TOPIC 4: Data and Information Privacy

Introduction

The primary goal of this final topic is to facilitate a solid understanding of the basic rules for protecting privacy and personal information. The topic also seeks to illuminate issues relating to data in emerging technologies as well as data protection in research. Furthermore, this topic will impact knowledge on the relevant issues of legal policies on privacy and data protection.

Learning Objectives

Upon completion of this topic learners are expected to have developed skills and knowledge related to: Personal Information and privacy protection Issues relating to data in emerging technologies and Data protection in research Legal policies on data and privacy protection

 

4.1       Personal Information Privacy

In academic research and higher learning institutions the need for personal information privacy is of importance. Reasons being that when doing research we collect data in most cases to people and in most cases of an aspect that is confidential. It is this reason we need research clearance and an ethics declaration. But what is information privacy? As we all know, rights to information privacy is among the important civil rights. The right to privacy is characterized with the right to be alone. However, in this digital era, we can realize that privacy is no longer about being alone. Privacy is about which information is being collected and what is happening to it, having choices on how it is collected and being confident that it is secure when used. According to Ahmetoglu and Khedher (2015) the abundance of information and poor knowledge of users about privacy led results to poor use of information and hence a need of educating people about privacy issues and related risk factors become essential.

Information or data privacy underlines the relationship between data collection and dissemination, technology, public privacy expectation, as well as the political and legal issues pertaining to them. For instance, it is possible to monitor, log and record web behaviours and the patterns used by people who access the internet in emailing and general surfing among others. According to Ermakova et al (2015) and Sharari and Faqir (2014) information privacy training sessions are important for users so that can effectively use the information including in the health sector.  The widespread use of electronic communications–or eCommunications technologies in the twenty-first century is profoundly affecting how we work, play and interact with one another and as such became an integral part of our lives and make us more borderless, truly global world (Bohaker, Austin,Clement & Perrin, 2015).  Personal information privacy calls for acceptable policies need to be made available for such internet users, so that administrators of higher education institutions have a more clearly defined function in the monitoring of the internet usage. Thus Information privacy, or data privacy (also known as data protection), is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. According to

4.1.1 Personal information privacy

When it comes to personal information privacy, sets of all data that are associated with individual are concerned. This may include names, date of birth, gender, school, graduation, geographical location and so on. Thus personal information is termed as a technical or objective sense.

Personal information can either be sensitive or identifiable. When we talk of personal information are sensitive, we refers to information that some people believes that they should be kept private while identifiable information refers to any type of information that identifies or can be used to identify, contact or locate the person to whom such information relates. Identifiable information can be including but not limited to name, address, phone number, social security number and credit card information.

With the advent of computers and the advanced technology, numerous companies and institutions store a lot of information in databases containing personal data. In many institutions, this technology can be used to understand and perform ways that improve student achievement, community engagement, and institution accountability. Despite these benefits, Technology can present several drawbacks, and one of drawback being the challenge of data and information privacy. This concern can raise fears, especially in areas of infringement to student records. We might have seen the increasing data infringement incidents which illustrate that colleges and universities are highly susceptible to compromising information. Thus, these institutions need to implement measures to counter privacy threats, either by implementing security policy, updating systems as technology changes or offering computer security training to their personnel among others.

 

 

Activity 4.1

Objective (AIM): To familiarise yourself with privacy and personal information security in social media. Motivation (WHY): To be aware of the need for privacy and personal information security. WHO: You may take this activity individually or in groups Resources: A PC connected to the internet, Facebook, LinkedIn, Google Tool: Discussion forum Duration: 60 minutes Activity: WHAT: Investigate the privacy and personal information security of an application such as Facebook, LinkedIn, Google or any other you like to use. Capture findings in a document, and then share them with the group by attaching the document to the forum post.  HOW:  Contribute your group's responses through the discussion forum. Although only 1 person will submit the response, make sure that you include the names of ALL the group members at the top of your assignment. FEEDBACK: Read at least two posts given by other contributors and comment on their findings.

 

 

 

4.1.2 Protecting personal information

So far we have understood the meaning of personal information and its privacy. It’s high time now to know how we can protect them. There are key procedures and strategies that a person can take in order to protect personal information and satisfy the security obligations of the privacy. These procedures and strategies may vary in its implementation and the impact they have on users. Individuals have to consider taking a privacy impact assessment and information security risk for new acts and practices, or changes in existing acts or practices that involve handling of personal information. The following strategies are some of the recommended security measures:

 

Governance

Entities need to establish clear procedures and lines of authority for decisions regarding information security within an organization. They should have a governing body, committee or designated people/s that are responsible for managing the individual’s personal information to ensure its integrity, security and accessibility, including defining information security measures and plans to implement and maintain those measures.

 

Data infringements

A data infringement is a situation from which sensitive, protected or confidential information is potentially being viewed, stolen or used by an unauthorized individual. Data infringement can involve personal health information (PHI), personally identifiable information (PII), trade secrets or even intellectual property. When data infringement occurs, having a response plan that includes procedures and clear lines of authority will be of great help for individuals to control the infringements and manage their responses.

Physical security

Another protective measure is by controlling the physical security. Physical security is very important in ensuring that personal information is not accessed inappropriately. Entities need to consider which steps are necessary to ensure that physical copies of personal information are secure. It is advised that workspace itself needs to be designed to facilitate good privacy practices. For example, security and alarm systems can be used to control entry to the workplace or it is possible to access individuals’ movements from access log. Computer screens need not to be easily read by third parties. Employees working on sensitive matters need to have secure and private working space. Also the movements of physical files containing personal information need to have provision for securing them as well as all files are placed in a lockable cabinet and access to keys need to be controlled.

Personnel security and training

It is very important for Organization’s staff members to know the importance of good information handling and security practices. Training of staff is needed to avoid practices that can infringe the individual’s privacy. Staff should get training regarding ICT and communications security for such an Institution. They should also be informed of changes to policy and procedures or other workplace security requirements. Privacy training generally helps staff to avoid practices that would infringe the entity’s privacy obligations by ensuring that they understand their responsibilities.

 

Workplace policies

Information privacy protection can be very effective if they are integrated within workplace policies. Policies need to be regularly regulated to ensure that they are effective and in line with the current privacy situation. Information security and handling of the personal information document need to be addressed in a single policy document and management should ensure that staffs are trained regarding their responsibilities. Management should have a clear policy that covers information security guidelines when staff members work off-site, such as from home, a secondary site office or from a temporary office.

 

Managing the information life cycle

Information life cycle is a process through which every written or computerized record goes through from its creation to its final archiving or destruction. Individuals who handle information need to ensure that such information is not inappropriately used or disclosed during its lifecycle. This may include ensuring that personal information does not mistakenly disclose to the incorrect individual or not lost and is disposed of appropriately when it is no longer required.

Some policies may require personal information to be retained for a specified period of time. Likewise, individuals that surpass personal information to a third party for storage; processing or destruction need to consider what steps are required to ensure that the third party will protect that information. Policies should reveal what processes the entity uses to identify customers or clients prior to disclosing their personal information by phone or in person. This may include measures that the entity can take to ensure the verification processes do not infringe the client’s privacy and emails containing personal information are sent to the intended recipient. Furthermore, measures taken during system upgrade, disaster recovery and system’ backups should be outlined in the policy document.

 

Standards

Standards are documents that set out specifications and procedures designed to ensure products, services and systems are safe, reliable and consistently perform the way they are intended to. Standards may be general or specific to particular industries or sectors. Examples include ISO 27000 series of information security management systems standards and ISO 31000 of risk management standards. Adopting a standard is one way that individuals can gain some confidence regarding their security practices. However, complying with a standard does not release the entity to take further steps to protect its holdings of personal information.

Regular monitoring and review

Regular review of information security measures is very important due to the fact that entity’s processes, information, personnel, applications, infrastructure, as well as changing of technology and security risk settings regularly keep on changing. Entities should regularly monitor and review the operation and effectiveness of its information security measures

4.1.3    ICT security

In the era of developing the use of ICT, a number of issues in education need to be changed including in the teaching and learning process. This then poses challenges in security and whether academicians can be able to ensure safe use of ICT in teaching (Miron & Ravid, 2015). When it comes to ICT security, individuals require protecting both the physical devices that make up a computer system (computer hardware) as well as the information that the computer hardware holds from unauthorised use, access, theft or damage. However, ICT security measures should also ensure that the hardware and the information stored on it remain accessible and useful to legitimate users. It is advisable to consider ICT security measures and the protection of personal information to be a part of the decision whether to use, purchase, build or upgrade ICT systems rather than addressing it after a privacy infringement has occurred. Entities who provide online customer services or engage in electronic commerce, such as online retail businesses are advised to utilise ICT security measures to ensure that their website, along with smart phones, apps, terminals, kiosks and other environments that are connected to a network are secure and that they provide a safe environment for individuals to make payments or provide their banking and personal information.

Implementing ICT security procedures help individuals to protect themselves against malicious hackers, computer viruses and other harmful programs as well as the damage caused by them. These programs are being used to gain unauthorised access to computer systems and disrupt their operations or steal any stored personal information. Furthermore, ICT security can also protect information against unauthorised use or disclosure as a result of human error, hardware or software malfunction, power failure and natural disasters.

Activity 4.2

Objective (AIM): To familiarise yourself with the importance of security measures when processing and using information. Motivation (WHY): To become aware of the available security measures in a fast changing Information and Communication Technology environment. WHO:  This activity should be done individually. Resources:  A computer connected to the internet Tool:    Discussion Forum Duration:  60 minutes Activity:  WHAT TO DO: Open the browser and search for information related to information security measures and security risks. Discuss how information security affects the community. Describe reasons for protecting data and information. Explain how can information be stored. HOW: Contribute your  responses through the discussion forum. FEEDBACK: After you finish this activity you need to respond to other member’s in a discussion forum. Respond to each other’s contribution Take notes of responses to your own post Assessment:  Completion of this activity will count towards your course portfolio

 

 

4.2       Data and emerging technologies

In the previous section we have seen various strategies for protecting personal information within Organizations. We have seen that when we determine the appropriate steps to protect personal information, we need to consider the ways in which we handle this information. In this part we are going to see various Data handling practices when dealing with emerging technologies

Data handling practices

Data handling practices consider how personal information is being collected, processed and stored. An entity should also consider whether it outsources any of its data handling to a third party. If he/she outsources data handling to a third party, there is a need of considering how the third party handles and secures that information.

When outsourcing information, an appropriate steps need to be taken to ensure third parties meet the personnel’s Privacy obligations. These steps may include having specific obligations about the handling of personal information on contracts and mechanisms to ensure that such obligations are being fulfilled. These can be such as regular reporting requirements and conducting inspections of the third party’s facilities. Similarly, it is reasonable for such units that store personal information remotely, such as with cloud computing services may be located overseas; taking consideration for different steps from or additional steps to a unit that stores information on its own facilities.

Technologies are used in teaching and learning, thus a need to have the skills to ensure data are carefully handled (Miron, & Ravid, 2015; Jung & Rader, 2016). The digital nature of learning in higher education institutions makes data more susceptible to various forms of academic dishonesty. Therefore, data privacy has become a major concern and must be taken into consideration, especially when planning for an online education.

4.3       Data protection in research

Research is among the core functions of any Academic institution. Within disciplines such as education, Sciences, and health, research often entails the processing of personal data, including sensitive personal data. There may also be a situation when the University is involved in international research that may involve the transfer of personal data overseas through the internet. This section discusses the use of information and communication technologies in academic institutions including public and private sectors and the information privacy law as a response.

Research on ICT environment

One of the major concerns about data privacy revolves around the protection of data in research. We can all acknowledge that any academic research involves the disclosure of private and otherwise confidential information. Such information is used in examining varied aspects of the society so as to have a better understanding of the same. However, the advent of technology, while having increased effectiveness in collection, storage and retrieval of such data, has also resulted in higher susceptibility of such information. In most cases, such data falls in the wrong hands as a result of carelessness, while there are instances where hackers attack the institutions’ data systems.

We can see that recent advances in technology and telecommunications have significantly changed the background of education in the world. Nowadays textbooks, photocopies, and filmstrips supplied with the entire educational content to a classroom full of students have gone leaving everything being placed online. Early adopters of these technologies have demonstrated their potential to transform the educational process, but they have also called attention to possible challenges. In particular, the information sharing, web-hosting, and telecommunication innovations has enabled these new educational technologies to raise questions about how best we can protect researcher’s privacy during use.

Online publication

Making publications available electronically is hotly becoming a debate. The introduction of the internet and mobile technology has greatly revolutionized the formal traditional industry. Many Organizations are now evaluating whether they need to take their publications online, keep them in print or the combination of two. To understand who has something to gain or lose by adapting to online publication, it is necessary to understand the roles involved in the publication and the social infrastructure that are affected by changing publishing approaches.

 

1. The Infrastructure of publication

The publication process normally involves one or more of the following groups;

• Authors
• Publishers
• Third party institutions
• Users

When considering traditional publishing, the publishers serve as truthful brokers between authors who wish to disseminate their thoughts, ideas and knowledge and the users of those works (readers; learners; in general, interested parties). Third party institutions include the schools, professional organizations, research labs and companies with whom these authors are affiliated.

The emergence of the internet, especially web seems to be now challenging the relationships that existed between these parties. We can recall that, previously publishers provided peer reviewed materials of the authors they would like to publish. The author’s peers in their respective discipline were recruited without pay, no cost, but through a reward system with the Institute they are affiliated to. This process has resulted in delay for publication of new findings, hence the rapid information sharing is compromised. However the integrity of this process is being assured. With the evolution of the internet and use of the web, authors can now publish their findings immediately; however the legitimacy needed by the third party institutions and the general audience of users is still a challenge. To fight against the failure of online publications, publishers need to maintain all aspects of traditional print publications.

1. The role of copyright

You can recall what we have discussed about copyright issues and its infringements from topic two of this module. Now let us see the role of copyright when it comes to online publications.

Copyright issues seem to be challenging when considering the world of online publishing. Copyright law is the concept that the authors own the materials they have invented in any tangible medium of expression from which it can be perceived, reproduced, or communicated either directly or with the aid of a machine or device. However, when considering online publication, this law seems to be missing. The ease with which authors can put their inventions online and share with others can be crashed with the rights emphasized by publishers. The issue is publishers cannot control the remunerative compensation of those bits travelling to all parts of the world. Now to retain control the licensing and ownership of content by publishers is widely increasing. In 2001, Creative Commons was founded with the intention of making online information more easily accessible. Creative Commons have developed a set of machine-readable licenses that authors can use to share their inventions. Also Creative Commons provides a means for authors to contribute their inventions to the public domain. When the copyright is donated to the public, no license is being involved.

1. Collaboration in Research work

We can recall the traditional publication process could not easily support authors with the same research interests to share their work together in publishing their knowledge. Due to vast changes in technology, nowadays it has become very common for researchers to work with each other across institutions and geographic boundaries. This is among the advantages of online publication over print-based as authors can share their knowledge freely, allowing their invention discussed, given comments, reworked and re-published. Sharing of knowledge can result in new research ideas, hypothesis, and even advancement of knowledge.

Another advantage is that, as authors can communicate online, it is possible for them to communicate more effectively by incorporating images, simulations, audio and videos, hence make their findings more interesting and best delivered to the interested parties. This type of communication provides a more interactive environment which not only convey knowledge in new and exciting, but also demoralizing publishers with old styled publishing techniques. Furthermore, online publication or “web of collaboration” can allow author’s inventions be linked with other resources that help them to further explain the message they wish to convey. Now days there are different forms of online publication with interactive dialog parts which allow users to provide feedback.

1. Protecting online content

Now we have seen the infrastructure, copyright and collaboration issues of online publication; there might raise a question “How can we protect the online publications from an unauthorised access?” The answer is simply protecting the web page by using “encryption” (converting data into a certain form that cannot easily be understood by unauthorised people) and passwords. The website owner can prevent users from downloading, copying, forwarding or even printing the content. The content can be encrypted and can be viewed only if accessed from the authorized servers.

4.4       Legal policies on data and privacy protection on academic

In the previous sections we have discussed personal information and data protection with the issues raised by emerging technologies. We have also discussed about the information and communication technology issues in research. Let us now see the legal policies on data and its privacy protection.

Data Protection Act

The data protection act is a policy which gives the right of access to the data which Organization’s hold about an author and specifies how these data can be gathered, used and disseminated. The policy can explain how a user can request an access to any personal data which an Act holds about an author, including the form which should be used when submitting an access request. It further binds on all staff and students, and specifies the steps taken necessary to conform to the requirements of the data protection act. If someone is transferring personal data to a third party, who is going to process it, then a data processing agreement must be in place. This agreement should set out the terms of service between both parties, and an act that will comply with data protection law.

The Data Protection Act also can prohibit the transfer of personal information from one country to another, unless those countries to ensure the same level of protection. For instance, if the use of data in a research project is linked to another individual who is in the upcountry, then the data protection act should be adhered. However, some of data protection principals can be exempted in case of the following;

The information is being used exclusively for research purposes and no other use. This type of data can be statistical or historical

• The information being used is not for supporting measures or decisions relating to any identifiable living individual
• The information being used is not going to cause, or likely to cause substantial damage or distress to any subject matter

Normally, if any, research activity meets the above conditions, then the personal data may be used for a new purpose, or be kept for a research purpose.

Data processing

When processing personal data, a University must do so in accordance with its data protection Principles. Generally, data must be fairly and lawfully processed, processed for limited purposes, adequate, relevant and not excessive, accurate, not kept for longer than is necessary, processed in line with author’s rights, secure and not transferred to countries without adequate protection.

The University may have data or information from individuals and sometimes may contain a listing of authorised recipients of the data concerned. These are the individuals and bodies to which, if appropriate, the University may disclose this data within the terms of their registration. This does not mean that these authorised recipients have an automatic right to disclose them. For example, when the information requested contains sensitive or personal material relating to another individual whose own rights must be protected under the Act.

Activity 4.3

Objective (AIM): To familiarise yourself with data protection policies when processing student’s personal data in academic institutions Motivation (WHY): To be aware of policies that protect student’s personal data and academic creations. WHO: You may take this activity individually on in groups. Resources: A PC connected to the internet Tool: Discussion forum. Duration: 60 minutes. Activity: WHAT: The central legal pre-condition for processing student’s creation is and ought to be obtaining the student’s authority with respect to the processing. Prepare a discussion document of two pages Identify and discuss the data protection measures for online publications as described in data protection act of the institution or at the national or international level. Prepare a discussion document of two pages. HOW:  Contribute your group's responses by attaching your documents to your post in the discussion forum. Although only 1 person will submit the response, make sure that you include the names of ALL the group members at the top of your assignment. FEEDBACK: Read at least two posts given by other contributors and comments on their findings

 

Summary

We have seen that, information privacy is among the important aspects to deal with when we consider academic discipline. The challenge is when the internet can be used as a tool for fabrication and falsification of data and information. However, protecting data privacy and ensuring confidentiality is a relevant issue in addressing data storage, and it should always be put into consideration. Higher education institutions should focus on storage, security and plagiarism as it is crucial to maintaining data and information privacy, as well as, the integrity of intellectual property and academic authenticity. Thus, preserving the integrity of the institution and publishers should act as a central part in ensuring their success and longevity of institutions. We have also seen that by using the internet, authors and users are gaining the benefits of freely sharing their knowledge, hence realize the effectiveness of learning experience when the knowledge is designed for the need of users.

 

Review Questions

Based on the Data Protection Act of your country, do parents have a right to see information relating to their children when it is held by an organisation? Give reasons for your answer In the context of the Data Protection Act of your country, can the police request and expect to receive information from an organisation about a suspect in a burglary? What should an organisation consider under the Act when it receives such a request from the Police? A recruitment company has decided to outsource its payroll function to another company. What are the main implications of this decision? A company selling personal life insurance products wants to increase business through marketing both existing and potential new customers by telephone and fax. What are the main implications of this marketing strategy under the Privacy of Electronic Communications Regulations? The School is considering commissioning a survey of its students. The survey data will be gathered and analysed by an external contractor. Certain data will need to be transferred to the survey contractor to carry out the survey (assume that it is a web based survey which will be publicized by email: the contractor will get students’ names, email addresses and certain demographic information to allow the data to be analysed, e.g. by sex and nationality). Assume that two companies are in an argument, one in Tanzania and the other in South Africa. What are the Data Protection issues that we would need to consider in order to do this legally?

 

Topic Four Reflection

Please use the MOODLE course blog facility to reflect on the following questions on this topic (Time 30 minutes).

• What have you learned in this topic and how it will assist you in preserving your data and information privacy?
• How do data and information privacy affect academic, social and business-related activities of an individual and society at large?
• How is data and information privacy practiced in your institution, academic work and work life?

 

References

Ahmetoglu, S. & Khedher, A. (2015). How Technology Affected Our Privacy, International Journal of Science and Research (IJSR) 4 (12), 406-410 Bohaker, H.,Austin, L.,Clement, A. & Perrin, S. (2015)SEEING THROUGH THE CLOUD: National Jurisdiction and Location of Data, Servers, and Networks Still Matter in a Digitally Interconnected World, Toronto: The University of Toronto Boyle, J. (2003). "The Second Enclosure Movement and the Construction of the Public Domain”. Law & Contemporary Problems, 63 (33), 33-74. Retrieved from <http://www.law.duke.edu/pd/papers/boyle.pdf> on 13th December, 2015. Clement, A. & Obar, J. (2014) Keeping internet users in the know or in the dark: A report on the data privacy, transparency of Canadian internet service providers, Toronto: The University of Toronto Ermakova, T., Fabian, B., Kelkel, S., Wolff, T., & Zarnekow, R. (2015). Antecedents of Health Information Privacy Concerns. Procedia Computer Science, 63, 376-383. Forest, J. J. (2002). Higher Education in the United States. A-L. Santa Barbara, Calif.: ABC-CLIO. Jung, Y & Rader, E. (2016). The Imagined Audience and Privacy Concern on Facebook: Differences Between Producers and Consumers, Social Media + Society April-June: 1–15 https://bitlab.cas.msu.edu/papers/SocialMedia+Society-2016-Jung-Rader.pdf Retrieved 7.8.2016 Miron, E., & Ravid, G. (2015). Facebook Groups as an Academic Teaching Aid: Case Study and Recommendations for Educators. Educational Technology & Society, 18 (4), 371–384. Sharari, S., & Faqir, R. S. A. (2014). Protection of Individual Privacy under the Continental and Anglo-Saxon Systems: Legal and Criminal Aspects. Beijing Law Review, 5, 184-195. http://dx.doi.org/10.4236/blr.2014.53018