Achieving Ethical Protection of Data Privacy

Author: Wanbil W. Lee, DBA, FBCS, FHKCS, FHKIE, FIMA, Wolfgang Zankl, Ph.D. and Henry Chang, CISM, CIPT, CISSP, DBA, FBCS
Date Published: 12 March 2024

Adherence to data privacy protection standards is of the utmost importance to cyberprofessionals. In today’s technology-driven, information-intensive landscape, the information security function is made more complicated by new sources of sociotechnology risk. Compounding this effect is that privacy infringement has become commonplace in media coverage, emphasizing the importance of data privacy protection to information security personnel.

However, the problem of data privacy is not unsolvable. A composite approach can be used, one that takes into consideration the tangible physical and financial conditions and intangible measures against logical loopholes, ethical violations, and social desirability.

Defining Data Privacy

Data privacy (i.e., information privacy, data protection) is about access, use and collection of data, and the data subject’s legal right to the data. This refers to:

  • Freedom from unauthorized access to private data
  • Inappropriate use of data
  • Accuracy and completeness when collecting data about a person or persons (organizations included) by technology
  • Availability of data content, and the data subject’s legal right to access; ownership
  • The rights to inspect, update or correct these data

Data privacy is also concerned with the costs if data privacy is breached, and such costs include the so-called hard costs (e.g., financial penalties imposed by regulators, compensation payments in lawsuits such as noncompliance with contractual principles) and the soft costs (e.g., reputational damage, loss of client trust).

Data privacy, trust and security are closely intertwined, as are law and ethics. Viewing privacy from the perspective of ethics can help enterprises establish and improve their code of conduct. Considering privacy from an ethical point of view and establishing a code of conduct makes all individuals in an organization, not only security personnel, accountable for protecting valuable data.

Achieving Data Privacy (Ethically)

Data privacy can be achieved through technical and social solutions. Technical solutions include safeguarding data from unauthorized or accidental access or loss. Social solutions include creating acceptability and awareness among customers about whether and how their data are being used, and doing so in a transparent and confidential way. Employees must commit to complying with organizational privacy rules, and organizations should instruct staff in how to actively avoid activities that may compromise privacy.

Next to technical and social solutions, the third element of achieving privacy is complying with data protection laws and regulations, which presents 2 issues. The first concern is that legal regulation is slow and, thus, unable to keep up with the rapid developments of information technology. Legal solutions are usually at least one step behind technological developments. Data privacy by electronic means should, therefore, be based not only on traditional jurisdiction, but also on soft law (i.e., self-binding policies such as existing data privacy principles). Soft law may be more effective than hard law. The reactions of disappointed customers and the fact that noncompliance with enterprise governance may result in unfair competition and/or liability toward affected customers are often more effective than mere fines or penalties.

The second problem with data protection has to do with the fact that many regulations are not internationally harmonized, causing severe complications (especially between the European Union and the United States) on a cross-border basis, which is the rule rather than the exception in modern business. To make data privacy rules work in a global environment, the principles outlined in this article consider US standards (e.g., the US Federal Trade Commission’s Fair Information Practice Principles [FIPPs]¹), European standards (e.g., Data Protection Directive 95/46/EC² and the General Data Protection Regulation [GDPR]³), Asian regulations (e.g., Hong Kong Personal Data Privacy Ordinance [PDPO]⁴) and international benchmarks (e.g., the Organization for Economic Co-operation and Development [OECD] Privacy Framework Basic Principles⁵).

The International Data Privacy Principles (IDPPs)⁶ approach takes into consideration the Asian, European, US and international data protection standards and focuses on personal data, but can also apply to enterprise data. These principles suggest that the 3 parameters (payment, consent, data category) should be balanced and combined with the previously mentioned Asian, European, US and international standards, putting them into a set of privacy rules. Organizations in compliance with international data privacy standards should commit to the following 13 IDPPs:⁷

  1. Comply with national data protection or privacy law, national contract law, and other legal requirements or regulations relating to data privacy.
  2. Comply with current security standards to protect stored personal data from illegitimate or unauthorized access or from accidental access, processing, erasure, loss or use.
  3. Implement an easily perceptible, accessible and comprehensible privacy policy with information on who is in charge of data privacy and how this person can be individually contacted, why and which personal data are collected, how these data are used, who will receive these data, how long these data are stored, and whether and which data will be deleted or rectified upon request.
  4. Instruct employees to comply with such privacy policies and avoid activities that enable or facilitate illegitimate or unauthorized access in terms of IDPPs.
  5. Do not use or divulge any customer data (except for statistical analysis and when the customer’s identity remains anonymous), unless the company is obliged to do so by law or the customer agrees to such use or circulation.
  6. Do not collect customer data if such collection is unnecessary or excessive.
  7. Use or divulge customer data in a fair way and only for a purpose related to activities of the company.
  8. Do not outsource customer data to third parties unless they also comply with standards comparable to these IDPPs.
  9. Announce data breaches relating to sensitive data.
  10. Do not keep personal data for longer than necessary.
  11. Do not transfer personal data to countries with inadequate or unknown data protection standards unless the customer is informed about these standards being inadequate or unknown and agrees to such a transfer.
  12. In the case of a contract between the company and the customer in which the customer commits to pay for services or goods:
    • Inform the customer individually and as soon as reasonably possible in the event of a data breach.
    • Inform the customer upon request about which specific data are stored, and delete such data upon request unless applicable laws or regulations require the company to continue storing such data.
    • Do not use or divulge content-related personal data.
    • Do not use or divulge any other personal data without the customer’s explicit, separate and individual consent.
    • Do not store, use or divulge any customer data, unless applicable laws or regulations require the company to continue storing such data.
  13. In the absence of a contract between the company and the customer in which the customer commits to pay for services or goods:
    • Inform the customer as soon as reasonably possible in the event of data breaches.
    • Inform the customer upon request what types of sensitive data are stored and delete such data upon request when such data are outdated, unless applicable laws or regulations require the company to continue storing such data.
    • Do not use or divulge sensitive data without the customer’s explicit, separate and individual consent.

Conclusion

Though cultural differences may make it challenging to define a stable, universal value of privacy, broad consensus has been reached that privacy has intrinsic, core and social value. Trust is disturbed when privacy is breached, and security runs the risk of being diluted or lost altogether. Hence, a privacy approach that embraces the law, ethical principles, and societal and environmental concerns is critical, despite the complexity of and difficulty in upholding data privacy.

Trust is the foundation of privacy and security preservation. A violation of privacy constitutes a risk, and thus, a threat to security. Information protection is an essential information security function, and as such, strategies must be developed and implemented to ensure that data privacy policies, standards, guidelines and processes are appropriately enhanced, communicated and complied with, and that effective mitigation measures are implemented.

Editor’s Note

This is excerpted from an article that was published in the ISACA® Journal. Read the full article, “An Ethical Approach to Data Privacy Protection,” in vol. 6, 2016, of the ISACA Journal.

Endnotes

1 Federal Privacy Council, “Fair Information Practice Principles (FIPPs),” USA
2 EUR-Lex, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, European Union
3 Gdpr-info.eu, General Data Protection Regulation, European Union
4 Office of the Privacy Commissioner for Personal Data, The Personal Data (Privacy) Ordinance, Hong Kong, 2021
5 Oecdprivacy.org, OECD Privacy Principles, 2010
6 Zankl, W.; The International Data Privacy Principles, presented at Harvard University, Cambridge, Massachusetts, USA, October 2014
7 Ibid.

Wanbil W. Lee, DBA

Is a cyberethics evangelist. He is president and founder of the Computer Ethics Society and is principal of Wanbil and Associates. He has five decades of experience in computing. He teaches information security and cyberethics to under- and postgraduate students, and he researches, consults and publishes in these areas. He has written more than 100 journal articles and conference papers.

Wolfgang Zankl, Ph.D.

Is a professor of private and comparative law at the University of Vienna (Austria). He founded and runs the European Center for E-commerce and Internet Law and is a board member of The Computer Ethics Society.

Henry Chang, CISM, CIPT, CISSP, DBA

Is an adjunct associate professor at the Law and Technology Centre, the University of Hong Kong. His research interests are in technological impact on privacy, accountability and Asia privacy laws.
