
Source : https://www.britestream.com/difference.html.
Everything must be transparent
Legal framework(s)
Some important legal definitions
Personal data
Any information relating to an identified or identifiable person ('data subject') who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural, social).
When is it «legal»?
Collecting and processing the personal data of individuals is only legitimate in one of the following circumstances:
• Where the individual concerned has unambiguously given his or her consent, after being adequately informed; or
• if data processing is needed for a contract; or
• if processing is required by a legal obligation; or
• if processing is necessary in order to protect the vital interest of the data subject; or
• if processing is necessary to perform tasks of public interest or tasks carried out by government, tax authorities, the police or other public bodies; or
• if the data controller or a third party has a legitimate interest in doing so, so long as this interest does not affect the interests of the data subject or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.
Source: http://ec.europa.eu/justice/data-protection/index_en.htm
Data subject
An identified or identifiable person to whom specific personal data relates. It is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural, social).
Processing of personal data
Processing of personal data means any operation or set of operations which is performed upon personal data, whether or not by automatic means (for example: collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deleting or destruction, etc.).
Source: http://ec.europa.eu/justice/data-protection/index_en.htm
Controller
Natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The data controller must respect certain rules:
• Personal data must be processed legally and fairly;
• It must be collected for explicit and legitimate purposes and used accordingly;
• It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
• It must be accurate, and updated where necessary;
• Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
• Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
• Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures. These protection measures must ensure a level of protection appropriate to the data.
Source: http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm
What can you ask of data controllers?
• Data controllers are required to inform you when they collect personal data about you;
• You have the right to know the name of the controller, what the processing is going to be used for, and to whom your data may be transferred;
• You have the right to receive this information whether the data was obtained directly or indirectly, unless this information proves impossible or too difficult to obtain, or is legally protected;
• You are entitled to ask the data controller if he or she is processing personal data about you;
• You have the right to receive a copy of this data in intelligible form;
• You have the right to ask for the deletion, blocking or erasing of the data.
Source: http://ec.europa.eu/justice/data-protection/index_en.htm
The law prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of data concerning health or sex life, unless one of the exception criteria is met.
Exchange of data...
Cookies
International transfer
• Security management
  – Security department
  – Consultant
  – Security procedures
  – Disaster recovery
• Technical security
  – Risk analysis
  – Back-up
  – Procedures against fire, theft, ...
  – Identity access management
  – Authentication (identity management)
  – Login and password
• Legal security
  – Employment contracts
  – Subcontractors
  – Code of conduct
  – Employee’s control
  – Full respect of the legal framework
Privacy statement confusion
• 53% of consumers consider that a privacy statement means that data will never be sold or given away
• only 43% have read a privacy statement
• only 45% use different email addresses
• 33% change passwords regularly
• 71% decide not to register or purchase due to a request for unneeded information
• 41% provide fake info
Source: TRUSTe survey
Control of the employees
How much information?
Could the employer control everything?
Control
Privacy vs right to control
CC/CAO 81
Same rules for public and private sector
Control:
• Purpose (4)
• Proportionality
• Procedure
• Information
• Individualization
• Penalties
Are postings on social media private?
They are on a public site and as such not private; the employer may check what happens on social media, with some limitations:
• OK for LinkedIn, Viadeo, etc.
• OK for others if there are complaints, for instance about sexual harassment
• No if it is for discrimination or to find sensitive information
• Need for a code of conduct
TELEWORKING
How are data collected?
They know where you are ...
Source: http://www.slideshare.net/peterkaptein/post-privacy-era
Elvira Berlingieri | Peter Kaptein December 5, 2009 Donnaèweb - Viareggio
Making sure you can call
[Figure: you, surrounded by several GSM cells]
Tool: Triangulation
[Figure: data from several GSM cells are collected in a database that locates you]
“You are here”
[Figure: the database combines the cell data to place you on the map]
Tracking: defining actions
[Figure: timeline of one Friday afternoon, 12:45 to 13:50, combining phone ID, payment and face recognition records with events such as two purchases and a phone call]
Tracking: Matching
GSM cell data + payment data + biometric data give:
- Identity
- Action
- Location
- Time
Tracking: Data collection
[Figure: Friday, 12:45: phone ID, payment and face recognition records separate you from other people]
Filtering the data
[Figure: Sunday, 12:45, Dam Square; Monday, 14:15, Abbey Road; Tuesday, 09:45, Johns Bagels: phone ID, payment and face recognition records narrow “maybe you” down to “you” by matching now + past]
Result
phone ID
+ biometric data (camera)
+ payments + purchased items
= You + your whereabouts
DATA THEFT
Where does one steal data?
• Banks
• Hospitals
• Ministries
• Police
• Newspapers
• Telecoms
• ...
Which devices are stolen?
• USB
• Laptops
• Hard disks
• Papers
• Binders
• Cars
What do they know?
Building your profile
[Figure: a profile built up around “You” in three steps: first medical data, financial data, family, friends, preferences, private stuff, incriminating stuff, whereabouts and photos; then expenses, budgets, connections, opinions, travels, commutes, sexual, literature, consumer, people, diseases, current state and personal data]
Source: http://www.slideshare.net/peterkaptein/post-privacy-era
How?
• GSM cell data
• Phone calls
• Payment data
• Whereabouts via biometric data
• Bonus card data
• Medical data
• Browsing data
• Travel data
• Google searches
→ Profile database
Source: http://www.slideshare.net/peterkaptein/post-privacy-era
Security & ISO 27002
Implication for HR
8.1 Before recruiting
8.1.1 Roles & responsibilities
Contracts
Work regulations (règlement de travail / arbeidsreglement)
Security policy
CC/CAO 81
«Forgotten» contracts
• Consultants
• Subcontractors
• Auditors
• Accountants
• Cleaning
Tests
Assessments
Social media check
CV screening
8.1.3 Employment conditions
Employees’ responsibilities
Applicable rules before and after the contract
Privacy information
Mobiles, laptops, etc.
8.2 During the contract
8.2.1 Management responsibilities
Procedures
Control, update, security manager, sponsoring
8.2.2 Training and awareness
8.2.3 Disciplinary process
Limit for control? Private emails? CC/CAO 81
8.3.1 End of contract
Internal move
Confidentiality after the end
What is confidential
8.3.3 Cancel access rights
Conclusion
Is this your data security?
Social media are there...
+500 M users today, reaching 1 billion by 2012
85 M users today
70 M users today
120 M users today
74 M users today
10 M users today
Geolocation
http://projectvirginia.com/infographic-emerging-media-in-2011/
It’s not only the so-called generation Y
Recruitment and social media
Source: http://www.doppelganger.name
Your boss thinking of data privacy?
Or?
Remember that security of personal data is a legal requirement...
“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.”
C. Darwin
QUESTIONS?