WHY PRIVACY?
Partial List?
Email
Social Networking: Facebook / LinkedIn / Twitter
Search
Shop
Pay bills
Heard of or seen
Terms of Use agreements? Privacy Policies?
Sample : Flipkart
You are responsible for any notes, messages, e-mails, billboard postings, photos, drawings, profiles, opinions, ideas, images, videos, audio files or other materials or information posted or transmitted to the Sites (collectively, "Content").
Such Content will become the property of Flipkart.com throughout the universe. Flipkart.com shall be entitled to, consistent with our Privacy Policy, use the Content or any of its elements for any type of use forever, including but not limited to promotional and advertising purposes and in any media whether now known or hereafter devised, including the creation of derivative works that may include Content you provide.
Arrka e-Security Solutions Pvt Ltd
Our site links to other websites that may collect personally identifiable information about you. Flipkart.com is not responsible for the privacy practices or the content of those linked websites.
Email
294 billion emails are sent every day
Copies of ALL of them go into permanent storage EVEN the ones you delete!!
Gmail
The ads you see are based on the content of your emails
to understand who you are
Some will restrict this to dishing out appropriate ads
Others will take this knowledge and apply it elsewhere
So ads based on your emails can show up even beyond your mailbox
As soon as data collected from one website starts to wander,
Facebook
800 Million people globally
700 status updates per second
Every move you make on fb is analysed and put into permanent storage
- status, comments, likes, info, messages, photos
- deleted messages, events, date/time/location of logins, multiple users on one comp....
you share
Remember, every piece of info you put on fb is permanently stored, even what you delete
So what? The info is what you post yourself, right?
Wrong! FB collects all sorts of background info
It even knows which pages you visit, even if you don't hit the like button
SEARCH
34,000 searches per second, 9 billion per day
Google stores
Your search history
What you click after a search
Your location (up to your IP Address)
profiles of people
Which, in turn is used by 80% of ad agencies (in 2010)
What does it have to do with you and me and the enterprises we are associated with?
card??
How many times have you dropped your visiting card for a lucky draw?
Ever wondered how many people get hold of that info before it reaches the marketing folks collecting it?
Who further use it / share it with God-Knows-Who?
Privacy Straddles
The Online World
online
The Physical world
Classes of Privacy
Information Privacy
Communication Privacy
Bodily Privacy
Territorial Privacy
* Our focus is on Information Privacy
Sources of PII
Public Records
  Collected and maintained by a govt entity
  Available to the general public
  Eg: property records
Publicly Available Information
  Info generally available without restriction
  Eg: Names & Addresses from Tel Directories, newspapers, etc
Non-Public Information
  Not easily available or accessed
  Eg: financial data, medical records, etc
Categories of Data
Secret, Private or Sensitive Data
Government Filings: IT Returns, etc
National Identifiers: PAN Card, Passport details
Criminal Records
Health Data
Consumer Data
Data Collected Online
Aggregate or Anonymous Data
Anonymous Data
Not unique or tied to a specific individual
Eg: colour of eyes, product choices, browser configuration, etc
Data is anonymous when it is not possible to determine what individual it refers to from a sufficiently large set of people
i.e., you cannot pick an individual from a crowd
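The "crowd" test above can be measured by counting how many records share each combination of attributes (the idea usually called k-anonymity, a term the slides do not use). This is an added example, not part of the original deck; the records, field names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real people). The attributes follow the
# slide's own examples of data that is not unique by itself.
RECORDS = [
    {"eye_colour": "brown", "product": "phone",  "browser": "Chrome"},
    {"eye_colour": "brown", "product": "phone",  "browser": "Chrome"},
    {"eye_colour": "brown", "product": "laptop", "browser": "Chrome"},
    {"eye_colour": "brown", "product": "laptop", "browser": "Firefox"},
    {"eye_colour": "black", "product": "phone",  "browser": "Firefox"},
    {"eye_colour": "black", "product": "phone",  "browser": "Firefox"},
    {"eye_colour": "black", "product": "laptop", "browser": "Firefox"},
    {"eye_colour": "black", "product": "laptop", "browser": "Chrome"},
]

def crowd_sizes(records, attrs):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)

def smallest_crowd(records, attrs):
    """Size of the smallest group of look-alike records for these attributes."""
    return min(crowd_sizes(records, attrs).values())

def singled_out(records, attrs):
    """Indexes of records whose attribute combination is unique in the set."""
    sizes = crowd_sizes(records, attrs)
    return [i for i, r in enumerate(records)
            if sizes[tuple(r[a] for a in attrs)] == 1]

def is_anonymous(records, attrs, k):
    """True when every record hides in a crowd of at least k look-alikes."""
    return smallest_crowd(records, attrs) >= k

if __name__ == "__main__":
    for attrs in (["eye_colour"], ["eye_colour", "product"],
                  ["eye_colour", "product", "browser"]):
        print(attrs, "smallest crowd:", smallest_crowd(RECORDS, attrs),
              "singled out:", singled_out(RECORDS, attrs))
```

Each attribute alone leaves everyone in a crowd of four, but releasing all three together singles out half the records, which is why a data set should be checked on the combination of fields it exposes.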
Pseudonymous Data
Unique information that, by itself, does not identify a specific individual
But could be associated with an individual
Eg: product or service usage trends
Identified data can be converted to pseudonymous data
By replacing real identifiers with pseudonyms
Though it may be easy to reverse this process
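Why reversal can be easy, shown as an added example that is not part of the original deck: a pseudonym derived with an unkeyed hash can be recomputed by anyone who holds a list of likely identifiers, while a keyed pseudonym can only be mapped back by whoever holds the key. The sample rows, field names and helper functions are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def pseudonym_unkeyed(identifier):
    """Weak: plain SHA-256 of the identifier; anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]

def pseudonym_keyed(identifier, key):
    """Stronger: HMAC-SHA-256 under a secret key kept by the data holder."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(rows, id_field, make_pseudonym):
    """Replace the real identifier in each row with its pseudonym."""
    return [{**{k: v for k, v in r.items() if k != id_field},
             "pseudonym": make_pseudonym(r[id_field])} for r in rows]

def reidentify(pseudo_rows, candidates, make_pseudonym):
    """Audit check: which pseudonyms map back to a known candidate identifier?"""
    lookup = {make_pseudonym(c): c for c in candidates}
    return {r["pseudonym"]: lookup[r["pseudonym"]]
            for r in pseudo_rows if r["pseudonym"] in lookup}

# Constructed sample data: usage trends keyed by an e-mail address.
ROWS = [
    {"email": "asha@example.com", "usage_minutes": 340},
    {"email": "ravi@example.com", "usage_minutes": 95},
]
# Constructed list of identifiers a recipient of the data might already know.
CANDIDATES = ["asha@example.com", "ravi@example.com", "meera@example.com"]
KEY = secrets.token_bytes(32)  # stays with the organisation, never shared

def demo():
    weak = pseudonymise(ROWS, "email", pseudonym_unkeyed)
    strong = pseudonymise(ROWS, "email", lambda s: pseudonym_keyed(s, KEY))
    # A recipient without KEY can only recompute the unkeyed function.
    recovered_weak = reidentify(weak, CANDIDATES, pseudonym_unkeyed)
    recovered_strong = reidentify(strong, CANDIDATES, pseudonym_unkeyed)
    return weak, strong, recovered_weak, recovered_strong

if __name__ == "__main__":
    weak, strong, rec_weak, rec_strong = demo()
    print("unkeyed pseudonyms mapped back:", rec_weak)
    print("keyed pseudonyms mapped back:  ", rec_strong)
```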
Aggregate Data
Compiled or Statistical Information that is not personally identifiable
Egs: Demographics, Domain Names
Concept of Choice
The ability of an individual to specify:
Whether personal info will be collected
How it will be used or shared
Generally appropriate when used in marketing
Manifestation of Choice
Opt-in
Individual makes an affirmative indication of choice
Eg: You specifically tick a box that states you wouldn't mind your info being shared with a third party
Opt-Out
Individual's failure to object to a use or disclosure implies
Eg Of Opt-Out Indigo
Scope
Applies to:
All organizations who collect, use and process personal data and information in India
Includes service providers who collect & process info on behalf of other organizations also
Includes information of individuals not residing in India but collected by an entity in India
(PII)
by another orgn
Policy should outline:
Statement of its practices and policies clearly and in an easily accessible manner
Type of PI/SPI collected
Purpose for Collection & Usage
Disclosure to 3rd parties
Security practices & procedures followed by the orgn to safeguard the PI/SPI
Collection of SPI
Should obtain consent, in writing, from the individual
About Purpose of Usage
Before collection
communication
Collect Info only
If absolutely necessary
For a lawful purpose
As required by law
Orgn has the option to not provide the service to the individual in the above circumstances
Grievance Officer
Every Orgn should designate a Grievance Officer
To address any discrepancies / grievances of the individual
Within a month from the date of receipt of the grievance
Disclosure of SPI
Disclosure to 3rd Parties only with prior permission
Obtained via the consent
Unless:
Agreement has been a part of a contract between the individual and the
Transfer of PI/SPI
Only to 3rd parties who have the same level of data protection as the orgn
Only if necessary to fulfill its contractual requirements
Or if consent has been obtained from the individual
Data Protection
Orgn has to adopt and comply with reasonable security practices & procedures
That is, have a documented Information Security Program & practices
Provided audited annually
Self-Regulatory Model
Online Privacy Alliance
Seal Programs: Truste, WebTrust, etc
Overview
Has one of the strongest and most evolved legal regimes on privacy and data
law
The EU sets the Floor level each member state enacts its own national
directive
Supported by the Electronic Communications Directive and the E-Privacy Directive
personal data
Governed by individual DPAs (Data Protection Authorities) in every country
Necessary for the performance of a contract where the data subject is party
When necessary for the legitimate interests of the company balanced with the
jurisdiction
Argentina, Canada, Switzerland, Guernsey, Isle of Man
Unambiguous Consent, freely given, from the individual
Strictly necessary for the Performance of a Contract
Eg: data of a credit card holder being transferred to an issuing bank outside the EU during an authorization process
passed in 1995
Expected to come into effect by 2015 latest
Incorporating feedback and inputs from various stakeholders
to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service
and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union
Who would be accountable
Notification of breaches
If a user's data has been compromised or suspected to have been
Significant sanctions for violation of the law. Organizations would be exposed to penalties of up to 1
need to specifically gain the consent of their visitor and they must "Opt In" to be able to store cookies on their computer or other devices
Rules passed in May 2011
Member countries have given further deadlines for compliance
UK: May 2012
Fines up to 500K Pounds for non-compliance
Other Geographies
US - Background
Does not explicitly provide a right to privacy as a fundamental right
General approach : Laws do not restrict collection but focus on
US Law : Approaches
FIPS-based Approach
notice & choice as cornerstones Process-oriented
laws
Hybrid
US Major Laws
FCRA (Fair Credit Reporting Act)
  For entities that compile & use consumer reports
  Limits use of consumer reports only for permissible purposes
  Requires notification to consumers, especially when adverse actions are taken
HIPAA (Health Insurance Portability & Accountability Act)
  Entire Healthcare sector
  Strict Privacy Rules for PHI (Personal Health Information)
  Notices, Authorisations for use & disclosure from consumer, security safeguards, etc
GLBA (Financial Services Modernisation Act)
  Strict rules for usage of NPI (Non-Public Personal Info)
COPPA (Children's Online Privacy Protection Act)
  Eg: Requires Parental Consent before collecting personal data from children under 13 yrs
State Security Breach Notification Laws
Latin America
No common framework but most countries have passed data protection
Challenges
Most existing privacy & data protection laws are 10-15 years old
Yet technology has evolved dramatically in the meantime
We have seen how people are losing control over how info
used.
People want to know if their data is being used the right way.
And they want to know that the products and services they use
data and
reinforces the responsibility of organizations to protect
We also need to recognize that laws cannot do everything.
Technology industry leaders need to continue to consider how they can put people first when we design and deploy technologies.
We need to incorporate privacy protections early in the technology development cycle, and we need to enhance transparency so individuals can make fully informed and meaningful choices about how their data are used.
Questions?
shivangi.nadkarni@arrka.com