
IML-2 Data Protection Act and Ethics

The Data Protection Act 1998 is the main UK legislation governing data protection. It defines personal data and the rights of individuals to access their data. It requires organizations to comply with 8 data protection principles when processing personal data, including ensuring data is accurate, securely stored, and not kept longer than necessary. There are some exceptions for national security, crime prevention, and domestic use. Bangladesh currently lacks comprehensive data protection laws, despite a growing number of internet users, leaving citizens' personal data vulnerable to exploitation without proper legal safeguards.

Uploaded by: Ishrak Mohammad

Industrial Management and Laws

Topic 2: Data Protection Act and Ethics

Data Protection Act 1998

The Data Protection Act 1998 (DPA) is a United Kingdom Act of Parliament which defines the
law on the processing of data on identifiable living people and is the main piece of legislation
that governs data protection. Although the Act itself does not mention privacy, it was enacted
to bring British law into line with the 1995 EU Data Protection Directive on the protection of
individuals with regard to the processing of personal data and on the free movement of such data.
In practice it provides a way for individuals to control information about themselves. Most of the
Act does not apply to domestic use,[1] for example keeping a personal address book. Anyone
holding personal data for other purposes is legally obliged to comply with this Act, subject to
some exemptions. The Act defines eight data protection principles, which apply in various
contexts, to ensure that information is processed lawfully.

History
The 1998 Act replaced and consolidated earlier legislation such as the Data Protection Act 1984
and the Access to Personal Files Act 1987. At the same time it aimed to implement the European
Data Protection Directive. In some aspects, notably electronic communication and marketing, it
has been refined by subsequent legislation for legal reasons. The Privacy and Electronic
Communications (EC Directive) Regulations 2003 altered the consent requirement for most
electronic marketing to "positive consent", such as an opt-in box. Exemptions remain for the
marketing of "similar products and services" to existing customers and enquirers, which can still
be given permission on an opt-out basis.

Personal data
The Act's definition of "personal data" covers any data that can be used to identify a living
individual. Anonymised or aggregated data is not regulated by the Act, providing the
anonymisation or aggregation has not been done in a reversible way. Individuals can be
identified by various means including their name and address, telephone number or email
address. The Act applies only to data which is held, or intended to be held, on computers
('equipment operating automatically in response to instructions given for that purpose'), or held
in a 'relevant filing system'.
In some cases even a paper address book can be classified as a 'relevant filing system', for
example diaries used to support commercial activities, such as a salesperson's diary.
The Freedom of Information Act 2000 modified the Act for public bodies and authorities, and
the Durant case modified the interpretation of the Act by providing case law and precedent.
The Data Protection Act creates rights for those who have their data stored, and responsibilities
for those who store, process or transmit such data. The person who has their data processed has
the right to:

Prepared by: Jamir Ahmed, Asst. Prof. Computer Science, SUB (Page 1)
• View the data an organisation holds on them. A 'subject access request' can be obtained for a
nominal fee. As of January 2014, the maximum fee is £2 for requests to credit reference
agencies, £50 for health and educational requests, and £10 per individual otherwise.[7]
• Request that incorrect information be corrected. If the company ignores the request, a court
can order the data to be corrected or destroyed, and in some cases compensation can be
awarded.[8]
• Require that data is not used in any way that may potentially cause damage or distress.
• Require that their data is not used for direct marketing.

Data protection principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be
processed unless:
1. at least one of the conditions in Schedule 2 is met, and
2. in the case of sensitive personal data, at least one of the conditions in Schedule 3
is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and
shall not be further processed in any manner incompatible with that purpose or those
purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects
(individuals) under this Act.[11]
7. Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or
damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European
Economic Area unless that country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the processing of personal data.

Exceptions
The Act is structured such that all processing of personal data is covered by the Act, while
providing a number of exceptions in Part IV.[1] Notable exceptions are:

• Section 28 – National security. Any processing for the purpose of safeguarding national
security is exempt from all the data protection principles, as well as Part II (subject access
rights), Part III (notification), Part V (enforcement), and Section 55 (unlawful obtaining of
personal data).
• Section 29 – Crime and taxation. Data processed for the prevention or detection of crime, the
apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt
from the first data protection principle.
• Section 36 – Domestic purposes. Processing by an individual only for the purposes of that
individual's personal, family or household affairs is exempt from all the data protection
principles, as well as Part II (subject access rights) and Part III (notification).

Police and court powers

The Act grants or acknowledges various police and court powers.

• Section 29 – Consent of the data subject is not required when processing personal data to
prevent or detect crime, apprehend or prosecute offenders, assess and collect taxes and
duties, or discharge a statutory function.
• Section 35 – Disclosures required by law or made in connection with legal proceedings. This
covers disclosures required by court orders or other laws, and disclosures made as part of
legal proceedings.

Necessity of data protection laws in Bangladesh

While exploring the data protection and privacy law framework of Bangladesh, one will
immediately spot a glaring gap which is not only frustrating but also raises economic and
national security concerns in relation to the processing of its citizens' personal data. With the
total number of internet users in Bangladesh reaching 54 million at the end of September 2015
- a figure that is predicted to increase by millions every year - it is time we took personal data
protection seriously.

Take this straightforward example: imagine a scenario where an individual (data subject) filled
in an online application form with all her personal details. Intriguing as it may sound, this simple
online act could have a number of major implications. Firstly, the internet service provider (party
no. 1) of the data subject can divulge a host of information and capture any information sent
through its services. Secondly, the website (party no. 2) where the application form is hosted will
have access to the data as well as the organisation (party no. 3) that she has completed the form
for. Thirdly, to complicate matters further, the data centre (party no. 4) on which her data is
hosted may be based out of the country altogether. In such situations, without having proper
protection in the form of national legislation in the country where the data subject is based,
personal data becomes prone to exploitation by any of the parties in the chain of processing and
controlling it. Indeed, it has been recognized that many big data companies have initiated and
implemented spying and espionage programs to ensure they maintain a country competitive
advantage.

Contrast this with the European Union which has an effective data protection and privacy legal
framework, allowing its courts to recently rule that one of the big data companies, Facebook Inc.,
violated its citizens' privacy for aiding the mass and indiscriminate surveillance carried out by
the US intelligence services. Needless to mention, without any protection in place, Bangladesh
may not be even aware of how seriously its citizens could be affected by such invasions.

It is no surprise that we are witnessing a constant rise in hacking incidents of databases of
governmental organisations in Bangladesh, making the whole situation of sharing personal data
online even more distressing. In 2013, for instance, some unknown hackers breached Bangladesh
Air Force's website and extracted the full database.

While Bangladesh is well protected by virtue of the Information and Communication
Technology (ICT) Act of 2006 to bring proceedings against perpetrators of such intrusion and
unauthorized access, what it fails to take into account is that these perpetrators carry out their
operations anonymously and thus, in most cases, it is difficult to identify them. In other words, a
preventive framework at the pre-breach level is simply non-existent. The mere presence of
legislation on post-breach offences will not in fact provide adequate protection given the
anonymity of the offender and the mass surveillance practices of big companies.

The only legislation that provides for the protection, albeit limited, of privacy in general terms is
article 43 of the Constitution of the People's Republic of Bangladesh – the right to "the privacy
of [one's] correspondence and other means of communication”. In addition, there are two
guidelines passed by the Bangladesh Bank covering ICT security and outsourcing arrangements,
providing a layer of protection in the financial sector.

It is worth noting that the neighbouring country India has already enacted specific data
protection rules and a consolidated privacy bill is already in the pipeline. Given India's high
profile in the IT industry worldwide, rules regarding data protection have led to an increase in
investment by multinational data companies. Meanwhile, the lack of data protection and privacy
laws has effectively been a restriction to this market for Bangladesh, although we have all the
potential to become another influential South Asian player in the digital economy.

Bangladesh needs to act promptly not only to protect its citizens' personal data from flowing into
the hands of criminals and spying agencies both in and out of the country but also to be able to
participate in the data business estimated to be worth a trillion Euros by the year 2020. Any law
addressing data protection should clearly state the grounds for processing personal data, ensure
data subjects' rights to access, delete and object to such data, develop a culture regarding the
retention period of data, and establish a data protection authority. Bangladesh already has an
Information Commission formed under the Right to Information Act of 2009, which can be
vested with data protection responsibilities. In any event, institutions dealing with personal data
should be required to register with the Commission and give prior notification if there is a
possibility that such data will be processed outside of Bangladesh.

ACM Code of Ethics and Professional Conduct

GENERAL MORAL IMPERATIVES.

An ACM member will ...

1.1 Contribute to society and human well-being.

This principle concerning the quality of life of all people affirms an obligation to protect
fundamental human rights and to respect the diversity of all cultures. An essential aim of
computing professionals is to minimize negative consequences of computing systems, including
threats to health and safety. When designing or implementing systems, computing professionals
must attempt to ensure that the products of their efforts will be used in socially responsible ways,
will meet social needs, and will avoid harmful effects to health and welfare.

In addition to a safe social environment, human well-being includes a safe natural environment.
Therefore, computing professionals who design and develop systems must be alert to, and make
others aware of, any potential damage to the local or global environment.

1.2 Avoid harm to others.

"Harm" means injury or negative consequences, such as undesirable loss of information, loss of
property, property damage, or unwanted environmental impacts. This principle prohibits use of
computing technology in ways that result in harm to any of the following: users, the general
public, employees, employers. Harmful actions include intentional destruction or modification of
files and programs leading to serious loss of resources or unnecessary expenditure of human
resources such as the time and effort required to purge systems of "computer viruses."

Well-intended actions, including those that accomplish assigned duties, may lead to harm
unexpectedly. In such an event the responsible person or persons are obligated to undo or
mitigate the negative consequences as much as possible. One way to avoid unintentional harm is
to carefully consider potential impacts on all those affected by decisions made during design and
implementation.

To minimize the possibility of indirectly harming others, computing professionals must minimize
malfunctions by following generally accepted standards for system design and testing.
Furthermore, it is often necessary to assess the social consequences of systems to project the
likelihood of any serious harm to others. If system features are misrepresented to users,
coworkers, or supervisors, the individual computing professional is responsible for any resulting
injury.

In the work environment the computing professional has the additional obligation to report any
signs of system dangers that might result in serious personal or social damage. If one's superiors
do not act to curtail or mitigate such dangers, it may be necessary to "blow the whistle" to help
correct the problem or reduce the risk. However, capricious or misguided reporting of violations
can, itself, be harmful. Before reporting violations, all relevant aspects of the incident must be
thoroughly assessed. In particular, the assessment of risk and responsibility must be credible. It is
suggested that advice be sought from other computing professionals. See principle 2.5 regarding
thorough evaluations.

1.3 Be honest and trustworthy.

Honesty is an essential component of trust. Without trust an organization cannot function
effectively. The honest computing professional will not make deliberately false or deceptive
claims about a system or system design, but will instead provide full disclosure of all pertinent
system limitations and problems.

A computer professional has a duty to be honest about his or her own qualifications, and about
any circumstances that might lead to conflicts of interest.

Membership in volunteer organizations such as ACM may at times place individuals in situations
where their statements or actions could be interpreted as carrying the "weight" of a larger group
of professionals. An ACM member will exercise care to not misrepresent ACM or positions and
policies of ACM or any ACM units.

1.4 Be fair and take action not to discriminate.

The values of equality, tolerance, respect for others, and the principles of equal justice govern
this imperative. Discrimination on the basis of race, sex, religion, age, disability, national origin,
or other such factors is an explicit violation of ACM policy and will not be tolerated.

Inequities between different groups of people may result from the use or misuse of information
and technology. In a fair society, all individuals would have equal opportunity to participate in, or
benefit from, the use of computer resources regardless of race, sex, religion, age, disability,
national origin or other such similar factors. However, these ideals do not justify unauthorized
use of computer resources nor do they provide an adequate basis for violation of any other
ethical imperatives of this code.

1.5 Honor property rights including copyrights and patent.

Violation of copyrights, patents, trade secrets and the terms of license agreements is prohibited
by law in most circumstances. Even when software is not so protected, such violations are
contrary to professional behavior. Copies of software should be made only with proper
authorization. Unauthorized duplication of materials must not be condoned.

1.6 Give proper credit for intellectual property.

Computing professionals are obligated to protect the integrity of intellectual property.
Specifically, one must not take credit for others' ideas or work, even in cases where the work has
not been explicitly protected by copyright, patent, etc.

1.7 Respect the privacy of others.

Computing and communication technology enables the collection and exchange of personal
information on a scale unprecedented in the history of civilization. Thus there is increased
potential for violating the privacy of individuals and groups. It is the responsibility of
professionals to maintain the privacy and integrity of data describing individuals. This includes
taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized
access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be
established to allow individuals to review their records and correct inaccuracies.

This imperative implies that only the necessary amount of personal information be collected in a
system, that retention and disposal periods for that information be clearly defined and enforced,
and that personal information gathered for a specific purpose not be used for other purposes
without consent of the individual(s). These principles apply to electronic communications,
including electronic mail, and prohibit procedures that capture or monitor electronic user data,
including messages, without the permission of users or bona fide authorization related to system
operation and maintenance. User data observed during the normal duties of system operation and
maintenance must be treated with strictest confidentiality, except in cases where it is evidence
for the violation of law, organizational regulations, or this Code. In these cases, the nature or
contents of that information must be disclosed only to proper authorities.

1.8 Honor confidentiality.

The principle of honesty extends to issues of confidentiality of information whenever one has
made an explicit promise to honor confidentiality or, implicitly, when private information not
directly related to the performance of one's duties becomes available. The ethical concern is to
respect all obligations of confidentiality to employers, clients, and users unless discharged from
such obligations by requirements of the law or other principles of this Code.
