Data privacy & social media

Social Media, Web 2.0The end of Privacy ?

Jacques Folon

Partner Edge ConsultingLecturer ICHEC

Visiting professor Université de Liège & Université de

Metz

Find the presentation on

www.slideshare.net/folon

http://www.slideshare.net/folon

http://www.slideshare.net/folon

Table of ContentsTable of ContentsThe author

Social media & privacy ????

What’s data privacy?

Control of the employees

How are data collected?

Security & ISO 27002

Conclusion

Chargé de cours Partner

Auteur

http://be.linkedin.com/in/folon [email protected]

[email protected]

Administrateur

mailto:[email protected]

Follow me on scoop it for the latest news on data privacy and security

http://www.scoop.it/t/management-2-entreprise-2-0

http://www.scoop.it/t/management-2-entreprise-2-0

The author






Conclusion

4

By giving people the power to share, we're making the world more transparent. The question isn't, 'What do we want to know about people?', It's, 'What do people want to tell about themselves?'Data pricavy is outdated !

Mark Zuckerberg, CEO Facebook

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.

Eric Schmidt, ex- CEO of Googe

So is it still a question?

• Yep...

• see on the web, you’ll find sooo many debates

• and by the way data privacy legal framework also is applicable in the social media environment

The author






Conclusion

What your boss thinks...

Good question ?

10

Employees share (too) many information and also with third

parties

Some news

Where the data areWhere the data are

Legal issues

Employee copy what they find on internet

Inappropriate posts against the company, colleagues, clients, suppliers,...

HR: recruitment, harassment, ...

Limitation of control by the employer

Archiving & e-discovery

Code of conducts

...

5

Source : https://www.britestream.com/difference.html.

https://www.britestream.com/difference.html

Everything must be transparent

legal framework (s)

Some important legal definitionsSome important legal definitions

Personal data

Any information relating to an identified or identifiable person ('data subject') who can be identified, directly or indirectly, in particular by

reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural, social).

2299

Collecting and processing the personal data of individuals is only legitimate in one of the following circumstances:

•Where the individual concerned has unambiguously given his or her consent, after being adequately informed; or

•if data processing is needed for a contract, or

•if processing is required by a legal obligation; or

•if processing is necessary in order to protect the vital interest of the data subject, or

•if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or

•if the data controller or a third party has a legitimate interest in doing so, so long as this interest does affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.

When is it «legal»?

Source: http://ec.europa.eu/justice/data-protection/index_en.htm

http://ec.europa.eu/justice/data-protection/index_en.htm

Data subject

An identified or identifiable person to whom specific personal data relates.

It is someone who can be identified, directly or indirectly, in particular by reference to an

identification number or to one or more specific factors (physical, physiological,

mental, economic, cultural, social).

Processing of personal data

Processing of personal data means any operation or set of operations which is performed upon personal data, whether or not by automatic means (for example: collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deleting or destruction, etc.).



3322

Controller

Natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The data controller must respect certain rules:

Source: http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm

• Personal Data must be processed legally and fairly;• It must be collected for explicit and legitimate purposes

and used accordingly;• It must be adequate, relevant and not excessive in relation

to the purposes for which it is collected and/or further processed;

• It must be accurate, and updated where necessary;• Data controllers must ensure that data subjects can

rectify, remove or block incorrect data about themselves;• Data that identifies individuals (personal data) must not be

kept any longer than strictly necessary;• Data controllers must protect personal data against

accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures. These protection measures must ensure a level of protection appropriate to the data.

http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm

3344

What can you ask of data controllers?

•Data controllers are required to inform you when they collect personal data about you;•You have the right to know the name of the controller, what the processing is going to be used for, to whom your data may be transferred;•You have the right to receive this information whether the data was obtained directly or indirectly, unless this information proves impossible or too difficult to obtain, or is legally protected;•You are entitled to ask the data controller if he or she is processing personal data about you;•You have the right to receive a copy of this data in intelligible form;•You have the right to ask for the deletion, blocking or erasing of the data.



the law prohibits the processing of personal data revealing racial or ethnic origin, political opinions,

religious or philosophical beliefs, trade-union membership, and the processing of data

concerning health or sex life unless one of the exception criteria is met.

exchange of data...exchange of data...

CoockiesCoockies

international transferinternational transfer

•Security managementSecurity management

– Security departementSecurity departement

– Consultant Consultant

– Security proceduresSecurity procedures

– Disaster recoveryDisaster recovery

Technical securityTechnical security– Risk analysisRisk analysis– Back-upBack-up– Procedures aganinst fire, theft, ...Procedures aganinst fire, theft, ...– Identity access managementIdentity access management– Authentification (identity management)Authentification (identity management)– Loggin and passwordLoggin and password

Legal securityLegal security

– Employment contractsEmployment contracts– sub contractorssub contractors– Code of conductCode of conduct– employee’s controlemployee’s control– Full respect of the legal frameworkFull respect of the legal framework

4433

Privacy statement confusion•53% of consumers consider that a

privacy statement means that data will never be sell or give

•43% only have read a privacy statement

•45% only use different email addresses

•33% changed passwords regularly

•71% decide not to register or purchase due to a request of unneeded information

•41% provide fake info 4433

Source: TRUSTe survey

4444

The author






Conclusion

How many information?How many information?

6767

Could the employer control everything?

Control

Privacy vs right to controlCC-CAO 81Same rules for public and private

sector

CONTROL

•Purpose (4)•proportionality•procedure•information•individualization•Penalties

5522

Are posting on social media private?

It is on a public site and as such not privatethe employer may check what happens on social media with some limitations:

ok for linkedin, viadeo, etc.ok for others if complaints for by instance sexual harassmentno if it is for dicrimination or to find sensistive information

need for a code of conduct

TELEWORKING

The author






Conclusion

They know where you are ...

Source: http://www.slideshare.net/peterkaptein/post-privacy-era

http://www.slideshare.net/peterkaptein/post-privacy-era



Elvira Berlingieri | Peter Kaptein December 5, 2009 Donnaèweb - Viareggio

Making sure you can call

GSM Cell

GSM Cell

GSM Cell

You




Tool: Triangulation

Database

Data

Data

Data

Data

You




“You are here”

Database

Data

Data

Data

You




Tracking: defining actions

Friday, 12:45Friday, 12:45

Phone IDPhone IDPaymentPaymentFace recog.Face recog.

12:4712:47

12:5212:52

13:3013:30

13:5013:50

13:2513:25

13:4513:45PurchasePurchase

PurchasePurchase

Phone callPhone call




Tracking: Matching

GSM Cell data

Payment data

Biometric data

- Identity- Action- Location- Time




Tracking: Data collection

Friday, 12:45Friday, 12:45

Phone IDPhone IDPaymentPaymentFace recog.Face recog.Other peopleOther peopleYouYou

You




Filtering the data

Sunday, 12:45Dam Square

Sunday, 12:45Dam Square

Phone IDPhone IDPaymentPaymentFace recog.Face recog.Other peopleOther peopleMaybe youMaybe you

Monday, 14:15Abbey road

Monday, 14:15Abbey road

YouYou

Tuesday, 09:45Johns Bagels

Tuesday, 09:45Johns Bagels

Matches now + pastMatches now + past




Result

phone ID

+ biometrical data (camera)

+ payments + purchased items

= You + your wherabouts



DATA THEFT

Where do one steal data?

•Banks•Hospitals•Ministries•Police•Newspapers•Telecoms•...

Which devices are stolen?

•USB •Laptops•Hard disks•Papers•Binders•Cars

What do they know?


Building your profile

You





You

MedicMedical dataal dataMedicMedical dataal data

FinancFinancial ial

datadata

FinancFinancial ial

datadata

FamilyFamilyFriendFriend

ss


ss

Prefe-Prefe-rencesrencesPrefe-Prefe-rencesrences

Private Private stuffstuff


IncriminIncrimina-ting a-ting stuffstuff

IncriminIncrimina-ting a-ting stuffstuff WhereWhere

--aboutsabouts

WhereWhere--

aboutsabouts

Photo’sPhoto’sPhoto’sPhoto’s





You

MedicMedical dataal dataMedicMedical dataal data

FinancFinancial ial

datadata

FinancFinancial ial

datadata


ss


ss

Prefe-Prefe-rencesrencesPrefe-Prefe-rencesrences





ExpensExpenseses

ExpensExpenseses

BudgetBudgetss

BudgetBudgetss

WhereWhere--

aboutsabouts

WhereWhere--

aboutsabouts ConnecConnect-ionst-ions

ConnecConnect-ionst-ions


OpinionOpinionss

OpinionOpinionss

TravelsTravelsTravelsTravels CommuCommutestes

CommuCommutestes


SexualSexualSexualSexual

SexualSexualSexualSexual


LiteratuLiteraturere

LiteratuLiteraturere ConsuConsu

mermerConsuConsumermer

PeoplePeoplePeoplePeople

DiseaseDiseasess

DiseaseDiseasess

Current Current statestate

Current Current statestate

PersonaPersonal datal data

PersonaPersonal datal data




How?

GSM Cell dataPhone calls

Payment data

Whereabouts via

biometric data

Bonus card data

Medical data

Browsing data

Profile databaseProfile database

Travel data

Google searchesSource: http://www.slideshare.net/peterkaptein/post-privacy-era

The author






Conclusion

48

45

Implication for HR

8.1 before recruiting

8.1.1. roles & responsibilities

52

Contracts

Réglement de travail/arbeidsreglement

security policyCC/CAO 81

53

«forgotten» contracts

•consultants•subcontractors•auditors•accountants•cleaning

54

TESTSASSESMENTSSOCIAL MEDIA CHECKCV Screening

55

57

Employees’ responsibilities

Applicable rules before and after the contract

Privacy information

Mobiles, laptop,etc.

8.1.3 employment conditions

58

8.2 during the contract

59

Procedures

Control update security

manager Sponsorin

g

8.2.1 Management responsibilities

8.2.2 Training and awareness

61

Limit for control? Private emails? CC/CAO 81

8.2.3 Disciplinary process

62

8.3.1 End of contract

internal moveconfidentiality after the

endwhat is confidential

63

8.3.3.Cancel access rights

110000

The author






Conclusion

Is this your data security ?

Social media are there...

+500 M users todayreaching 1 billion by 2012

85 M users today

70 M users today

120 M users today

74 M users today

10 M users today

Géolocalisation

http://projectvirginia.com/infographic-emerging-media-in-2011/

It’s not only the so-called generation Y

Recrutement et media sociaux

Source: http://www.doppelganger.name

Your boss thinking of data privacy ?Your boss thinking of data privacy ?

Or ?Or ?

86

Remember that security of personnal data is a legal requirement...

87

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.”

C. Darwin

QUESTIONS ?QUESTIONS ?

Education

Data privacy & social media