General Principles for Privacy Protection in Information Systems


Fair Information Practice Principles

  • Organizations can use the fair information practice principles to help define the best way to approach privacy

Data Life Cycle Management Principles

  • Many information system activities impact personal data privacy
  • Data collection, storage, use, retention, and destruction practices must be reviewed to make sure that privacy is ensured at each stage in the data life cycle

Data Life Cycle

  • Data collection
    • organizations must clearly state the types of data that they need to collect
    • must determine how they are going to collect data from their customers
    • active data collection practices should be used
      • obvious to the customer
      • e.g., use of web-based forms clearly indicates to a customer that data collection activities are taking place
    • avoid passive data collection methods
      • data collected without the customer's knowledge
        • e.g., cookies and web beacons
  • Data use
    • use the data collected only in ways that the customer has approved
    • configure systems so that the collected data is available only for its approved use
    • make sure that only authorized individuals have access to the data
    • data must not be disclosed to employees who have no business need for it
    • data must not be altered as it is processed in the system
      • include system checks that verify that the personal data collected remains accurate
  • Data storage
    • personal data must be stored securely to protect it from disclosure
      • e.g., encryption
  • Data retention
    • retain personal data only as long as it is needed
  • Data destruction
    • dispose of the data when the retention period expires
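The life-cycle rules above can be enforced in code rather than left to procedure. The following is an added example, not part of the original notes: a small in-memory store that collects only declared fields, releases data only for a customer-approved purpose to a role with a business need, verifies that the stored data has not changed since collection (an HMAC tag stands in for the "system check" on accuracy), and destroys records whose retention period has passed. The field list, role table, key and sample record are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# --- Constructed sample policy (illustrative, not from the notes) ------------
# Data collection: the data types the organization has stated it needs.
DECLARED_FIELDS = {"name", "email", "shipping_address"}
# Data use: which roles have a business need for each approved purpose.
ROLES_WITH_BUSINESS_NEED = {
    "order_fulfilment": {"shipping_clerk"},
    "support": {"support_agent"},
}
# Key for the integrity tag; placeholder only, a real system loads a managed secret.
INTEGRITY_KEY = b"constructed-demo-key"


class PrivacyViolation(Exception):
    """Raised when an operation would break one of the life-cycle rules."""


@dataclass
class Record:
    subject_id: str
    data: dict
    purposes: frozenset           # purposes the customer approved at collection
    collected_at: datetime
    retention: timedelta          # how long the data may be kept
    tag: str = field(init=False)  # HMAC over the data, used for the accuracy check

    def __post_init__(self) -> None:
        self.tag = self._compute_tag()

    def _compute_tag(self) -> str:
        payload = json.dumps(self.data, sort_keys=True).encode()
        return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()

    def verify(self) -> bool:
        """System check: the personal data has not changed since collection."""
        return hmac.compare_digest(self.tag, self._compute_tag())

    def is_expired(self, now: datetime) -> bool:
        return now >= self.collected_at + self.retention


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    def collect(self, subject_id: str, data: dict, purposes: set[str],
                now: datetime, retention: timedelta) -> Record:
        # Collect only the data types the organization declared it needs.
        undeclared = set(data) - DECLARED_FIELDS
        if undeclared:
            raise PrivacyViolation(f"undeclared fields collected: {sorted(undeclared)}")
        rec = Record(subject_id, dict(data), frozenset(purposes), now, retention)
        self._records[subject_id] = rec
        return rec

    def use(self, subject_id: str, purpose: str, role: str, now: datetime) -> dict:
        rec = self._records[subject_id]
        if rec.is_expired(now):
            raise PrivacyViolation("retention period has expired")
        if purpose not in rec.purposes:
            raise PrivacyViolation(f"purpose {purpose!r} was not approved by the customer")
        if role not in ROLES_WITH_BUSINESS_NEED.get(purpose, set()):
            raise PrivacyViolation(f"role {role!r} has no business need for {purpose!r}")
        if not rec.verify():
            raise PrivacyViolation("integrity check failed: data changed since collection")
        return dict(rec.data)  # copy, so callers cannot mutate the stored record

    def destroy_expired(self, now: datetime) -> list[str]:
        """Data destruction: remove every record whose retention period has passed."""
        expired = [sid for sid, rec in self._records.items() if rec.is_expired(now)]
        for sid in expired:
            del self._records[sid]
        return expired

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk one constructed record through the life cycle and report each outcome."""
    store = PersonalDataStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    results = {}
    rec = store.collect("cust-1", {"name": "A. Example", "email": "a@example.invalid",
                                   "shipping_address": "1 Sample St"},
                        {"order_fulfilment"}, t0, timedelta(days=30))
    results["approved_use"] = store.use("cust-1", "order_fulfilment", "shipping_clerk", t0)["name"]
    attempts = {
        "unapproved_purpose": ("cust-1", "support", "support_agent", t0),
        "no_business_need": ("cust-1", "order_fulfilment", "support_agent", t0),
        "after_expiry": ("cust-1", "order_fulfilment", "shipping_clerk", t0 + timedelta(days=30)),
    }
    for label, args in attempts.items():
        try:
            store.use(*args)
            results[label] = "allowed"
        except PrivacyViolation:
            results[label] = "blocked"
    rec.data["shipping_address"] = "altered"  # simulate silent corruption of stored data
    results["integrity_ok"] = rec.verify()
    results["destroyed"] = store.destroy_expired(t0 + timedelta(days=31))
    results["remaining"] = store.count()
    return results


if __name__ == "__main__":
    print(demo())
```

Each check maps to one bullet in the outline: `collect` enforces the declared data types, `use` enforces approved purpose, business need, integrity and retention, and `destroy_expired` carries out disposal once the retention period has passed. The integrity tag is keyed so that a change to the stored data cannot be hidden by recomputing an unkeyed hash.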

Privacy Policies

  • Organizations that collect personal data from customers should develop a privacy policy
    • clearly explains:
      • all the protections the organization uses at each stage in the data life cycle
      • the organization's personal data collection practices
      • how the organization uses the data that it collects
    • manages the privacy expectations of customers and the security obligations of the organization

International Privacy Laws

  • United States does not have a comprehensive data privacy law
  • European nations recognize privacy as a basic human right
  • European Union’s (E.U.) General Data Protection Regulation (GDPR) is a revolutionary and comprehensive data privacy law
    • approved in 2016 and came into force in May 2018
    • sets limits on the collection and use of personal data belonging to an E.U. data subject
    • grants significant rights to E.U. data subjects
      • right to be forgotten
        • data subjects can request that organizations permanently delete the data subject’s personal information
    • revolutionary because it attempts to regulate organizations outside of the E.U. that collect the data of E.U. data subjects
    • organizations located in the E.U. must comply with the GDPR
    • organizations that offer goods or services to people in the E.U. or that collect data on people located in the E.U. also must follow the law
      • even if the organization is not located in the E.U.