1.2. Protecting personal data and privacy

Module 2: Protecting personal data and privacy (ORBIS and Tarsus CII)

  Learning objectives:

https://en.wikipedia.org/wiki/Information_privacy

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.^[1] It is also known as data privacy^[2] or data protection.

Data privacy is challenging since it attempts to use data while protecting an individual's privacy preferences and personally identifiable information.^[3] The fields of computer security, data security, and information security all design and use software, hardware, and human resources to address this issue.

In this module, participants will learn how personal data is used, how to protect personal data and privacy in digital environments, to understand how to use and share personally identifiable information while being able to protect oneself and others from damages, and to understand that digital services use a “Privacy policy” to inform how personal data is used.

This module has 3 sub-sections….

 Learning Content

https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/

Data protection and online privacy

EU data protection rules guarantee the protection of our personal data whenever they are collected – for example, when we buy something online, apply for a job or request a bank loan. These rules apply to both companies and organisations (public and private) in the EU and those based outside the EU who offer goods or services in the EU, such as Facebook or Amazon, whenever these companies request or re-use the personal data of individuals in the EU.

It doesn't matter what format the data takes – online on a computer system or on paper in a structured file – whenever information directly or indirectly identifying us as an individual is stored or processed, our data protection rights have to be respected.

When is data processing allowed?

EU data protection rules, also known as the EU General Data Protection Regulation (or GDPR), describe different situations where a company or an organization is allowed to collect or reuse your personal information:

• they have a contract with you – for example, a contract to supply goods or services (i.e. when you buy something online), or an employee contract
• they are complying with a legal obligation – for example, when processing your data is a legal requirement, for example when your employer gives information on your monthly salary to the social security authority, so that you have social security cover
• when data processing is in your vital interests – for example when this might protect your life
• to complete a public task – mostly relating to the tasks of public administrations such as schools, hospitals, and municipalities
• when there are legitimate interests – for example, if your bank uses your personal data to check whether you'd be eligible for a savings account with a higher interest rate

In all other situations, the company or organization must ask for your agreement (known as "consent") before they can collect or reuse your personal data.

Agreeing to data processing – consent

When a company or organization asks for your consent, you have to make a clear action agreeing to this, for example by signing a consent form or selecting yes from a clear yes/no option on a webpage. 

It is not enough to simply opt-out, for example by checking a box saying you don't want to receive marketing emails. You have to opt-in and agree to your personal data being stored and/or re-used for this purpose.

You should also be given the following information before you decide to opt-in:

• information about the company/organization that will process your data, including their contact details, and the contact details of the Data Protection Officer (DPO) if there is one
• the reason why the company /organization will use your personal data
• how long do they intend to keep your personal data
• details of any other company or organization that will receive your personal data
• information on your data protection rights (access, correction, deletion, complaint, withdrawal of consent)

All this information should be presented in a clear and understandable way.

Withdrawing consent to use personal data and the right to object

If you previously gave your consent for a company or organization to use your personal data, you can contact the data controller (the person or body handling your personal data) and withdraw your permission at any time. Once you've withdrawn your permission, the company or organization can no longer use your personal data.

When an organization is processing your personal data on the basis of their own legitimate interest or as part of a task in the public interest or for an official authority, you may have the right to object. In some specific cases, public interest may prevail and the company or organization may be allowed to continue using your personal data. For example, this could be the case for scientific research and statistics, a task performed as part of the official role of a public authority.

For direct marketing emails that promote particular brands or products, your prior consent is required. However, if you are an existing customer of a particular company, they can send you direct marketing emails about their own similar products or services. You have the right to object at any time to receiving such direct marketing and the company have to stop using your data immediately.

In all cases, you should always be given information about the right to object to the use of your personal data the first time that the company or organization contacts you.

Sample story

You can object to your data being used for direct marketing

Anatolios bought two tickets online to see his favorite band play in a live concert. Since buying the tickets, Anatolios started receiving emails with adverts for concerts and events that he wasn't interested in. He contacted the online ticketing company and asked them to stop sending him these advertising emails. The company immediately removed him from their direct marketing lists. Anatolios was happy that he didn't get any more advertising emails from them.

Specific rules for children

If your children want to use online services, such as social media, downloading music or games, they will often need approval from you, as their parent or legal guardian, as these services use the child's personal data. Your child will no longer need parental consent once they're aged over 16 (in some EU countries this age limit might be as low as 13). Controls to check parental consent have to be effective, for example by using a verification message sent to a parent's email address.

Access to your personal data

You can request access to the personal data a company or organization has about you, and you have the right to get a copy of your data, free of charge, in an accessible format. They should reply to you within 1 month and have to give you a copy of your personal data and any relevant information about how the data has been used or is being used.

Sample story

You have a right to know what data is stored about you and how it's used

Maciej, from Poland, recently subscribed to his local supermarket's loyalty scheme. Shortly after joining the scheme, he noticed he started receiving better discount vouchers for his shopping. He wondered if this was related to the loyalty scheme, so he asked the supermarket's data protection officer to tell him which information was being stored about him and how it was being used. Maciej discovered that the supermarket kept data on the products he bought every week and then was able to give him discounts related to the specific products he liked to buy.

Correcting your personal data

If a company or organization has stored personal data about you that isn't correct or is missing some information, then you can ask them to correct or update your data.

Sample story

You have the right to correct incorrect data about yourself

Alison wanted to buy a new house in Ireland and applied for a mortgage from her bank. When completing the registration form, she made a mistake entering her date of birth and the bank registered her age incorrectly in their system.

When Alison got the offers for her new mortgage and associated life insurance, she realized the mistake, as her insurance premium was much higher than her current one. She contacted the bank and asked them to correct her personal data in their system. She then received a new version of the insurance offer that correctly indicated her date of birth.

Transferring your personal data (right to data portability)

In certain situations, you can ask a company or organisation to return your data to you or to transfer it directly to another company, if this is technically possible. This is known as "data portability". For example, you can use this right if you decide to switch from one service to another similar service – for example moving from one social media site to a new one – and you'd like your personal information to be quickly and easily transferred to the new service. 

Deleting your personal data (the right to be forgotten)

If your personal data is no longer needed or is being used unlawfully then you can ask for your data to be erased. This is known as "the right to be forgotten". 

These rules also apply to search engines, such as Google, as they're also considered to be data controllers. You can ask for links to web pages including your name to be removed from search engine results, if the information is inaccurate, inadequate, irrelevant or excessive.

If a company has made your personal data available online and you ask for them to be deleted, the company also has to inform any other websites where they've been shared that you've asked for your data and links to them to be deleted.

To protect other rights, such as freedom of expression, some data may not be automatically deleted. For example, controversial statements made by people in the public eye, might not be deleted if the public interest is best served by keeping them online.

Sample story

You can ask for your personal data to be deleted and removed from other websites

Alfredo decided he no longer wanted to use any social media, so he deleted his profile from the social media sites he was using. However, a few weeks later he found his old profile photos from his social media accounts were still visible when he looked up his name in an internet search engine. Alfredo contacted the social media companies and asked them to ensure that these photos were removed. When he searched a month later, the photos had indeed been removed and they no longer appeared in the search engine results.

Unauthorized access to your data (data breach)

If your personal information is stolen, lost or illegally accessed – known as a 'personal data breach – the data controller (the person or body handling your personal data) must report it to the national data protection authority. The data controller must also inform you directly if there are serious risks related to your personal data or privacy due to the breach.

Making a complaint

If you think your data protection rights have not been respected, you can make a complaint directly to your national data protection authority which will investigate your complaint and give you a response within 3 months.

You can also choose to file a case directly in court against the company or organization concerned instead of first going to your national data protection authority.

You may be entitled to compensation if you suffer material damage, such as financial loss, or non-material damage, such as psychological distress, due to a company or organization not respecting EU data protection rules.

What about cookies?

Cookies are small text files that a website asks your browser to store on your computer or mobile device. Cookies are widely used to make websites work more efficiently by saving your preferences. They are also used to follow your internet use as you browse, make user-profiles, and then display targeted online advertising based on your preferences.

Any website wishing to use cookies has to obtain your consent before installing a cookie on your computer or mobile device. A website is not allowed to simply inform you that they use cookies, or explain how you can deactivate them.

Websites should explain how the cookie information will be used. You should also be able to withdraw your consent. If you choose to do so, the website still has to provide some sort of minimum service for you, for example, providing access to a part of the website.

Not all cookies require your consent. Cookies used for the sole purpose of carrying out the transmission of communication do not require consent. This includes, for example, cookies used for "load balancing" (enabling web server requests to be distributed over a pool of machines instead of just one). Cookies that are strictly necessary to provide an online service that you explicitly requested also do not need consent. This includes, for example, cookies used when you fill in an online form or when you use a shopping basket when shopping online.

FAQs

• FAQs - Data protection and online privacy

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en

-        We can add something from this FAQ if needed

EU legislation

• EU General Data Protection Regulation (GDPR)
• EU Directive on privacy and electronic communications

 Digital footprint and digital signature

https://en.wikipedia.org/wiki/Digital_footprint

Digital footprint or digital shadow refers to one's unique set of traceable digital activities, actions, contributions, and communications manifested on the Internet or digital devices.^[1][2][3][4] Digital footprints can be classified as either passive or active. The former is composed of a user's web-browsing activity and information stored as cookies. The latter is often released deliberately by a user to share information on websites or social media.^[5] While the term usually applies to a person, a digital footprint can also refer to a business, organization or corporation.^[6]

The use of a digital footprint has both positive and negative consequences. On the one hand, it is the subject of many privacy issues.^[7] For example, without an individual’s authorization, strangers can piece together information about that individual by only using search engines. Corporations are also able to produce customized ads based on browsing history. On the other hand, others can reap the benefits by profiting off their digital footprint as social media influencers. Furthermore, employers use a candidate’s digital footprint for online vetting and assessing fit due to its reduced cost and accessibility. Between two equal candidates, a candidate with a positive digital footprint may have an advantage. As technology usage becomes more widespread, even children generate larger digital footprints with potential positive and negative consequences such as college admissions. Since it is hard not to have a digital footprint, it is in one’s best interest to create a positive one.  

Types of digital footprints

Passive digital footprints can be stored in various ways depending on the situation. A footprint may be stored in an online database as a "hit" in an online environment. The footprint may track the user's IP address when it was created, where it came from, and the footprint later being analyzed. In an offline environment, administrators can access and view the machine's actions without seeing who performed them.

Active digital footprints can also be stored in a variety of ways depending on the situation. A footprint can be stored by a user being logged into a site when making a post or change, with the registered name being connected to the edit in an online environment. In an offline environment, a footprint may be stored in files when the owner of the computer uses a keylogger. Logs can show the actions performed on the machine and who performed them. One feature of the keylogger monitors the clipboard for any changes. Though, this may be problematic if the user intends to copy passwords or take screenshots of sensitive information, which is then logged.

Príručka digitálnej bezpečnosti (pre učiteľov)

·        A passive digital footprint is information that the user leaves unknowingly in the online space and is not directly visible. An example of a passive digital footprint can be the type of browser, device, language used, operating system, or IP address stored in the ISP's database or on the servers of the online service provider that the user has visited. An IP address helps identify a user's approximate location or ISP, but can often be unreliable because it can be masked in a targeted manner.

·        The active digital footprint includes all knowingly provided and published data on the Internet. When a user sends an email, publishes a blog, likes a photo/comment, shares a video or text on a social network, or writes through a chat, all of this and similar information becomes an active digital footprint. The user should also be aware that big players such as Google and Facebook have their own codes on a number of websites, which help the site owner to analyze traffic. In addition, they help giants to collect a wider range of digital footprints and thus a more accurate picture of online user behavior. Whether a given track is considered active or passive often depends on the technical level of the user. The more experienced user is aware that his or her behavior on the web can be tracked and therefore consciously avoids certain sites or online services or uses tools that prevent tracking.

 Privacy issues

Digital footprints are not a digital identity or passport, but the content and metadata collected impacts internet privacy, trust, security, digital reputation, and recommendation. As the digital world expands and integrates with more aspects of life, ownership and rights concerning data become increasingly important. Digital footprints are controversial in that privacy and openness compete.^[8] Scott McNealy, CEO of Sun Microsystems, said in 1999 Get Over It when referring to privacy on the Internet.^[9] The quote later became a commonly used phrase in discussing private data and what companies do with it.^[10] Digital footprints are a privacy concern because they are a set of traceable actions, contributions, and ideas shared by users. It can be tracked and can allow internet users to learn about human actions. ^[11]

Interested parties use Internet footprints for several reasons; including cyber-vetting,^[12] where interviewers could research applicants based on their online activities. Internet footprints are also used by law enforcement agencies to provide information unavailable otherwise due to a lack of probable cause.^[13] Also, digital footprints are used by marketers to find what products a user is interested in or to inspire ones' interest in a particular product based on similar interests.^[14]

Social networking systems may record the activities of individuals, with data becoming a life stream. Such social media usage and roaming services allow digital tracing data to include individual interests, social groups, behaviors, and location. Such data is gathered from sensors within devices and collected and analyzed without user awareness.^[15] When many users choose to share personal information about themselves through social media platforms, including places they visited, timelines, and their connections, they are unaware of the privacy setting choices and the security consequences associated with them.^[16] Many social media sites, like Facebook, collect an extensive amount of information that can be used to piece together a user's personality. Information gathered from social media, such as the number of friends a user has, can predict whether or not the user has an introvert or extrovert personality. Moreover, a survey of SNS users revealed that 87% identified their work or education level, 84% identified their full date of birth, 78% identified their location, and 23% listed their phone numbers. ^[16]

While one's digital footprint may infer personal information, such as demographic traits, sexual orientation, race, religious and political views, personality, or intelligence^[17] without individuals' knowledge, it also exposes individuals' private psychological spheres into the social sphere.^[18] Lifelogging is an example of an indiscriminate collection of information concerning an individual's life and behavior.^[19] There are actions to take to make a digital footprint challenging to track.^[20] An example of the usage or interpretation of data trails is through Facebook-influenced creditworthiness ratings,^[21] the judicial investigations around German social scientist Andrej Holm,^[22] advertisement-junk mails by the American company OfficeMax^[23], or the border incident of Canadian citizen Ellen Richardson.^[24]

 Bibliography

Digital citizenship / digital citizen

https://en.wikipedia.org/wiki/Digital_citizen

Digital signature

https://en.wikipedia.org/wiki/Digital_citizen