There are no privacy directives worldwide that really match that of the European Union. The Data Protection Directive1 facilitates harmonization of member states’ laws in providing consistent levels of protections for citizens, and ensuring the free flow of personal data within the European Union. The directive sets a baseline, a common level of privacy expectations that not only reinforces current data protection law for member states but also establishes a range of rights for the data subject (you and me).

This article provides a high-level insight on best practices for data privacy using the EU Data Protection Directive as an example, offering a graphical view, i.e., a collection, storage and removal model, as a means to demonstrate in a simplistic way the EU directive in practice, and discussing briefly implications both within the EU and globally.

Let us start by questioning what we mean by data privacy, and how needs for data privacy differ from information security:

• It is not just about the intellectual property or information belonging to an organization. That is covered by information security requirements.
• The information needing protection (personal data) is about you (the data subject): who you are, what you like, your health, your lifestyle; basically it is whatever you share that is linked to your identity. All information linked to your identity is called personally identifiable information (PII).
• Data privacy is not just about “personal data needing protection”; it is about protecting your rights and freedom as an individual, i.e., your right to privacy.

With this in mind, your personal data is collected and stored by government authorities and private enterprises (for the purpose of this article I refer to these entities as data holding authorities). It is the data holding authority that is interested enough in you to be motivated to collect your personal data, and in the case of the European Union, is required to adhere to data privacy legislation of the member state where it is resident.

For the purpose of this article and for simplicity, the lifecycle of personal information that you share has been divided into three distinct phases: collection, storage (and processing), and removal of personal data. The key actors for all three phases are the data subject and the data holding authority.

Before we dive in, it is important to understand that a key concept in a working data privacy model is enforceability: data subjects have rights established in explicit rules.2 For example, in the EU this is made possible by the installation in each member state of a commissioner who is responsible for data privacy. The commissioner’s toolbox is privacy legislation, i.e., legislation that is at a minimum implemented to a level of privacy as prescribed in the EU directive.
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • All rights reserved
A Simple Guide to European Union Data Privacy | Karen Öqvist ISSA Journal | December 2009
are outside of the scope of what it was collected for, e.g., for marketing activities.

Personal data removal

Finally, the data must be removed once the original purpose of collection is no longer relevant. Furthermore, the data subject has the right to ask for the removal of personal data. This data could be sanitized for historical, statistical, or scientific purposes, i.e., with the removal of any links to the data subject’s identity. Anonymous data is not within the scope of data privacy directives such as those found in the European Union.

Where this works in practice

The expectation for the right to privacy of personal data is recognized at the highest levels in the European Union. Every European Union country has a data protection commissioner or agency that enforces the rules. In the UK, for example, these rules are codified as law in the Data Protection Act (DPA),3 which places pressure on governments and organizations to have the necessary data privacy controls implemented. Other EU member states have their own DPA variants.

It is expected that the countries with which EU member states do business must provide a similar level of oversight concerning data privacy. The consequences have been an impact on the free flow of personal data from the European Union to those countries with different data protection levels.

United States of America

The U.S. “Safe Harbor Agreement” has been defined to overcome any deficiencies in the U.S. approach to information privacy, which is mainly self-regulated with minimal federal legislation. The Safe Harbor provides United States companies the option to voluntarily self-certify to adhere to a set of privacy principles.

Asia-Pacific Economic Cooperation

The Asia-Pacific Economic Cooperation (APEC) is actively engaged in developing the Asia-Pacific privacy standard.4 The idea of the standard is to provide a practical policy approach to enable accountability in the flow of data while preventing impediments to trade. It provides technical assistance to those APEC economies that have not addressed privacy from a regulatory or policy perspective.

Latin America

Ibero-American Data Protection has been motivated by the need to implement harmonized measures for the protection of personal data that would enable the free flow of information, thus facilitating trade. Very few Latin American countries have privacy legislation in this area.

Conclusion

If you want to know more about the European Union data privacy principles, you need to visit the website for the EU Data Protection Directive.5 Here you will find the directive along with exceptions, and links to how it is implemented by each individual member state.

About the Author

Karen Öqvist has over 20 years’ experience in IT and information security and today works internationally as a senior security architect for HP. She has a Masters Degree in Information Security and is a published author on the subject of information security, identity, and privacy. She is a frequent speaker and hosts a blog at www.virtualshadows.com. She may be reached at karen@virtualshadows.com.

3 Information Commissioner’s Office (1998) The Data Protection Act – http://www.ico.gov.uk/what_we_cover/data_protection.aspx (accessed 24 November 2009).
4 APEC (2005) What is the APEC Privacy Framework? http://74.125.77.132/search?q=cache%3AX0w_Vw2O_DQJ%3Awww.apec.org%2Fapec%2Fnews___media%2F2004_media_releases%2F201104_apecminsendorseprivacyfrmwk.MedialibDownload.v1.html%3Furl%3D%2Fetc%2Fmedialib%2Fapec_media_library%2Fdownloads%2Fministerial%2Fannual%2F2004.Par.0015.File.v1.1+apec+privacy+framework&hl=en (accessed 24 November 2009).
5 http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.