Computer Ethics

Privacy and Information Technology

Outline of presentation on Privacy in Class:


Privacy as embodied in US Law encompasses both:

  1. Individual’s right to privacy, and
  2. Business privacy or security

FOUNDATION for PRIVACY under US Law:

Four recognized privacy actions:

  1. Intrusion upon a person’s physical solitude
  2. Appropriation of a person’s name or likeness for commercial benefit
  3. Public disclosure of private facts
  4. Placing a person in a false light in the public eye

PRIVACY Components in the Old Foundation:

  1. Individual’s interest in avoiding disclosure of personal information
  2. Individual’s interest in independence in making certain kinds of important decisions

PRIVACY balances:

Government needs

vs.

Individual needs

Conflicting Viewpoints:

  1. Legislation that protects privacy by prohibiting disclosure of information
  2. Legislation that provides access to information

FACTORS AFFECTING PRIVACY:

  1. Expectation of the holder in the extent of privacy
  2. Difference between the “content” of the communication and the “existence” of the communication itself

Opt-in vs. Opt-out

  1. "Opt-in" means the data subject must take an affirmative act to consent to the collection and use of personally identifiable data (for example, in an on-line form, the box must be checked by the data subject in order to consent to having emails sent by the vendor to the data subject).
  2. "Opt-out" means the data subject is assumed to have consented unless he/she takes an affirmative action to rescind consent (for example, in an on-line form, the box would already have a check-mark in it to indicate consent; the data subject would have to "un-check" the box to indicate no consent to receiving email updates).

SOURCE of PRIVACY RIGHTS In the US:

  1. 1st Amendment protecting freedom of religion, speech and peaceable assembly
  2. 4th Amendment protecting against unreasonable search and seizure
  3. Older Privacy Statutes:
    1. Limit data transfer between federal agencies
    2. Limit wiretapping
    3. Credit bureaus
    4. Educational institutions
    5. Videotape rental stores
    6. Cable service providers
    7. Driver's License Information

A little Privacy History: the US Federal government has, over the years, looked at protecting the privacy of personally identifiable data:

1973 - “Code of Fair Information Practices
1980 - “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
1998 - FTC study on privacy practices

 

Data Collection Guidelines:

The government bodies and trade groups that have looked at protecting the privacy of personally identifiable data from an ethical viewpoint have decided that data collectors should exercise certain steps to ensure ethically gathering, use, and maintenance of personally identifiable data. Those guidelines have been stated as multi-step guidelines, which can be basically "boiled down" to the following:

  1. Notice - the data collector must give notice to the data subject about the collection and use of personally identifiable data: a) what is being collected; b) how it will be used.
  2. Choice - the data subject must be given a choice about whether the data is collected and the extent to which it is used (no "invisible data gathering").
  3. Relevancy - the data collector must collect only the data necessary for the uses disclosed.
  4. Scrutiny - the data subject must be able to examine the collected data and request corrections and deletions (subject to legal compliance).
  5. Security - the data collector must exercise commercially reasonable security measures to protect the data from unauthorized disclosure.

Privacy Statutes

HIPAA

  1. Health Insurance Portability and Accountability Act of 199
  2. Covers:
    1. Electronic data interchange of health care information
    2. “Opt in” for use of protected health information; “minimum and necessary”Health care providers, health plans, clearinghouses, and “business associates”
  3. Proper HIPAA Administration requires:
    1. Privacy Official
    2. Training
    3. Safeguards
    4. Complaint Process
    5. Enforcement

GLB

  1. Graham-Leach-Bliley Act of 1999
  2. Applies to Financial Institutions and Insurance Companies
  3. Requires notice and opt-out to use personally identifiable information

Georgia Law Regarding Personally Identifiable Data:

O.C.G.A. §10-15-4.
“A business may not discard a record containing personal information unless it:
Shreds the customer’s record before discarding the record;
Erases the personal information contained in the customer’s record before discarding the record;
Modifies the customer’s record to make the personal information unreadable before discarding the record; or
Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer’s record for the period between the record’s disposal and the record’s destruction.”
A business that violates this law may be fined $500 to $10,000.

INTERNATIONAL CONSIDERATIONS - other countries have stricter laws regarding collection and use of personally identifiable data.

  1. European Union’s Directive on Data Protection: allows transfer of personally identifiable data to third countries only if they provide an “adequate” level of privacy protection. Compliance requirements: personal data may not be collected or recorded unless the individual has consented.
  2. Canada’s Personal Information Protection and Electronic Documents Act.

Information Technology Collection Issues

IT systems need to address the following issues , particularly if the systems collect or use personally identifiable data:

  1. Storage - central or dispersed
  2. Vulnerability - to theft or abuse
  3. Confidence - error factor in authentication process
  4. Authenticity - tampering
  5. Linking - with other databases
  6. Ubiquity - electronic trail

Last updated: August 9, 2007. Computer Ethics is a course taught in the CS/IS Department at Kennesaw State University, Kennesaw, Georgia. Opinions expressed on this Web site are those of the author, Ann K. Moceyunas. Certain Portions Copyright © 1996 -2007 Moceyunas P.C. All rights reserved. Have Questions? Contact Ann Moceyunas at ann@moceyunas.com.