Personal information security in Europe
Rapporteur: Hessam Karbasian. Like most people in Europe, you probably spend many hours of your day surfing the internet. It is interesting to note that young people under 24 spend even more time online.
Have you ever asked yourself where the information you put into this virtual space is sent? How long is it stored on the server? Who can access it: private companies, hackers, governments? And on what basis should these parties be granted access to it?
In Europe in particular, there is a clear constitutional and legal framework for the protection of this information online.
Rules and regulations to ensure the security of personal information have been developed and will take effect in May 2018. They apply regardless of whether the data are confidential or not, where they are sent, or what processing is done on them, even outside the European Union.
The Organization for Security and Co-operation in Europe (OSCE) is the world's largest security-oriented intergovernmental organization. Its mandate includes issues such as arms control and the promotion of human rights, freedom of the press and fair elections. It employs around 3,460 people, mostly in its field operations but also in its secretariat in Vienna, Austria and its institutions. It has its origins in the 1975 Conference on Security and Co-operation in Europe (CSCE) held in Helsinki, Finland.
The OSCE is concerned with early warning, conflict prevention, crisis management, and post-conflict rehabilitation. Its 57 participating states are located in Europe, northern and central Asia and North America and cover much of the land area of the Northern Hemisphere. It was created during the Cold War era as an East–West forum.
How a Spanish man took on Google over privacy concerns and won
Another landmark improvement will be the right to be forgotten. You will have the right to ask internet companies to delete inaccurate or obsolete content about you. This particular right we owe to a Spanish citizen who relentlessly battled the US giant Google over damaging personal information that kept popping up on the search engine.
The ‘Snoopers’ Charter’: Assessing Britain’s new mass surveillance powers
Not everything is fine and dandy when it comes to online privacy in Europe. Increasingly hit or threatened by terrorism, European governments have toughened their surveillance laws.
Fourteen nations – among them France, the UK, Germany and Poland – have been singled out by Amnesty International for allowing the mass interception of – and possible access to – the data of millions of people. Our reporter Valerie Gauriat travelled to the UK, where a law with sweeping surveillance powers came into force late last year, drawing a strong rebuke from the European Court of Justice.
Your data protection rights in Europe with Jan Philipp Albrecht MEP
Finally, to further discuss data protection, Insiders spoke with Jan Philipp Albrecht MEP, who also serves as rapporteur for the EU’s general data protection regulation.
Everyone has the right to the protection of personal data.
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.
Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.
Therefore, common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU.
The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.
In light of current and evolving technologies, electronic data privacy is a global issue and there is a growing public concern surrounding the infringement of personal privacy rights and information security in the way data are transmitted, stored and used across borders on the Internet and with wireless devices (e.g., mobile phones, interactive TV, global positioning systems [GPSs]). The concern is that the electronic data that are captured from these sources can be used for unintended purposes to the detriment of the individuals using the services. Based on research performed by the Ponemon Institute, it appears that mobile devices, coupled with ubiquitous access to sensitive personal data, present a significant risk to the invasion of privacy in the digital landscape. This article explores the threats as well as the policy measures that are universally applied to protect users’ data from privacy infringement.
What Types of Personal Data are at Risk?
Examples of personal data at risk include, but are not limited to, name, date of birth, home address, telephone number, ethnic group, sexual orientation, political affiliations, religion, social security number, driver’s permit number, identification numbers for various systems, customer credit information, medical information on applicants for jobs, qualifications and experience, employee performance appraisals, Internet browsing history, and emails.
Privacy Rights Clearinghouse describes incidents of personal data security breaches in organizations between 2005 and 2012 as a result of:
- Unintended disclosure—Information inadvertently sent to the wrong parties
- Insider information—Data deliberately leaked from persons with legitimate access
- Physical documents—Lost, discarded or stolen printed documents
- Portable devices—Lost, discarded or stolen laptops, hard drives, flash drives, CDs and smartphones
What is Privacy?
Privacy is “freedom from unauthorized intrusion.” In the conduct of business, organizations must acquire personal information about individuals, companies and other institutions.
Privacy protection is to be managed on three fronts: users, consumers and employees. On the users front, it is expected that their records will be protected from unauthorized persons/entities. From the consumers’ perspective, trust and confidence must be maintained wherever business is conducted. And, from the employees’ perspective, they should be assured that their information is not disclosed without their consent.
Where sensitive data are processed, additional protection measures should be in place, in particular strong encryption of data transmission and recording of access to sensitive data. The best defense, however, is not the application of technical security controls, but information security training and awareness. Encouraging users to be security-savvy could be a primary concern for service providers and organizations. Users can be considered to be a weak link in information security as it relates to keeping information confidential. Between 2005 and the writing of this article in 2012, there were 364 instances recorded in the chronology of data breaches that resulted from insider information.
Data Privacy Legislation: Protective Measures
In recent years, new legislation has been introduced following publicly announced privacy violations in order to provide security to users, consumers and employees whose data could be manipulated and their privacy invaded in data security incidents.
The Code of Fair Information Practices established in 1972 by the US Department of Health, Education and Welfare provided the basis for subsequent legislation, such as the US Data Privacy Act (1974) and UK Data Protection Act (1998). The Code of Fair Information Practices is based on five principles:
1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
4. There must be a way for a person to correct or amend a record of identifiable information about the person.
5. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.
The US and UK legal frameworks supporting good privacy practices were extended to include industry-specific legislation to address the inherent risk associated with particular types of data. Examples of those practices include:
- The Gramm-Leach-Bliley Act (GLBA) of 1999 for US financial institutions
- The Sarbanes-Oxley Act of 2002 enacted in the US, also known as the Public Company Accounting Reform and Investor Protection Act and Corporate and Auditing Accountability and Responsibility Act
- The Health Insurance Portability and Accountability Act (HIPAA) of 2006 for US health insurance companies and medical providers
- UK Privacy and Electronic Communications Regulations (EC Directive) of 2003 to prohibit direct marketing via telephone, email or text messages without prior consent of the user
Regulatory demands of US and UK legislation coupled with growing concern about privacy and information security have stimulated companies and government institutions toward compliance with national laws or, alternatively, intergroup agreements in countries where there is no legislation on the matter. Legal requirements and compliance standards are examples of externally driven mandates, which serve as a framework for implementations of privacy policies across international borders, and are designed to defend individuals’ rights to privacy by prohibiting unauthorized disclosure of personal information.
An additional concern in the legal framework is the duty of organizations to notify persons whose personal data have been compromised. This requirement varies from state to state in the US and is generally enforced if the data are unencrypted (i.e., it can be read in clear text). The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws in the US.
The European Network and Information Security Agency (ENISA) published a report in January 2011 on the status of the data breach notification laws in European countries. The report states that data breach notifications are not yet mandatory in most European Union (EU) countries, as the member states are still preparing to transpose the directives of the EU telecommunications regulation reform package, which was passed in November 2009. The reform package requires EU member states to introduce mandatory data breach notifications into local legislation.
To effectively implement the policies of the legislative framework in addressing the technology risk, industry-specific standards have emerged. These standards are updated based on the industry risk profile and published for use as a baseline in conducting digital operations. Examples of these standards include:
- Payment Card Industry Data Security Standard (PCI DSS)
- National Institute of Standards and Technology (NIST)
- ISO/IEC 27001 Information technology—Security techniques—Information security management systems—Requirements
How Do Data Privacy Breaches Occur?
Unauthorized access or inadvertent disclosure of sensitive personal data occurs universally in digital communications.
Data Privacy Breaches
At times, stories appear in key media highlighting instances of data security breaches and identity fraud, placing enterprises, celebrities and public officials in a hall of shame or leaking information that is considered confidential or secret.
“Solitude and privacy have become more essential to the individual, but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.”
Recent examples of media reports of data security incidents occurring across a range of sectors include the following:
- Google “in breach” of UK data privacy agreement (July 2012)
- Wyndham Hotels sued by the US Federal Trade Commission over alleged data breach (June 2012)
- Elections Ontario’s discovery of privacy breach of voter data (July 2012)
An ISACA white paper emphasizes the risk that perpetrators can use geolocation systems to track an individual’s whereabouts for the purposes of committing crime. This type of information is highly personal and should be classified as sensitive with the appropriate restricted access.
Every time a person signs up for a discount card at a store or completes a form to obtain some preferential service, the potential for personal information being proliferated in unknown places increases. Protection of personal data therefore depends largely on each individual.
Preparing for Breaches
User education on key information security concepts, such as social engineering, e-privacy and cybersecurity, is critical. With respect to company monitoring, access to digital communications and electronic files should be carried out only for legitimate business reasons, such as technical maintenance; monitoring system security; complying with company policy and/or legal requirements; and investigating allegations of misconduct, fraud or other wrongdoing. Users should be aware that their electronic communications may be accessed for such purposes.
Where data are being used for marketing purposes, the individual should be given the opportunity to opt out from this arrangement at any time.
It is important that data custodians be provided with training that is specific to their role and function in order to ensure that the appropriate safeguards are maintained over the data under their responsibility. Custodians hold accountability for appropriate data classification and approval of access to sensitive data.
Performing regular information security reviews, auditing data privacy policies and procedures, and actively monitoring for new security vulnerabilities helps to ensure that the appropriate data protection standards are being maintained. Upper-level management support is a key strategy in the successful implementation of information security initiatives.
Given the type and extent of the damage that can result from personal data security breaches, continuous risk assessments need to be performed by privacy professionals as communication technologies evolve. Alongside this effort is the need for stricter policies and regulations to mitigate growing threats.
“The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual,” according to Earl Warren (former Chief Justice of the United States). Thus, the protection and security of personal private information must be a priority for privacy professionals, who can influence the development of policies and laws against privacy invasion.
Privacy law is still in its infancy in many territories and every major entity should be engaged in sustainable initiatives aimed at preventing and detecting abuses of personal data. Continuous information security campaigns must be in place to educate users about the risk of having their personal data stolen as well as the controls for protecting it. A key success factor in user awareness initiatives is C-level support—demonstrating leadership by example and accountability. This mission can be extended through stakeholder partnership with nonprofit privacy organizations to disseminate public information media releases geared toward the education of users universally. To put it simply, data privacy is everyone’s responsibility.