Data Protection Act: implications for monitoring technologies
1. Data Protection Act:
Implications for Monitoring Technologies
David Speakman
Liam Houston
Niall Kerrigan
March 2013
MSc. Information Systems Management, NUI Galway
2. Overview
• Evolution of DPA
• Current Implications
• Future Trends
3. The Need for Data Protection Laws
Every person has the right to privacy...
– Technology development has given greater potential for
gathering and processing of personal data
– This data is being processed without considering the
risks or, worse, taken from people without them
realising
– Monitoring technology can track where you are, what you
do and when you do it, at any time it wishes – “Big Brother”
effect. Do you recall the film Enemy of the State?
– The world envisioned in George Orwell's novel 1984 is
now evident; without correct and enforced
legislation, it is easily a possibility.
4. The Need for Data Protection Laws
[Timeline figure with two parallel tracks]
• TECHNOLOGICAL INNOVATION
– Years marked: 1965, 1973, 1992, 1997, 2001, 2014
– Events shown: First CCTV system; Increasing popularity in Mobile phones; First Web Browser; The “Dot Com” boom; Development of the Smart Phone; Google Glass
• DATA PROTECTION LEGISLATION
– Years marked: 1949, 1980, 1988, 1994, 2003, 2018
– Events shown: George Orwell's novel; OECD Guidelines to EU; Irish DPA; EU Directive on Data protection; Amendment to the DPA; Further Legislation???
5. Development of the DPA
The development of technology required data protection
legislation:
– 1981 – The Organisation for Economic Co-operation and
Development provides the EU with a set of guidelines
– 1988 – The Irish Government creates the Data Protection Act,
the first legislation created to monitor data collection
– 1995 – The EU Data Protection Directive encourages all
member states to adopt a similar approach to Data Protection
Laws to allow for legal transborder data flow
– 2003 – The Irish Government amends the DPA to align with the
EU Directive and increase the rights of the Data Subject
6. Influence of OECD Guidelines on current DPA
• OECD Guidelines: 8 key principles
– Collection Limitation
– Purpose Specification
– Use Limitation
– Security Safeguards
– Data quality
– Openness
– Individual Participation
– Accountability
• Data Protection Act: Laws to ensure
– Lawful obtaining and processing of data
– Data is relevant to its purpose
– Security
– Accuracy
– Availability of data to the data subject
– Data is not kept longer than necessary
8. CCTV
– Monitoring 24/7, 365 days a year
– Records everything you do, where you do
it, when you do it.
– Captures vast amount of “personal data”
– Subject to DPA
– Act states CCTV must be “adequate, relevant
and not excessive” for its purposes
– How are CCTV systems justified?
9. Is CCTV justifiable?
• Proper Use of CCTV system
– Must consider what CCTV is being used for
– Acceptable: capturing intruders damaging/removing goods from
premises
– Unacceptable: monitoring employees, covert surveillance
• Suitable images being recorded
– Acceptable: Areas where security issues have arisen prior to
CCTV being installed
– Unacceptable: Directly at toilet cubicles/urinals
10. Is CCTV justifiable?
• Transparency
– Information must be provided to data subject prior to recording e.g.
usually a sign at premises entrance
• Storage and retention
– Retention period must be justifiable, usually one month
– Recordings must be kept in restricted, monitored and secure
environment
– Recordings must be in either tape, still images or disk.
• Access Requests
– Requests must be made available to data subject
– Must identify subject, display date/time/location
11. E-Communications
• Now in e-communication age - part of our
everyday lives
• Process “personal data” – companies subject
to DPA via special rules
• Rules in the areas of data
breaches, marketing, data retention and data
disclosure.
• Compliance issued via Privacy Policy
• Failure to comply results in severe penalties
13. Traffic Data
– Details of calls, texts, emails, Internet use
– Should only be retained for set amount of time
for payment and querying purposes
– Restrictions in place for marketing this “traffic
data”
14. Traffic Data
Recall the abuse of “Traffic Data” by the News of the World that
forced the closure of the newspaper
15. Cookies
• Personal data may not be removed unless
user:
– 1. Informed why cookies are being used
– 2. Has given his/her consent
• The above not applicable where info is
required for communication transmission or for
info specifically required by the user e.g.
shopping cart
• Information on cookies should be readily
available to users
17. Location Data
• Gives a user's geographical location
• User must be given:
– Prior consent to location data being processed
– Reasons and duration of processing
– Whether data will be processed to a “third
party”
– Option to withdraw consent
19. Privacy vs. New Technology
• Cutting Edge Technologies – protecting privacy
becoming more difficult
• Era of “Big Data” – detailed info on our every movement
• “Personal data” on mobile devices collected and
analysed without consent – builds detailed user profiles
• “Golden Solution” – Correct Protection of civilian privacy
without halting new technological innovation
20. Strengthening Data Protection Laws
• European Commission – to reinforce EU data
legislation by 2014
“to put individuals in control of their own
personal data”
21. Future Technologies & Implications
• Google Glass
– Will make personal privacy and data protection impossible
– Recordings will be stored on Google servers
• The future of monitoring technology?
“It’s inevitable that surveillance drones will be deployed
over New York City. Get used to it”
-Michael Bloomberg, 2013