Week 12 Flashcards

Legal Protections

1
Q

Four Major Categories of Information Rights Issues:

A

– Information rights – your personal info
– Property rights – how can they be enforced?
– Governance – is the internet subject to public law?
– Public safety and welfare; gambling, porn, child

2
Q

What is Privacy?

A

Moral right of individuals to be left alone, free from
surveillance or interference from other individuals
or organizations

3
Q

What is Information Privacy?

A

Information privacy
– Subset of privacy
– Includes:
* The claim that certain information should not be
collected at all
* The claim of individuals to control the use of
whatever information is collected about them

4
Q

Privacy Issues

A
  • IS can collect, store, integrate, interchange and
    retrieve data very quickly
    – e.g. Tesco Club Card
  • Beneficial effect:
    – Efficiency, effectiveness, competitive advantage
  • Detrimental effect:
    – Individual’s right to freedom
  • Major political issue:
    – Development of laws that govern relations between
    record-keepers and individuals

5
Q

What is a web cookie?

A

A web cookie is a small piece of data stored on the user’s computer by the web
browser while browsing a website. Cookies can also be used to remember
pieces of information that the user previously entered such as names,
addresses, passwords, phone numbers, etc.
While cookies offer convenience for users, they also facilitate tracking of users
and so have data protection implications.
GDPR does not prohibit cookies, but requires users to give permission to use
them when they first visit a website.

6
Q

Data Collected on E-commerce Sites

A

– Personally identifiable information (PII): any data
that can identify and locate an individual
– Anonymous information

7
Q

Types of Data collected on E-commerce sites

A

– Name, address, phone, e-mail, social security
– Bank accounts, gender, age, occupation, education
– Preference data, transaction data, clickstream
data, browser type

8
Q

What is Profiling?

A

Creation of digital images that characterize online
individual and group behavior

9
Q

What is Google’s AdWords program?

A

Businesses pay to get their advertisements ranked at the top
of the search results page, based on the keywords they want to target.

10
Q

What is CyberLaw?

A

Laws intended to regulate activities over the
Internet or via the use of electronic data
communications and storage
– Intellectual property
– Privacy
– Freedom of expression
– Jurisdiction

11
Q

Issues with Cyber Law

A

– Applicability of analogous legal principles and
precedent
– Internet regulation – national jurisdiction
– Unsettled body of law

12
Q

Data Protection Acts (1984, 1988, 2002)

A
  • Obtain and process data fairly
  • Specified purpose
  • Disclose only if compatible with purpose
  • Keep safe and secure
  • Accurate, complete and up to date
  • Relevant and not excessive
  • Retain only as long as necessary
  • Comply with access requests

13
Q

What must those holding personal information do?

A

– Give individuals access to their personal data
– Allow individuals to correct or delete any
information about them that is inaccurate or
irrelevant
– Obtain information fairly, openly and transparently
– Use it only in ways compatible with the purpose for
which it was originally collected
– Secure it against unauthorised access or loss
– Ensure that it is kept accurate and up to date

14
Q

What must those holding personal data not do?

A

– Further process data in a manner incompatible with
the purpose for which it was given
– Retain it for longer than is necessary for the
purpose for which it was given

15
Q

Opt-in: EU standard

A

You must give your explicit consent to have data compiled about you

16
Q

Opt-out: US standard

A

Opt-out: US standard

17
Q

What is Pseudonymisation?

A

Processing personal data so that it cannot be attributed
to an individual without extra information.
* Pseudonymised data is encouraged
– extra security for the data
– used for statistical purposes.

18
Q

GDPR terminology: Personal data

A

‘personal data’ means any information, including
data that can be combined with other
information, relating to an identified or
identifiable natural person (‘data subject’);

19
Q

GDPR terminology: Natural Person

A

‘natural person’ is one who can be identified,
directly or indirectly, in particular by reference to
– an identifier such as a name, an identification
number, location data
– an online identifier or to one or more factors
specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that
natural person

20
Q

GDPR Terminology: Sensitive Data

A

‘Sensitive’ personal data
– racial or ethnic origin,
– political opinions
– religious or philosophical beliefs
– trade union membership
– processing of genetic data
– biometric data
– data concerning health
– data concerning a natural person’s sex life

21
Q

GDPR terminology: Processing

A

Processing: means performing any operation or
set of operations on personal data, including:
– obtaining, recording or keeping data;
– organising or altering the data;
– retrieving, consulting or using the data;
– disclosing the data to a third party (including
publication);
– erasing or destroying the data

22
Q

GDPR terminology : Data Controller

A

The data controller is the person or organisation
who decides the purposes for which, and the
means by which, personal data is processed.
* ‘purpose’ of processing data involves ‘why’ the
personal data is being processed
* ‘means’ involves ‘how’ the data is processed.

23
Q

GDPR terminology: Data Processor

A

A person or organisation that
processes personal data on behalf of a data
controller, but is not an employee of the data controller above.
Data processing might be outsourced to an external company.
Data processors might include
- Marketing agencies
- Offshore data entry
- Analysts

24
Q

GDPR Principles

A
  • processed lawfully, fairly and in a transparent
    manner in relation to individuals;
  • collected for specified, explicit and legitimate
    purposes and not further processed in a manner
    that is incompatible with those purposes;
    – archiving shall not be considered to be
    incompatible with the initial purposes;
  • adequate, relevant and limited to what is
    necessary in relation to the purposes for which
    they are processed;
  • accurate and, where necessary, kept up to
    date;
  • kept in a form which permits identification of
    data subjects for no longer than is necessary
    for the purposes for which the personal data are
    processed;
  • processed in a manner that ensures appropriate
    security of the personal data, including
    protection against unauthorised or unlawful
    processing and against accidental loss,
    destruction or damage, using appropriate
    technical or organisational measures.
    – poor security on other people’s data is illegal
25
Q

GDPR Controller Obligations

A
  • Privacy by design
  • Ensure processors are GDPR compliant
  • Keep data control records
  • Keep data secure
  • Report data breaches
  • Carry out impact assessments
  • Appoint a data protection officer (DPO)
  • Comply with certification
  • Ensure data transfer outside the EU is sufficiently
    compliant.
26
Q

GDPR personal rights

A
  • Transparency
  • Subject access rights (no fee)
  • Right to rectify
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability (new)
    – right of data transfer in machine readable format
  • Right to object
  • Right not to be subject to automated decision
    taking
27
Q

GDPR requirements of data holders

A
  • Make an inventory of all personal data you hold
    and examine it under the following headings:
    – Why are you holding it?
    – How did you obtain it?
    – Why was it originally gathered?
    – How long will you retain it?
    – How secure is it (encryption and accessibility)?
    – Do you share it with 3rd parties, and on what basis?
    – How do you dispose of data?
  • Many organisations don’t really know what data
    they have.
    – Word documents, Excel spreadsheets, laptops etc.
28
Q

GDPR and Actuaries

A
  • Actuaries must ensure that customers have given
    consent for any analysis that they wish to
    conduct.
    – Consent policies have to be updated
  • Actuaries must be careful of local stores of data
    – Excel
  • Pseudonymisation should be systematic
    – Just don’t allow access to unneeded data
  • Customers have a right to know how their data is
    processed
    – A system is needed to explain processing
29
Q

What is the EU Digital Markets Act?

A

The DMA regulates large gatekeeper businesses
– Allow users to install apps from other sources
– Prohibit the gatekeeper from favouring its own services
– Prohibit the gatekeeper from using data that is not available to third parties
* The DMA is enforced centrally by the EU
– Fines can be 10% of the gatekeeper’s total worldwide turnover

30
Q

What must Gatekeepers NOT do?

A

– treat gatekeeper services and products more
favourably than those offered by third parties
– prevent consumers from linking up to businesses
outside their platforms
– prevent users from uninstalling any pre-installed
software or app if they so wish
– track end users outside of the gatekeepers’ core
platform service for targeted advertising, without
effective consent having been granted

31
Q

What Must Gatekeepers do?

A

– allow third parties to interoperate with the
gatekeeper’s own services
– allow their users to access the data that they
generate in their use of the gatekeeper’s platform
– provide companies advertising on their platform
with the tools for independent verification of their
advertisements hosted by the gatekeeper
– allow their business users to promote their offer
outside the gatekeeper’s platform

32
Q

What is the EU Digital Services Act?

A
  • Regulates Very Large Online Platforms (45m users)
    – illegal content
    – transparent advertising
    – disinformation