ISSUES OF PRIVACY AND DATABASES IN THE EVER

BROADENING IT WORLD
SEMINARSKI RAD

Travnik,2019.
 TABLE OF CONTENTS

1. INTRODUCTION .................................................................................................................. 2

2. ELABORATION ................................................................................................................... 4

2.1. The concept of privacy .................................................................................................... 4

2.1.1. Categories of private informations ........................................................................... 5

2.2. Data privacy and IT ......................................................................................................... 6

2.2.1. Personal data ............................................................................................................ 7

2.2.2. Tips for protecting data .......................................................................................... 10

2.2.2.1. Control access to the database ......................................................................... 10

2.2.2.2. Identify sensitive and critical data ................................................................... 11

2.2.2.3. Encrypt information ........................................................................................ 11

2.2.2.4. Monitor your database activity ........................................................................ 12

3. CONCLUSION .................................................................................................................... 13

4. LITERATURE ..................................................................................................................... 14
1. INTRODUCTION

Human beings value their privacy and the protection of their personal sphere
of life. They value some control over who knows what about them. They certainly do
not want their personal information to be accessible to just anyone at any time. But
recent advances in information technology threaten privacy and have reduced the
amount of control over personal data and open up the possibility of a range of
negative consequences as a result of access to personal data. In the second half of the
20th century data protection regimes have been put in place as a response to
increasing levels of processing of personal data.

The 21st century has become the century of big data and advanced information
technology (e.g. forms of deep learning), the rise of big tech companies and the
platform economy, which comes with the storage and processing of exabytes of data.

We are currently living in the so-called information age which can be described as an
era were economic activities are mainly information based (an age of
informationalization). This is due to the development and use of technology. The
main characteristics of this era can be summarized as a rise in the number of
knowledge workers, a world that has become more open - in the sense of
communication and internationalization.

This paradigm shift brings new ethical and juridical problems which are mainly
related to issues such as the right of access to information, the right of privacy which
is threatened by the emphasis on the free flow of information, and the protection of
the economic interest of the owners of intellectual property.
In this paper the ethical questions related to the right to privacy of the individual
which is threatened by the use of technology will be discussed. Specific attention
will be given to the challenges these ethical problems pose to the information
professional. A number of practical guidelines, based on ethical norms will be laid
down.

2
The data used by organizations is stored in a database. The database typically
contains the crown jewels of any environment; it usually holds the most business-
sensitive information which is why it is a high priority target for any attacker.

This database contains all the information about the employer/client/individual that is
being entertained by that organization or the organization is collecting it without the
permission of the individual by using multiple means and resources without the
acknowledgment of the concerning person.

As the IT world is expanding the demand for online data gathering is also increasing
and with this, the threat to the privacy of data is also increasing rapidly.

There are thousands of databases floating around the Internet. Most contain Personal
Information about each of us. Driver’s license numbers, credit/debit card account
numbers, and social security numbers to name a few. Everyone knows that. What
may not be known is that our personal information is not as private as we would like
to think.

3
2. ELABORATION

2.1. The concept of privacy

Privacy can be defined as an individual condition of life characterized by

exclusion from publicity (Neetling et al., 1996, p. 36). The concept follows from the
right to be left alone states that such a perception of privacy set the course for
passing of privacy laws in the United States for the ninety years that followed. As
such privacy could be regarded as a natural right which provides the foundation for
the legal right. The right to privacy is therefore protected under private law.1
Privacy is an important right because it is a necessary condition for other rights such
as freedom and personal autonomy. There is thus a relationship between privacy,
freedom and human dignity. Respecting a person's privacy is to acknowledge such a
person's right to freedom and to recognize that individual as an autonomous human
being.
The duty to respect a person's privacy is furthermore a prima facie duty. In other
words, it is not an absolute duty that does not allow for exceptions. Two examples
can be given. Firstly, the police may violate a criminal's privacy by spying or by
seizing personal documents.2

Picture 1.: Privacy

Source:https://article.images.consumerreports.org/f_auto/prod/content/dam/CRO%2
0Images%202018/Electronics/June/CR-Electronics-InlineHero-privacy-resolutions-
1217

1
Stair, 1992., p.635; Shank, 1986., p.12
2
McGarry, 1993., p. 178

4
2.1.1. Categories of private informations

Based on the juridical definition of privacy, two important aspects which are
of specific relevance for the information profession must be emphasized. The first is
the fact that privacy as a concept is closely related to information - in terms of the
definition of Neethling privacy refers to the entirety of facts and information which
is applicable to a person in a state of isolation.

The fact that privacy is expressed by means of information, implies that it is possible
to distinguish different categories of privacy namely, private communications,
information which relates to the privacy of a person's body, other personal
information, and information with regard to a person's possessions. Each of these
categories will be briefly dealt with.

 Private communications: this category of privacy concerns all forms of

personal communication which a person wishes to keep private. The
information exchanged during a reference interview between the user and the
information professional can be seen as an example.

 Privacy of the body: this normally refers to medical information and enjoys
separate legal protection. According to this legislation a person has the right
to be informed about the nature of an illness as well as the implications
thereof. Such a person further has the right to privacy about the nature of the
illness and can not be forced to make it known to others. The only exception
is when the health, and possibly the lives of others may be endangered by the
specific illness - such as the case may be where a person is HIV positive and
the chance exists that other people may contract the virus. This category of
information is of specific importance for an information professional working
in a medical library.3

3
Westin, 1967., p.351

5
  Personal information : personal information refers to those categories of
information which refer to only that specific person, for example
bibliographic (name, address) and financial information. This type of
information is of relevance to all categories of information professionals.

 Information about one's possessions: This information is closely related to

property right. According to this a person does have control over the
information which relates to personal possessions in certain instances. For
example, a person may keep private the information about
the place where a wallet is kept.

2.2. Data privacy and IT

Data privacy, also called information privacy, is the aspect of information

technology that deals with the ability an organization or individual has to determine
what data in a computer system can be shared with third parties.4

As human beings, we all value our privacy and the protection of our private sphere of
life. We value some control over who knows what about us. We certainly do not
want our personal information to be accessible to just anyone at any time. But recent
advances in information technology threaten privacy and have reduced the amount of
control over private data and open up the possibility of a range of negative
consequences as a result of access to personal data.

The digitalization of everything has shown us that these worries are so real and that
the technical capabilities to gather, save and search a large amount of data
concerning mobile conversations, internet search histories, and electronic bill
payments are now in place and are routinely used by government agencies.

4
https://searchcio.techtarget.com/definition/data-privacy-information-privacy

6
Picture 2.: Data Privacy
Source:https://www.securityindustry.org/wp-content/uploads/2019/02/blog-data-
privacy-887x488.jpg

2.2.1. Personal data

For multi-national organizations or major companies, personal data about

customers is also a key asset.
Personal data, also known as personal information, personally identifying
information (PII), or sensitive personal information (SPI), is any information
relating to identifying a person.5

Personal information or data is information or data that is linked or can be linked to

individual persons. 6Examples include explicitly stated characteristics such as a
person‘s date of birth, sexual preference, whereabouts, religion, but also the IP
address of your computer or metadata pertaining to these kinds of information. In
addition, personal data can also be more implicit in the form of behavioural data, for
example from social media, that can be linked to individuals.

5
https://en.wikipedia.org/wiki/Personal_data
6
Olivier P., Flexible Approaches in Data, Information and Knowledge Management, p.143

7
Personal data can be contrasted with data that is considered sensitive, valuable or
important for other reasons, such as secret recipes, financial data, or military
intelligence. Data used to secure other information, such as passwords, are not
considered here.

Although such security measures (passwords) may contribute to privacy, their

protection is only instrumental to the protection of other (more private) information,
and the quality of such security measures is therefore out of the scope of our
considerations here.7

Picture 3.: Personal data/information

Source: https://codeable.io/wp-content/uploads/2018/02/gdpr-personal-data.png
2.2.1.1. Reasons for protecting personal data

Data is becoming more and more valuable. Also, skills and opportunities for
retrieving different types of personal data are evolving extremely fast. Unauthorized,
careless or ignorant processing of personal data can cause great harm to persons and
to companies.

7
Benjamin, L.M. (1991). Privacy, computers and personal information

8
Firstly, the purpose of personal data protection isn’t to just protect person’s data, but
to protect the fundamental rights and freedoms of persons that are related to that data.
Whilst protecting personal data it is possible to ensure that persons’ rights and
freedoms aren’t being violated. For example, incorrect processing of personal data,
might bring about a situation where a person is overlooked for a job opportunity or,
even worse, loses current job.8

Secondly, not complying with the personal data protection regulations can lead to
even harsher situations, where it’s possible to extract all the money from a person’s
bank account or even cause a life-threatening situation by manipulating health
information.

Thirdly, data protection regulations are necessary for ensuring and fair and
consumer friendly commerce and provision of services. Personal data protection
regulations cause a situation, where, for example, personal data can’t be sold freely
which means that people have a greater control over who makes them offers and
what kind of offers they make.9

Picture 4.: Personal data

Source:https://i.pinimg.com/originals/60/38/67/603867323c8a08eaf4211347b6d722
ac.png

8
https://ec.europa.eu/info/aid-development-cooperation-fundamental-rights/your-rights-eu/know-
your-rights/freedoms/protection-personal-data_en
9
http://www.codeofethics.sanofi/EN/protecting-privacy-and-personal-data

9
If personal data is leaked, it can cause companies significant damage to their
reputation and also bring along penalties, which is why it’s important to comply with
the person data protection regulations.

To ensure that personal data is secure, it’s important to know what data is being
processed, why it’s being processed and on what grounds. In addition, it’s important
to identify which safety and security measures are in use. All of this is possible
through a thorough data protection audit, which identifies the data flow and whether
the data protection regulations are being followed.

2.2.2. Tips for protecting data

When we give privacy or security advice, we usually talk about strong

passwords, backing up your data, using security applications, keeping systems up to
date, and avoiding default settings. In general, these are the most basic and essential
precautions any systems manager must consider. However, depending on the system
you want to protect, there are some additional issues to take into account.10

2.2.2.1. Control access to the database

Rigorous access control is the first step to keeping attackers away from your
information. In addition to basic system permissions, you should also consider:
 Limiting access to sensitive data for both users and procedures—in other
words, only authorizing certain users and procedures to make queries relating
to sensitive information.
 Limiting the use of key procedures to specific users only.
 Whenever possible, avoid simultaneous use and access outside normal or
office hours.

10
http://www.applicure.com/blog/database-security-best-practice

10
2.2.2.2. Identify sensitive and critical data

The first step, before considering protection techniques and tools, is

to analyze and identify what important information must be protected. To do so, it is
important to understand the logic and architecture of the database, to make it easier
to determine where and how sensitive data will be stored.

You should also keep an inventory of the company databases, being sure to take all
departments into account. The only way to administrate and avoid losing information
effectively is to know about all of the company’s instances and databases and keep a
record of them.11

2.2.2.3. Encrypt information

Once the sensitive and confidential data have been identified, it is good
practice to use robust algorithms to encrypt those data.
When attackers exploit a vulnerability and gain access to a server or system, the first
thing they will try to steal is the databases. These are a valuable treasure, as they
usually contain many gigabytes of valuable information; the best way to protect a
database is to make it illegible to any person who accesses it without authorization.

Picture 5.: Data encryption

Source:https://www.aureon.com/webres/Image/resources/article/IT-Encrypt-
YourData.png

11
Collier, G. (1994). Information privacy

11
2.2.2.4. Monitor your database activity

Being aware of auditing and recording actions and data movement means that
you know what information has been handled, when and how, and by whom. Having
a complete history of transactions allows you to understand data access and
modification patterns and thus avoid information leaks, control fraudulent changes
and detect suspicious activity in real time.12

Picture 6.: History of transactions

Source:https://www.interactivebrokers.com/en/software/am/am/images/transactionhi
story.jpg

12
Collier, G. (1994). Information privacy

12
3. CONCLUSION

When it comes to data privacy, there rarely is a universal law applicable to all
countries’ legislation. Over the past few years; there has been a slow, but steady
interest increase in data privacy around the world. Together with the new digital
revolution, the interest in the topic is expected to gain more attraction in a more
accelerated fashion.

It can thus be concluded that the use of technology in the processing of information,
poses important questions with regard to a person's right to privacy. This right is
directly linked to the right to freedom and human autonomy.
These problems relate mainly to the accessibility of information and the
manipulation thereof. This is of specific relevance to the information professional
who deals with private and personal information. Practical guidelines in the handling
of these problems can be formulated according to the norms of freedom, truth and
human rights.

13
4. LITERATURE

 Books:

 Stair, (1992).; Shank, (1986).

 McGarry, (1993).

 Westin, (1967).

 Olivier P., Flexible Approaches in Data, Information and Knowledge

Management

 Benjamin, L.M. (1991). Privacy, computers and personal information

 Collier, G. (1994). Information privacy

 Web:

 https://searchcio.techtarget.com/definition/data-privacy-information-privacy

 https://en.wikipedia.org/wiki/Personal_data

 https://ec.europa.eu/info/aid-development-cooperation-
fundamentalrights/yourrights-eu/know-your-rights/freedoms/protection-
personal-data_en

 http://www.codeofethics.sanofi/EN/protecting-privacy-and-personal-data

 http://www.applicure.com/blog/database-security-best-practice

14