
Ethics and Information Systems Security
Glenn A. Asuncion
MSIT

Ethics and Information Systems Security

• Ethics and Information Security
• Relevant Philippine Laws
• International Laws and
• Ethical Hacking
Law and Ethics in Information Security

Laws are rules that mandate or prohibit certain behavior; they are drawn from ethics, which define socially acceptable behaviors.

The key difference between laws and ethics is that laws carry the authority of a
governing body, and ethics do not. Ethics in turn are based on cultural mores.
Organizational Liability and
the Need for Counsel

• What if an organization does not demand or even encourage strong ethical behavior from its employees?

• What if an organization does not behave ethically?
Organizational Liability and
the Need for Counsel

Liability is the legal obligation of an entity that extends beyond criminal or contract law. It includes the legal obligation to make restitution, or to compensate for wrongs committed.
Organizational Liability and
the Need for Counsel

Due care standards are met when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions.

Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort.
Policy Vs Law

Policies — guidelines that describe acceptable and unacceptable employee behaviors in the workplace — function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance. Because these policies function as laws, they must be crafted and implemented with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace.
Policy Vs Law

Dissemination (distribution) — The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.

Review (reading) — The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recordings of the policy in English and alternate languages.

Comprehension (understanding) — The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.
Policy Vs Law

Compliance (agreement) — The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.

Uniform enforcement — The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
Types of Law
Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
Criminal law addresses activities and conduct harmful to society, and is actively enforced by the state.
Law can also be categorized as private or public.
Private law encompasses family law, commercial law, and labor law, and regulates
the relationship between individuals and organizations.
Public law regulates the structure and administration of government agencies and
their relationships with citizens, employees, and other governments. Public law
includes criminal, administrative, and constitutional law.
Relevant Philippine Law
In 2012 the Philippines passed the Data Privacy Act of 2012, comprehensive and strict privacy legislation “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act No. 10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National Privacy Commission that enforces and oversees it and is endowed with rulemaking power. On September 9, 2016, the final implementing rules and regulations came into force, adding specificity to the Privacy Act.
Republic Act 10173
(Data Privacy Act of 2012)
CHAPTER I – GENERAL PROVISIONS
– SECTION 1. Short Title.
– SECTION 2. Declaration of Policy.
– SECTION 3. Definition of Terms.
– SECTION 4. Scope.
– SECTION 5. Protection Afforded to Journalists and Their Sources.
– SECTION 6. Extraterritorial Application.
CHAPTER II – THE NATIONAL PRIVACY COMMISSION
– SECTION 7. Functions of the National Privacy Commission.
– SECTION 8. Confidentiality.
– SECTION 9. Organizational Structure of the Commission.
– SECTION 10. The Secretariat.
CHAPTER III – PROCESSING OF PERSONAL INFORMATION
– SECTION 11. General Data Privacy Principles.
– SECTION 12. Criteria for Lawful Processing of Personal Information.
– SECTION 13. Sensitive Personal Information and Privileged Information.
– SECTION 14. Subcontract of Personal Information.
– SECTION 15. Extension of Privileged Communication.
Republic Act 10173 (Data Privacy Act of 2012)
CHAPTER IV – RIGHTS OF THE DATA SUBJECT
– SECTION 16. Rights of the Data Subject.
– SECTION 17. Transmissibility of Rights of the Data Subjects.
– SECTION 18. Right to Data Portability.
– SECTION 19. Non-Applicability.
CHAPTER V – SECURITY OF PERSONAL INFORMATION
– SECTION 20. Security of Personal Information.
CHAPTER VI – ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
– SECTION 21. Principle of Accountability.
CHAPTER VII – SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT
– SECTION 22. Responsibility of Heads of Agencies.
– SECTION 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.
– SECTION 24. Applicability to Government Contractors.
Republic Act 10173 (Data Privacy Act of 2012)
CHAPTER VIII – PENALTIES
– SECTION 25. Unauthorized Processing of Personal Information and Sensitive Personal Information.
– SECTION 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence.
– SECTION 27. Improper Disposal of Personal Information and Sensitive Personal Information.
– SECTION 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized
Purposes.
– SECTION 29. Unauthorized Access or Intentional Breach.
– SECTION 30. Concealment of Security Breaches Involving Sensitive Personal Information.
– SECTION 31. Malicious Disclosure.
– SECTION 32. Unauthorized Disclosure.
– SECTION 33. Combination or Series of Acts.
– SECTION 34. Extent of Liability.
– SECTION 35. Large-Scale.
– SECTION 36. Offense Committed by Public Officer.
– SECTION 37. Restitution.
CHAPTER IX – MISCELLANEOUS PROVISIONS
– SECTION 38. Interpretation.
– SECTION 39. Implementing Rules and Regulations (IRR).
– SECTION 40. Reports and Information.
– SECTION 41. Appropriations Clause.
– SECTION 42. Transitory Provision.
– SECTION 43. Separability Clause.
– SECTION 44. Repealing Clause.
– SECTION 45. Effectivity Clause.
Privacy Act of 2012

The Data Privacy Act is broadly applicable to individuals and legal entities that
process personal information, with some exceptions. The law has extraterritorial
application, applying not only to businesses with offices in the Philippines, but
when equipment based in the Philippines is used for processing. The act further
applies to the processing of the personal information of Philippines citizens
regardless of where they reside.
One exception in the act provides that the law does not apply to the processing of
personal information in the Philippines that was lawfully collected from residents
of foreign jurisdictions — an exception helpful for Philippine companies that offer
cloud services.
Privacy Act of 2012

The Philippines law takes the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”
Privacy Act of 2012

The act states that the collection of personal data “must be a declared, specified, and legitimate purpose” and further provides that consent is required prior to the collection of all personal data. It requires that when obtaining consent, the data subject be informed about the extent and purpose of processing, and it specifically mentions the “automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.” Consent is further required for sharing information with affiliates or even mother companies.
Privacy Act of 2012

* Consent must be “freely given, specific, informed,” and the definition further
requires that consent to collection and processing be evidenced by recorded
means. However, processing does not always require consent.
* Consent is not required for processing where the data subject is party to a
contractual agreement, for purposes of fulfilling that contract. The exceptions of
compliance with a legal obligation upon the data controller, protection of the vital
interests of the data subject, and response to a national emergency are also
available.
* An exception to consent is allowed where processing is necessary to pursue the
legitimate interests of the data controller, except where overridden by the
fundamental rights and freedoms of the data subject.
Privacy Act of 2012

The law requires that when sharing data, the sharing be covered by an agreement that provides adequate safeguards for the rights of data subjects, and that these agreements are subject to review by the National Privacy Commission.
Privacy Act of 2012

The law defines sensitive personal information as being:

• About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by that individual;
• Issued by government agencies “peculiar” (unique) to an individual, such as a social security number;
• Marked as classified by executive order or act of Congress.
Privacy Act of 2012

Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a major anti-terrorism law that enables surveillance) must comply with the Privacy Act.
Privacy Act of 2012

The law requires that any entity involved in data processing and
subject to the act must develop, implement and review procedures
for the collection of personal data, obtaining consent, limiting
processing to defined purposes, access management, providing
recourse to data subjects, and appropriate data retention policies.
These requirements necessitate the creation of a privacy program.
Requirements for technical security safeguards in the act also
mandate that an entity have a security program.
Privacy Act of 2012

The law enumerates rights that are familiar to privacy professionals as related to
the principles of notice, choice, access, accuracy and integrity of data.
* The Philippines law appears to contain a “right to be forgotten” in the form of a right to
erasure or blocking, where the data subject may order the removal of his or her personal
data from the filing system of the data controller. Exercising this right requires “substantial
proof,” the burden of producing which is placed on the data subject. This right is expressly
limited by the fact that continued publication may be justified by constitutional rights to
freedom of speech, expression and other rights.

* Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.

* A right to data portability is also provided.


Privacy Act of 2012

The law defines “security incident” and “personal data breach” separately, ensuring that the two are not confused. A “security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise availability, integrity or confidentiality. This definition includes incidents that would have resulted in a personal data breach, if not for safeguards that have been put in place.
A “personal data breach,” on the other hand, is a subset of a security incident that actually leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
Privacy Act of 2012

The law places a concurrent obligation to notify the National Privacy Commission as well as affected data subjects within 72 hours of knowledge of, or reasonable belief by the data controller of, a personal data breach that requires notification.

It is unclear at present whether the commission would allow a delay in notification of data subjects to allow the commission to determine whether a notification is unwarranted. By the law, this would appear to be a gamble.
Privacy Act of 2012

The contents of the notification must at least describe:

• The nature of the breach;
• The personal data possibly involved;
• The measures taken by the entity to address the breach;
• The measures taken to reduce the harm or negative consequences of the breach;
• The representatives of the personal information controller, including their contact details;
• Any assistance to be provided to the affected data subjects.
Privacy Act of 2012

The law provides separate penalties for various violations, most of which also
include imprisonment. Separate counts exist for unauthorized processing,
processing for unauthorized purposes, negligent access, improper disposal,
unauthorized access or intentional breach, concealment of breach involving
sensitive personal information, unauthorized disclosure, and malicious disclosure.
Any combination or series of acts may cause the entity to be subject to
imprisonment ranging from three to six years as well as a fine of approximately
1,000,000 to 5,000,000 pesos.
Notably, there is also the previously mentioned private right of action for damages,
which would apply.
Privacy Act of 2012

Persons having knowledge of a security breach involving sensitive personal information and of the obligation to notify the commission of the same, and who fail to do so, may be subject to penalty for concealment, including imprisonment for one and a half to five years and a fine of approximately 500,000 to 1,000,000 pesos.
Depending upon the circumstances, additional violations might apply.
Ethics and Information Systems Security
Glenn A. Asuncion
MSIT

https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/
