PRIVACY, DATA PROTECTION AND FREEDOM OF INFORMATION
In considering privacy, data protection, and freedom of information laws, we need to consider normative and ethical issues as well as legal ones.
Privacy is something we all seem to want in some cases and all seem to be willing to give up in others. “Privacy is an important, but illusive concept in law. The right to privacy is acknowledged in several broad-based international agreements. Article 12 of the Universal Declaration of Human Rights and Article 17 of the United Nations International Covenant on Civil and Political Rights both state that, ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks’” (Stratford & Stratford, 1998).
Stratford and Stratford note, “The term “privacy” does not appear in the U.S. Constitution or the Bill of Rights. However, the U.S. Supreme Court has ruled in favor of various privacy interests-deriving the right to privacy from the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments to the Constitution” (1998).
As stated by the Global Network Initiative:
Privacy: Privacy is defined using Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR)
UDHR: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
ICCPR: 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 2. Everyone has the right to the protection of the law against such interference or attacks.
The Global Network Initiative notes, ““Privacy is a human right and guarantor of human dignity. Privacy is important to maintaining personal security, protecting identity and promoting freedom of expression in the digital age.
Everyone should be free from illegal or arbitrary interference with the right to privacy and should have the right to the protection of the law against such interference or attacks.
The right to privacy should not be restricted by governments, except in narrowly defined circumstances based on internationally recognized laws and standards. These restrictions should be consistent with international human rights laws and standards, the rule of law and be necessary and proportionate for the relevant purpose” (2009).
“The Privacy Act (PL 93-579) is a companion to and extension of the Freedom of Information Act (FOIA) of 1966. FOIA was primarily intended to provide access to government information. It did exempt the disclosure of personnel and medical files that would constitute “a clearly unwarranted invasion of personal privacy” . This provision was initially used to deny access to people requesting their own records. So the Privacy Act was also adopted both to protect personal information in federal databases and to provide individuals with certain rights over information contained in those databases. The act has been characterized as “the centerpiece of U.S. privacy law affecting government record-keeping” . The act was developed explicitly to address the problems posed by electronic technologies and personal records systems and covers the vast majority of personal records systems maintained by the federal government. The act set forth some basic principles of “fair information practice,” and provided individuals with the right of access to information about themselves and the right to challenge the contents of records. It requires that personal information may only be disclosed with the individual’s consent or for purposes announced in advance. The act also requires federal agencies to publish an annual list of systems maintained by the agency that contain personal information” (Statford & Stratford, 1998).
Statford and Stratford continue, “The Computer Security Act of 1987 (PL 100-235) also deals with personal information in federal record systems. It protects the security of sensitive personal information in federal computer systems. The act establishes government wide standards for computer security and assigns responsibility for those standards to the National Institute of Standards. The law also requires federal agencies to identify systems containing sensitive personal information and to develop security plans for those systems” (1998).
In regard to Web 2.0 (Social Media) Use
As JISC Legal notes, “Many web 2.0 technologies place users at a point where submission of personal data is necessary to use the tool. This brings with it risks concerning the privacy and personal data of individuals” (JISC Legal, 2008b). This causes a number of data protection and freedom of information issues. In essence, “Data protection law allows individuals to control the collection, use and transfer of personal information about them. There may be situations where the setting up of student accounts by staff on externally Web 2.0 sites is a transfer of personal data, which must be done in compliance with the relevant legislation” (JISC Legal, 2008a).
The Federal Trade Commission is educating consumers and businesses about the importance of personal information privacy, including the security of personal information. Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use and secure consumers' personal information. Under the Gramm-Leach-Bliley Act, the Commission has implemented rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information, and it aggressively enforces against pretexting (Federal Trade Commission).
Some questions to ask ourselves:
- What records does the activity generate for which institutions are responsible?
- Do they contain data that carry obligations of confidentiality, limitations on use or disclosure, requirements for ready access/availability?
- How and where are they maintained?
- Can materials be accessed when needed for course and institutional purposes?
- What do hosting sites do with the data created by course participants?
- When are you or your students conducting human subjects research? (Cate, 2008).
In regard to Web 2.0 (Social Media) Use
U.S. SAFE WEB ACT OF 2006
Congress approved S. 1608, the “Undertaking Spam, Spyware, And Fraud Enforcement with Enforcers beyond Borders Act of 2006,” (the US SAFE WEB Act of 2006) on December 9, 2006. The US Safe Web Act amends the Federal Trade Commission Act (FTCA) and improves the Federal Trade Commission (FTC)’s ability to protect consumers from international fraud by: (1) improving the FTC’s ability to gather information and coordinate investigation efforts with foreign counterparts; and (2) enhance the FTC’s ability to obtain monetary consumer redress in cases involving spam, spyware, and Internet fraud and deception (Brownlee, 2006).
“Where departments process the sensitive personal data, for example, collect information or details regarding a persons ethnic origin or religious beliefs, sex life etc in order for them to use a Web 2.0 tool, explicit consent from the users should be obtained prior to processing any sensitive personal data. Processing of data for marketing and advertising purposes is one other risk which departments need to be aware of. Such a risk could arise in situations where the personal data collected for or during Web 2.0 use is used for purposes of advertising or marketing. It should be understood here that users have the right to object to this and therefore they should be given the option to opt out of being exposed to such marketing or advertising material” (JISC, 2008).
Brownlee, C. (2006, December 13). U.S. Safe Web Act of 2006. Privacy and Security Law Blog. Retreived November 4, 2009 from http://www.privsecblog.com/2006/12/articles/spam/us-safe-web-act-of-2006/
Cate, B. (2009, January 22). The Law and Policy of Web 2.0: Much Old, Some New, Lots Borrowed, So Don't Be Blue. Educuase Learning Initative. Retrieved from http://hosted.mediasite.com/mediasite/Viewer/?peid=98e83dc76b9749f3a08996bfb0f5904b
Federal Trade Commission (2010). Federal Trade Commission. Retrieved April 22, 2010 from http://www.ftc.gov/
Global Network Initiative (2010). Global Network Initiative. Retrieved April 22, 2010 from http://www.globalnetworkinitiative.org/
JISC Legal (2008a, Sept 18). Web 2.0 and the law for HE policy makers. Retrieved from http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/Web2_HE_Policy_Makers.pdf
JISC Legal. (2008, September 18). Social media and the Law for HE Policy Makers. Retrieved from http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/Web2_HE_Policy_Makers.pdf
Stratford, J.S. & Stratford, J (1998, Fall). Data Protection and Privacy in the United States and Europe. IASSIST Quarterly. 22(1). Retrieved October 21, 2009 from http://www.iassistdata.org/downloads/iqvol223stratford.pdf