
DATA PRIVACY

By Shivangi Nadkarni, Founder & CEO, Arrka e-Security Solutions (Shivangi.nadkarni@arrka.com)

Arrka e-Security Solutions Pvt Ltd

Privacy : Setting The Context


WHY PRIVACY?

What do you do online?


Partial List?
- Email
- Social Networking: Facebook / LinkedIn / Twitter
- Search
- Shop
- Pay bills
- Do your banking / investing / etc.
- Play games
- Simply surf

In each of these services, you are required to provide real data about yourself at some point in time.

That's ok! Obviously, for e.g., if you are shopping, you have to provide your real address, right?

But How Do You Know
- that the info you provide to one website won't end up somewhere else?
- that beyond the personal info you willingly provide, how much info about you is being collected without your knowledge?

Behind the Scenes - What Goes On?

Heard of or seen Terms of Use agreements? Privacy Policies?

Ever read them?

Don't worry - most people don't!

If you did, you would understand how much privacy is actually available - or rather, not available - online.

Sample : Flipkart

"You are responsible for any notes, messages, e-mails, billboard postings, photos, drawings, profiles, opinions, ideas, images, videos, audio files or other materials or information posted or transmitted to the Sites (collectively, "Content"). Such Content will become the property of Flipkart.com throughout the universe. Flipkart.com shall be entitled to, consistent with our Privacy Policy, use the Content or any of its elements for any type of use forever, including but not limited to promotional and advertising purposes and in any media whether now known or hereafter devised, including the creation of derivative works that may include Content you provide."

"Our site links to other websites that may collect personally identifiable information about you. Flipkart.com is not responsible for the privacy practices or the content of those linked websites."

Email
- 294 billion emails are sent every day
- Copies of ALL of them go into permanent storage - EVEN the ones you delete!!
- Companies who send you email can see:
  - When you open messages
  - Where you are when you open them (based on your IP address)

Gmail
- The ads you see are based on the content of your emails
- This doesn't mean that a person is reading your mails; it is fully automated
- But, by scanning your mail content, email services can start to understand who you are
  - Some will restrict this to dishing out appropriate ads
  - Others will take this knowledge and apply it elsewhere
- So ads based on your emails can show up even beyond your mailbox
- As soon as data collected from one website starts to wander, it can end up ANYWHERE

Facebook
- 800 million people globally; 700 status updates per second
- Every move you make on FB is analysed and put into permanent storage:
  - status, comments, likes, info, messages, photos
  - deleted messages, events, date/time/location of logins, multiple users on one computer...

How is this info used?
- Ads you see are customised based on every piece of info you share
- Remember, every piece of info you put on FB is permanently stored - even what you delete
- So what? The info is what you post yourself, right?
- Wrong! FB collects all sorts of background info. It even knows which pages you visit, even if you don't hit the Like button
- With FB going public, pressure has increased to put this data to even more use

SEARCH
- 34,000 searches per second, 9 billion per day
- Google stores:
  - Your search history
  - What you click after a search
  - Your location (up to your IP address)
- Google search terms are used to build behavioural advertising profiles of people
- Which, in turn, are used by 80% of ad agencies (in 2010)

So, is Privacy a concern only with the Online, Consumer-Focused World?

What does it have to do with you and me and the enterprises we are associated with?

How many times have you written down your mobile number while collecting a courier?

Ever given out your passport number while collecting a credit / debit card?

Ever filled out a credit card application and never heard from the DSA again?

What happens to that data you have given out?

How many times have you dropped your visiting card for a lucky draw?

Ever wondered how many people get hold of that info before it reaches the marketing folks collecting it, who further use it / share it with God-knows-who?

Now what if your company is responsible and liable for all such data that is being collected in its name?

Will it continue to be as lax as ever?

Privacy Straddles
- The Online World
- The Digital World, where data may / may not be available online
- The Physical World

Privacy - Some Basic Concepts


Classes of Privacy
- Information Privacy
- Communication Privacy
- Bodily Privacy
- Territorial Privacy

* Our focus is on Information Privacy

Personal Information (PI) / Personally Identifiable Information (PII)
- Any information that
  - Relates to an individual
  - Identifies or can be used to identify an individual
- Typical examples: name, age, gender, address, mail id, tel number, PAN number, etc.
- Forms of existence: electronic, paper, etc.

Sensitive Personal Information (SPI)
- A subset of PI
- Specifically refers to sensitive data
- Elements of Sensitive PI (SPI) defined differently in different countries
- Typical examples:
  - Racial / ethnic origins
  - Religious & political beliefs
  - Health information
  - Criminal data

Sources of PII
- Public Records
  - Collected and maintained by a govt entity
  - Available to the general public
  - E.g.: property records
- Publicly Available Information
  - Info generally available without restriction
  - E.g.: names & addresses from telephone directories, newspapers, etc.
- Non-Public Information
  - Not easily available or accessed
  - E.g.: financial data, medical records, etc.

Categories of Data
- Secret, Private or Sensitive Data
- Government Filings: IT returns, etc.
- National Identifiers: PAN card, passport details
- Criminal Records
- Health Data
- Consumer Data
- Data Collected Online
- Aggregate or Anonymous Data

Anonymous Data
- Not unique or tied to a specific individual
  - E.g.: colour of eyes, product choices, browser configuration, etc.
- Data is anonymous when it is not possible to determine what individual it refers to from a sufficiently large set of people
  - i.e., you cannot pick an individual from a crowd
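As an added illustration (not from the original deck), the "cannot pick an individual from a crowd" test can be made concrete: for a constructed table with names already removed, count how many records share each combination of quasi-identifiers; if any combination belongs to a single record, that person is still identifiable, and coarsening the values is one way to fix it. Column names, values and the threshold are made up for this example.

```python
from collections import Counter

# Constructed sample of "anonymous" consumer records with names removed.
# Columns and values are made up for this example.
RECORDS = [
    {"age": 34, "gender": "F", "pin": "400001", "eye_colour": "brown"},
    {"age": 36, "gender": "F", "pin": "400002", "eye_colour": "brown"},
    {"age": 35, "gender": "M", "pin": "400001", "eye_colour": "black"},
    {"age": 38, "gender": "M", "pin": "400003", "eye_colour": "brown"},
    {"age": 52, "gender": "F", "pin": "411001", "eye_colour": "brown"},
    {"age": 57, "gender": "F", "pin": "411004", "eye_colour": "black"},
]

# Quasi-identifiers: harmless alone, but in combination they can single
# out a person (unlike eye colour, which stays non-identifying here).
QUASI_IDS = ("age", "gender", "pin")


def min_group_size(records, quasi_ids=QUASI_IDS):
    """Smallest number of records sharing one combination of quasi-identifier
    values (the 'k' of k-anonymity). k == 1 means at least one person can be
    picked out of the crowd, so the data is not anonymous in the deck's sense."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def is_anonymous(records, k, quasi_ids=QUASI_IDS):
    """True when every quasi-identifier combination hides at least k people."""
    return min_group_size(records, quasi_ids) >= k


def generalise(record):
    """Coarsen the quasi-identifiers: 10-year age band, 3-digit PIN prefix.
    Less precise data, but each combination now covers more people."""
    lo = record["age"] // 10 * 10
    coarse = dict(record)
    coarse["age"] = f"{lo}-{lo + 9}"
    coarse["pin"] = record["pin"][:3] + "xxx"
    return coarse


def anonymise(records, k, quasi_ids=QUASI_IDS):
    """Return the generalised records, or raise if they still do not reach k."""
    out = [generalise(r) for r in records]
    if not is_anonymous(out, k, quasi_ids):
        raise ValueError(f"only {min_group_size(out, quasi_ids)}-anonymous, need {k}")
    return out


if __name__ == "__main__":
    print("raw k =", min_group_size(RECORDS))                    # 1: every row is unique
    print("generalised k =", min_group_size(anonymise(RECORDS, 2)))  # 2
```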

Pseudonymous Data
- Unique information that - by itself - does not identify a specific individual
- But could be associated with an individual
  - E.g.: product or service usage trends
- Identified data can be converted to pseudonymous data by replacing real identifiers with pseudonyms
  - Though it may be easy to reverse this process
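As an added example (not from the original deck), this converts identified records to pseudonymous ones by replacing the identifier with a pseudonym, and includes the self-check a practitioner would want for "it may be easy to reverse this process": an unkeyed hash of a short, predictable identifier can be mapped back simply by recomputing it for every identifier the format allows, whereas a keyed HMAC pseudonym cannot be recomputed without the key. The record layout, customer-ID format and key are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed identified records; the customer-ID format (C + 4 digits)
# and the products are made up for this example.
IDENTIFIED = [
    {"customer_id": "C0042", "product": "headphones"},
    {"customer_id": "C1337", "product": "kettle"},
    {"customer_id": "C0042", "product": "charger"},
]

# Every identifier the format allows: a small, entirely guessable space.
CANDIDATES = [f"C{i:04d}" for i in range(10_000)]

# Key for this demo run only; in practice it lives in a key store, kept apart from the data.
DEMO_KEY = secrets.token_bytes(32)


def plain_pseudonym(identifier):
    """Naive pseudonym: an unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier, key=DEMO_KEY):
    """Keyed pseudonym: HMAC-SHA256, reproducible only by a holder of the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def guess_without_key(identifier):
    """What someone without the real key can compute: the same scheme under a wrong key."""
    return keyed_pseudonym(identifier, b"constructed wrong key")


def pseudonymise(records, make_pseudonym):
    """Replace customer_id with a pseudonym in every record. The same id always
    gets the same pseudonym, so per-customer usage trends survive, while the
    records themselves no longer name the customer."""
    return [
        {**{k: v for k, v in r.items() if k != "customer_id"},
         "pseudonym": make_pseudonym(r["customer_id"])}
        for r in records
    ]


def reverse_by_enumeration(pseudonym, make_pseudonym, candidates=CANDIDATES):
    """Reversibility self-check: recompute the pseudonym for every candidate
    identifier and return the candidate that matches, or None."""
    for candidate in candidates:
        if make_pseudonym(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    weak = pseudonymise(IDENTIFIED, plain_pseudonym)
    print("unkeyed hash reverses to:",
          reverse_by_enumeration(weak[0]["pseudonym"], plain_pseudonym))    # C0042
    strong = pseudonymise(IDENTIFIED, keyed_pseudonym)
    print("keyed pseudonym reverses to:",
          reverse_by_enumeration(strong[0]["pseudonym"], guess_without_key))  # None
```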

Aggregate Data
- Compiled or statistical information that is not personally identifiable
- E.g.:
  - Demographics
  - Domain names
  - Website traffic counts

The Concept of a Privacy Notice
- Description of an organisation's information management practices
- Typically lets an individual whose data is being collected know:
  - WHAT data is being collected
  - HOW the data would be USED
  - Whether the data would be DISCLOSED or TRANSFERRED to third parties, and if so, to WHOM
  - What CHOICES the individual has w.r.t. use, disclosure and onward transfer
  - Whether and how the individual can access / update the info
- Why a Notice?
  - Consumer education
  - Corporate accountability

Concept of Choice
- The ability of an individual to specify:
  - Whether personal info will be collected
  - How it will be used or shared
- Generally appropriate when used in marketing communication
- May not be appropriate in other situations
  - E.g.: offering choice about sharing name & address with a courier company that is delivering an order to an individual

Manifestation of Choice
- Opt-in
  - Individual makes an affirmative indication of choice
  - E.g.: You specifically tick a box that states you wouldn't mind your info being shared with a third party
- Opt-out
  - Individual's failure to object to a use or disclosure implies that a choice has been made
  - E.g.: Unless you specifically tick or untick a box, your information would be shared with 3rd parties

E.g. of Opt-In: The Economist

E.g. of Opt-Out: Indigo

The Concept of Access
- Ability of an individual to
  - View personal info held by an organisation
  - Update and correct it
- Note: Companies may not always offer Access
  - Can be very costly or difficult to retrieve

Concept of Data Minimisation
- The idea that the collection, use, disclosure and retention of personal information should be minimised wherever, and to the fullest extent, possible

The Indian Scenario
- India has an omnibus law - the Information Technology Act (2008 Amended) (IT Act)
  - Covers everything from Digital Signatures to Data Protection to Electronic Records to Cybersecurity to Cybercrime
  - Most countries have separate legislation for each of the above
- No separate privacy law either - work is on for an overall law on privacy
- Sensitive Data Protection Rules passed in April 2011 - popularly referred to as "Privacy Rules"
  - These changed the privacy landscape in India overnight!

Scope
Applies to:
- All organizations who collect, use and process personal data and information in India
- Includes service providers who collect & process info on behalf of other organizations
- Includes information of individuals not residing in India but collected by an entity in India

Personal Information (PI)
- Defined as: Any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person
- Also what is commonly referred to as Personally Identifiable Information (PII)

Sensitive Personal Information (SPI)
- Information relating to:
  - Passwords
  - Financial information such as bank account or credit card or debit card or other payment instrument details
  - Physical, physiological and mental health condition
  - Sexual orientation
  - Medical records and history
  - Biometric information
- If any of the above is available in the public domain or under RTI / any other law, then it would not be considered SPI

Policy for Privacy and Disclosure of Info
- Organisation should have a privacy policy
  - Whether the organisation collects PI/SPI or merely processes that collected by another organisation
- Policy should outline:
  - Statement of its practices and policies, clearly and in an easily accessible manner
  - Type of PI/SPI collected
  - Purpose for collection & usage
  - Disclosure to 3rd parties
  - Security practices & procedures followed by the organisation to safeguard the PI/SPI

Collection of SPI
- Should obtain consent - in writing - from the individual
  - About purpose of usage
  - Before collection
  - In writing: letter / fax / email / any mode of electronic communication
- Collect info only
  - If absolutely necessary
  - For a lawful purpose
  - If connected with the function of the organisation

The Individual should have Full Knowledge of
- The fact that the information is being collected;
- The purpose of collection;
- Who are the intended recipients of the information;
- The name and address of
  - the agency that is collecting the information; and
  - the agency that will retain the information.

Very pertinent for India!

Use of the SPI
- Organisation should
  - Use the SPI only for the purpose for which it has been collected
  - Hold the SPI only
    - As long as required for the purpose
    - As required by law
  - Enable the individual to review the PI/SPI provided and amend / correct it
    - However, the organisation is not responsible for the authenticity of the info provided
- Organisation should give the individual an option to:
  - Not provide PI/SPI in the first place
  - Withdraw the info & consent provided earlier, in writing
- Organisation has the option to not provide the service to the individual in the above circumstances

Grievance Officer
- Every organisation should designate a Grievance Officer
  - To address any discrepancies / grievances of the individual
  - Within a month from the date of receipt of the grievance
- The name and contact details of the Grievance Officer should be published on the organisation's website

Disclosure of SPI
- Disclosure to 3rd parties only with prior permission, obtained via the consent
- Unless:
  - Agreement has been a part of a contract between the individual and the organisation
  - Disclosure is required for legal compliance
    - To govt agencies mandated under law
    - Govt agencies are required to give the purpose of collection in writing to the organisation, and also commit that they will not share the info further

Transfer of PI/SPI
- Only to 3rd parties who have the same level of data protection as the organisation
- Only if necessary to fulfil its contractual requirements, or if consent has been obtained from the individual

Data Protection
- Organisation has to adopt and comply with reasonable security practices & procedures
  - That is, have a documented Information Security Program & implemented security practices & standards
- In case of a data breach, the organisation may need to demonstrate that it has implemented the security measures documented
- ISO 27001 is accepted as a standard
  - Any organisation with ISO 27K is deemed to have adopted reasonable security practices, provided it is audited annually

Global Legal Perspectives


Models of Data Protection Legislation
- Comprehensive Laws (EU, India)
- Sectoral Laws (US)
- Co-Regulatory Models
- Self-Regulatory Model
  - Online Privacy Alliance
  - Seal Programs: TRUSTe, WebTrust, etc.

EU & US - key difference in approach
- EU: The user / citizen is the owner of the data, even if it resides with an organisation that collects it
- US: The organisation that collects the data is the owner, but is accountable to the user

THE EUROPEAN UNION

Overview
- Has one of the strongest and most evolved legal regimes on privacy and data protection
  - Past history a big driver
- Based on the protection of privacy as a fundamental human right
- General rule: no one can collect or use personal data unless permitted by law
- The EU sets the "floor" level - each member state enacts its own national laws based on this
- The EU Data Protection Directive of 1995 - the basic, comprehensive directive
  - Supported by the Electronic Communications Directive and the E-Privacy Directive

Key Points of the Directive
- Imposes strict requirements on any person collecting or processing personal data
- Governed by individual DPAs (Data Protection Authorities) in every country
- Processing permitted if:
  - Unambiguous consent is obtained
    - Notice & Choice are key elements - strictly enforced
  - Necessary for the performance of a contract where the data subject is party
  - Necessary for the legitimate interests of the company, balanced with the fundamental rights & freedoms of the customer
- Notification to the DPA before carrying out any processing

Data Transfers Outside the EU
- Directive extremely strict about data transfers outside the EU
- Conditions for transfer:
  - Adequacy of data protection in the destination country's jurisdiction
    - Argentina, Canada, Switzerland, Guernsey, Isle of Man
  - Unambiguous consent - freely given - from the individual
  - Strictly necessary for the performance of a contract
    - E.g.: data of a credit card holder being transferred to an issuing bank outside the EU during an authorization process

Data Transfers Outside the EU (contd.)
- Model Contracts: put in certain safeguards & standard clauses approved by the EU Commission
  - DPAs are notified
  - Authorization from DPAs
- Safe Harbour Framework
  - Specific between the EU & US

EU : THE NEW DRAFT REGULATIONS
- One of the earliest to take up Data Protection & Privacy, and has served as a model
- However, the famous EU Data Protection Directive was passed in 1995
- Technology has dramatically changed since then
- Hence, the EU has recently (Jan 25th 2012) released a draft data protection regulation
  - Expected to come into effect by 2015 latest
  - Incorporating feedback and inputs from various stakeholders

THE NEW REGULATION : KEY ASPECTS

Firstly, it is a regulation and not a directive
- A directive:
  - Served as a minimum or "floor" level
  - Individual member states could modify it / add onto it and then pass it as laws in their respective countries
  - Result: currently, every EU country has its own version of the Data Protection Act
    o A nightmare for businesses working across multiple countries
- A regulation implies:
  - Individual member states have to follow it as is
  - Cannot introduce their own localised version of the law

New Draft Regulation : Key Points
- The notion of consent by the user has been strengthened
  - Currently, it can be implied
    o E.g.: An individual who uses a website is assumed to have agreed to the privacy policy of that website
  - New regime: consent has to be specific, informed, and explicit
  - Data Controller has to prove that the user has given consent
    o For companies, it means having to retain evidence, or obtain specific consent if not taken earlier

Focus of the new regulations:
- Increases the rights of the individual
- Increases the powers of the supervisory authorities

- Special provision to protect the rights of children
- Right to be forgotten
  - A special right introduced for users
  - Includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service

- The right to object to the processing of personal data would be supplemented by a right not to be subject to measures based on profiling
- These reflect the pressures of the current times, where users do not have control over how their data is being used by social networks and other online entities

Implications for BPOs:
- Data controllers that are not established in the European Union, and that direct data processing activities at EU residents or monitor their behaviour, have to appoint a designated representative in the European Union
  - Who would be accountable
- Notification of breaches
  - If a user's data has been compromised, or is suspected to have been compromised, he/she would need to be informed

- Significant sanctions for violation of the law: organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global annual turnover of an enterprise
  - This is much more than the penalties currently in place throughout the European Union

EU & THE COOKIE LAW

Cookies & the Law
- In the EU:
  - Rather than the "opt out" option for website visitors, websites need to specifically gain the consent of their visitors, who must "opt in" before cookies can be stored on their computer or other devices
  - Rules passed in May 2011
  - Member countries have given further deadlines for compliance - UK: May 2012
  - Fines up to 500K pounds for non-compliance

Other Geographies

US - Background
- Does not explicitly provide a right to privacy as a fundamental right
- General approach: laws do not restrict collection but focus on preventing harmful uses of information
- Two-level legal system:
  - Central (known as Federal), where a lot of sector-specific laws and regulations have been passed
  - State level - most states have their own privacy laws; these tend to be sector-agnostic

US Law : Approaches
- FIPS-based approach
  - Notice & choice as cornerstones
  - Process-oriented
- Permissible Purpose approach
  - Limits usage of data to purposes permitted under the laws
- Hybrid

US Major Laws
- FCRA - Fair Credit Reporting Act
  - For entities that compile & use consumer reports
  - Limits use of consumer reports only for permissible purposes
  - Requires notification to consumers, especially when adverse actions are taken
- HIPAA - Health Insurance Portability & Accountability Act
  - Entire healthcare sector
  - Strict privacy rules for PHI (Personal Health Information)
  - Notices, authorisations for use & disclosure from the consumer, security safeguards, etc.
- GLBA (Financial Services Modernisation Act)
  - Strict rules for usage of NPI (Non-Public Personal Info)
- COPPA (Children's Online Privacy Protection Act)
  - E.g.: requires parental consent before collecting personal data from children under 13 yrs
- State Security Breach Notification Laws

APEC & LATIN AMERICA
- APEC:
  - APEC Privacy Framework approved in 2004
  - Similar principles, largely based on FIPS & OECD
  - Non-binding (unlike the EU)
  - Individual countries have passed their own laws
- Latin America:
  - No common framework, but most countries have passed data protection laws
  - Generally based on rights of Habeas Data
    - Constitutional guarantees that citizens may have the data archived about them by the govt / commercial entities

Challenges with Legal Systems


Challenges
- Most existing privacy & data protection laws are 10-15 years old
- Yet technology has evolved dramatically in the meantime

We have seen how people are losing control over how info about them is being collected and used.

"I value knowing what information is collected from me and how it is used."

People want to know if their data is being used the right way. And they want to know that the products and services they use are built with privacy in mind.

Basically, the law needs to continue to evolve in ways that
- put people first by giving them control over the uses of their data, and
- reinforce the responsibility of organizations to protect appropriately the privacy and the security of that data.

We also need to recognize that laws cannot do everything. Technology industry leaders need to continue to consider how they can put people first when we design and deploy technologies. We need to incorporate privacy protections early in the technology development cycle, and we need to enhance transparency so individuals can make fully informed and meaningful choices about how their data are used.

(Cartoon: Peter Steiner in the New Yorker, 1993)

Questions?
shivangi.nadkarni@arrka.com
