Data privacy

From Wikipedia, the free encyclopedia

Data privacy refers to the evolving relationship between technology and the legal right to, or public expectation of, privacy in the collection and sharing of data.

Privacy concerns exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. The most common sources of data privacy issues are:

  • Health information
  • Criminal justice
  • Financial information
  • Genetic information
  • Location information
  • In some cases even ethnic or gender information

The challenge in data privacy is to share data while protecting personally identifiable information (data security). Consider the example of health data which are collected from hospitals in a district; it is standard practice to share this only in the aggregate. The idea of sharing the data in the aggregate is to ensure that only non-identifiable data are shared.
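The district health example above, worked through as an added example (not from the article): records are reduced to counts per (district, diagnosis) cell, then small cells are suppressed, since a published cell of one or two patients, or one recoverable by subtracting the other cells from a published district total, is still identifying. The records, the three-cell layout and the threshold of 3 are constructed for illustration.

```python
"""Aggregate-only release of health records with small-cell suppression.

Added example; the sample rows and MIN_CELL threshold are constructed.
"""
from collections import Counter

# Constructed sample: (district, diagnosis, number of patients). Every patient
# row also carries a direct identifier that must never leave the aggregation.
_CELLS = [("North", "influenza", 3), ("North", "hepatitis", 1), ("North", "asthma", 5),
          ("South", "influenza", 2), ("South", "hepatitis", 3), ("South", "asthma", 6)]
RECORDS = [{"patient_id": f"P{i:03d}", "district": d, "diagnosis": dx}
           for i, (d, dx) in enumerate((d, dx) for d, dx, n in _CELLS for _ in range(n))]

MIN_CELL = 3  # assumed disclosure-control threshold (hypothetical value)


def aggregate(records):
    """Count (district, diagnosis) pairs; patient_id is dropped here and nowhere else."""
    return Counter((r["district"], r["diagnosis"]) for r in records)


def suppress(counts, k=MIN_CELL):
    """Return (table, district_totals) safe to publish together.

    Primary suppression hides any cell below k.  Secondary suppression: if a
    district has exactly one hidden cell, its smallest visible cell is hidden
    too, otherwise total - (visible cells) reveals the hidden count.
    """
    table = {cell: (n if n >= k else None) for cell, n in counts.items()}
    totals = Counter()
    for (district, _), n in counts.items():
        totals[district] += n
    for district in totals:
        row = {c: v for c, v in table.items() if c[0] == district}
        hidden = [c for c, v in row.items() if v is None]
        visible = [c for c, v in row.items() if v is not None]
        if len(hidden) == 1 and visible:
            table[min(visible, key=lambda c: counts[c])] = None
    return table, dict(totals)


def publishable(records, k=MIN_CELL):
    """Aggregate then suppress: the only function whose output leaves the hospital."""
    return suppress(aggregate(records), k)


if __name__ == "__main__":
    table, totals = publishable(RECORDS)
    for cell, n in sorted(table.items()):
        print(cell, "suppressed" if n is None else n)
    print("district totals:", totals)
```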

The legal protection of the right to privacy in general and of data privacy in particular varies greatly around the world.

The Universal Declaration of Human Rights states in its article 12 that:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Increasingly, as heterogeneous information systems with different privacy rules are interconnected, technical control and logging mechanisms (policy appliances) will be required to reconcile, enforce and monitor privacy policy rules (and laws) as information is shared across systems and to ensure accountability for information use. There are several technologies to address privacy protection in enterprise IT systems. These fall into two categories: communication and enforcement.

Policy Communication
  • P3P - The Platform for Privacy Preferences. P3P is a standard for communicating privacy practices and comparing them to the preferences of individuals.
Policy Enforcement
  • XACML - The Extensible Access Control Markup Language together with its Privacy Profile is a standard for expressing privacy policies in a machine-readable language which a software system can use to enforce the policy in enterprise IT systems.
  • EPAL - The Enterprise Privacy Authorization Language is very similar to XACML, but is not yet a standard.
  • WS-Privacy - "Web Service Privacy" will be a specification for communicating privacy policy in web services. For example, it may specify how privacy policy information can be embedded in the SOAP envelope of a web service message.

Data privacy is not highly legislated or regulated in the U.S. In the United States, access to private data is culturally acceptable in many cases, such as credit reports for employment or housing purposes. Although partial regulations exist, for instance the Children's Online Privacy Protection Act and HIPAA, there is no all-encompassing law regulating the use of personal data. The culture of free speech in the U.S. may be a reason for the reluctance to trust the government to protect personal information. In the U.S. the First Amendment protects free speech, and in many instances privacy conflicts with this amendment. In many countries privacy has been used as a tool to suppress free speech.

The safe harbor arrangement was developed by the US Department of Commerce in order to provide a means for US companies to demonstrate compliance with European Commission directives and thus to simplify relations between them and European businesses.

The Supreme Court interpreted the Constitution to grant a right of privacy to individuals in Griswold v. Connecticut. Very few states, however, recognize an individual's right to privacy, a notable exception being California. An inalienable right to privacy is enshrined in the California Constitution's article 1, section 1, and the California legislature has enacted several pieces of legislation aimed at protecting this right. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect in relation to federally regulated organizations on 1 January 2001, and in relation to all other organizations on 1 January 2004. It brings Canada into compliance with the requirements of the European Commission's directive. For more information, visit the website of the Privacy Commissioner of Canada. The text of the Act may be found at [1].

The right to data privacy is heavily regulated and rigidly enforced in Europe. Article 8 of the European Convention on Human Rights (ECHR) provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. According to the Court's case law the collection of information by officials of the state about an individual without his consent always falls within the scope of Article 8. Thus, gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details of personal expenditures and implementing a system of personal identification have been judged to raise data privacy issues. Any state interference with a person's privacy is only acceptable for the Court if three conditions are fulfilled: (1) the interference is in accordance with the law, (2) pursues a legitimate goal and (3) is necessary in a democratic society. For more information, please refer to Human Rights Handbook no. 1 (PDF) or the Council of Europe data protection page.

The government is not the only entity which may pose a threat to data privacy. Other citizens, and private companies most importantly, engage in far more threatening activities, especially since the automated processing of data became widespread. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was concluded within the Council of Europe in 1981. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

As all the member states of the European Union are also signatories of the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the European Commission was concerned that diverging data protection legislation would emerge and impede the free flow of data within the EU zone. Therefore, the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data, which member states had to transpose into law by the end of 1998.

The directive contains a number of key principles which must be complied with. Anyone processing personal data must comply with the eight enforceable principles of good practice, which state that data must be:

  • Fairly and lawfully processed.
  • Processed for limited purposes.
  • Adequate, relevant and not excessive.
  • Accurate.
  • Not kept longer than necessary.
  • Processed in accordance with the data subject's rights.
  • Secure.
  • Not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'. For more details on these data principles, read the article about the directive on the protection of personal data or visit the EU data protection page.

All EU member states adopted legislation pursuant to this directive or adapted their existing laws. Each country also has its own supervisory authority to monitor the level of protection.

The US Department of Commerce created the Safe Harbor certification program in response to the 1995 Directive on Data Protection (Directive 95/46/EC) of the European Commission. Directive 95/46/EC declares in Chapter IV Article 25 that personal data may only be transferred from the countries in the EEA to countries which provide adequate privacy protection. Historically, establishing adequacy required the creation of national laws broadly equivalent to those which implemented Directive 95/46/EC in Europe. Although there are exceptions to this blanket prohibition (for example where the disclosure to a country outside the EEA is made with the consent of the relevant individual, Article 26(1)(a)), they are limited in practical scope. As a result, Article 25 created a legal risk to organisations which transfer personal data from Europe to the USA.

The Safe Harbor program addresses this issue in a unique way. The Safe Harbor is not a blanket law imposed on all organisations in the US. Rather, it is a voluntary program enforced by the FTC; US organisations which register with this program, having self-assessed their compliance with a number of standards, are "deemed adequate" for the purposes of Article 25, and personal information can be sent to such organisations from the EEA without the sender being in breach of Article 25 or its EU national equivalents. The Safe Harbor was approved as providing adequate protection for personal data, for the purposes of Article 25(6), by the European Commission on 26 July 2000 by means of decision 2000/520/EC [2]. Notwithstanding that approval, the self-assessment approach of the Safe Harbor remains controversial with a number of European privacy regulators and commentators (see for example the European Commission Staff Working Document from 20/10/2004 [3]).

The Safe Harbor is not a perfect solution to the challenges posed by Article 25. In particular, organisations adopting the Safe Harbor need to think carefully about how they will achieve compliance with the onward transfer obligations of the Safe Harbor (where personal data originating in the EU is transferred to the US Safe Harbor and then onward to a third country). The alternative compliance approach, recommended by many EU privacy regulators, of "Binding Corporate Rules" resolves this issue. In addition, any dispute arising in relation to the transfer of HR data to the US Safe Harbor must be heard by a panel of EU privacy regulators [4].

Europe

  • Council of Europe data protection page
  • EU data protection page - The European Commission provides elaborate information on the following subjects:
    • Legislative documents
    • Transposition and implementation of Directive 95/46/EC
    • European Data Protection Supervisor
    • National Data Protection Commissioners
    • Art. 29 Data protection Working Party
    • Adequacy of protection in third countries and model contracts for the transfer of personal data to third countries
    • International links