MSIN1007 – Information Management for Business

Intelligence

Business Intelligence Individual Coursework

Legal and Ethical Issues Pertaining to the

Storage of Personal data

Yiwei Zhou

23rd November 2016

1
Contents:

Introduction

1. The definition of personal data

2. The definition of sensitive personal data

3. The concerns of the public

4. The definition of ethics and ethical research

5. The development of EU data protection laws

Management Summary

Method/ Approach

Part One - Preparing for the GDPR

1. Findings: the key facts of the GDPR

2. Conclusions: the implications of the GDPR for companies

3. Recommendations: the compliance of companies to the GDPR

Part Two - Data Protection Issues

1. Findings: the key facts of the DPA

2. Conclusions: ethical issues around the protection of personal data

3. Recommendations: the guidelines for companies to deal with data breaches

Bibliography

2
Introduction

We are living in a digital age with the proliferation of data collection and data storage. It is common

for people to browse activities and locations posted by their friends on smartphone apps, and deal

with daily tasks such as paying bills or shopping. As Gordon and Wiseman argued, “personal data is

much easier to obtain than ever before” (2003, p.2). As a result, the wealth of information can

sometimes cause security issues, which can lead to the public’s demand for stronger controls to

companies and governments’ access to personal information. In order to impose restrictions on the

use of personal data, and to provide the safeguards within the European Union, the General Data

Protection Regulation (GDPR) was introduced by the EU and was expecting to come into power by

June 2018.

1. The definition of personal data

European Commission (2015) defined personal data as “any information relating to an individual”,

which could be presented in various forms, such as “a name, a photo, an email address, bank details,

your posts on social networking websites, your medical information, or your computer's IP address”.

2. The definition of sensitive personal data

Sensitive personal data, which are usually preferred “not to be shared with wider society”, may

“incriminate a person” (Van Den Eynden 2012, slide 5). These data contain individuals’ information

of “race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical

or mental health or condition, sexual life, commission or alleged commission of an offence,

proceedings for an offence committed, disposal of such proceedings or the sentence of any court in

such proceedings” (Information Commissioner’s Office).

3. The concerns of the public

3
Viktor Mayer-Schönberger, a professor of Internet Governance and Regulation at the University of

Oxford, pointed out that “data leakages have become the rule rather than the exception in a digital-

remembering age” (2011, p152). In a survey carried out by ICO (2015), the result shows that 85% of

people are concerned about the processing of their personal data. The survey also shows 77% of

people are worried about organisations not keeping their personal details safely. The reason which

arouses these concerns is that organisations fail to “maintain the balance between profit and privacy”

(Rossi 2016). Therefore, strengthening data protection within organisations to empower individual’s

ability in personal data is becoming increasingly necessary.

4. The definition of ethics and ethical research

Oxford Dictionaries define ethics as “moral principles that govern a person's behaviour or the

conducting of an activity.” Both individuals and companies are expected to process personal data with

high ethical standards with a sense of “duty of confidentiality towards informants and participants”

(Veerle Van Den Eynden 2012, slide 10)

5. The development of the EU data protection laws

The EU regards personal data protection as one of its fundamental responsibilities. In 1995, the EU

Data Protection Directive (DPD or Directive 95/46/EC), which was “a national regulation required to

implement Directive and differ widely across 27 member states” (Schmitt 2012, slide 4), was

published. In the UK, two acts including the Data Protection Act (DPA) 1998 and the Freedom of

Information Act 2000, were enacted to implement the DPD. The GDPR was then introduced in 2012,

which marked the end of “legal fragmentation” (ibid). Examining the differences between the DPD

and the GDPR, Dirk (2011) commented that the DPD was just “a directive that member states still

needed to translate into national law”; whereas the GDPR was “a full-blown regulation that does not

require any enabling legislation to be passed by governments.”

4
Management Summary

This report analysed and evaluated the legal and ethical issues of the storage of personal data.

The result shows the key facts of the GDPR, and the main principles of the DPA, which aim

to better secure personal data. Moreover, it also discussed the ethical issues regarding to the

protection of personal data.

Findings:

The report finds the following influences of regulations on companies:

Positive Influences:

• The regulation environment will be simplified

• The re-trust of customers to the companies

Negative Influences:

• The complexities of renewing policies

• The high cost of the implementing the act

Recommendations:

• Adding more roles such as data protection officers, in companies

• Extending existing roles’ responsibilities

• Launching a new project which aims to raise employees’ awareness of data protection

• Determining appropriate internal policies, and reviewing the implement periodically

• Having faster responses to data reaches

Limitations:

Since the GDPR was published recently, there was not sufficient number of real-world

examples to examine the feasibility of the act when the report was conducted.

5
Approach

From my studies in business intelligence at UCL, I found my interest in the application of the

big data in the business world. My attendance at Paul Denning’s speech confirmed my

interest, and inspired me to perform this report because I want to find the influence of

European Union data protection law on retailed companies.

I conducted my detailed research mainly through reading and attending lectures. One of the

most important sources in my report is the Business Intelligence lectures including “Week 5,

Data Security” hosted by Paul and “Week 7, Steve, Big data and data storage” hosted by

Steve. Browsing organisation’s official websites also help develop my report. For better

understanding the influence of big data, I read relevant books such as Delete written by

Viktor Mayer-Schönberger. I also read magazines, online news and some experts’ academic

articles. Reading the valid argument and theory written by professional people gives me a

deep insight into the implication of the data protection law, and help me form my own ideas

about what can companies do to show the compliance of the regulations.

6
Part One – The GDPR Section

In this section, I will firstly highlight the GDPR’s key changes. In terms of its changes, I will analyse

the potential effects on companies, and give corresponding advice.

1. Findings: the key facts of the GDPR

1.1 The main guiding principle of the GDPR

The main guiding principle of the GDPR was to harmonise EU data protection law, to protect

individuals against the abuse of personal data, to simplify the environment of enacting the law, and to

comply with the trend of globalisation and digitalisation.

1.2 The changes proposed in the GDPR

Comparing with the DPA, the GDPR brings a number of changes - including data subject rights,

organisations’ responsibilities and accountabilities, data transfer rules, and penalties.

1.2.1 Increased data subject rights

(1) “Right to be forgotten”

In the book Delete, Mayer-Schönberger argued that “with the help of widespread technology,

forgetting has become the exception, and remembering the default” (2011, p.2). The GDPR can tackle

this problem by enacting the law that “the data subject shall have the right to obtain … the erasure of

personal data … and the controller shall have the obligation to erase personal data without undue

delay” (Council Directive 2016/679, ch.III sec.3 art.17).

(2) Data subject consent

In comparison with the Directive 95/46/EC, the GDPR has stricter requirements on consent, which

should be given by “a clear affirmative act establishing a freely given, specific, informed and

unambiguous indication of the data subject's agreement to the processing of personal data relating to

7
him or her, such as by a written statement, including by electronic means, or an oral statement”

(Council Directive 2016/679, (32)).

(3) Data Protection Impact Assessments (DPIAs)

The GDPR makes the DPIAs mandatory: controllers are supposed to carry out a DPIA to evaluate

risks. However, the DPIAs should not be mandatory if “the processing concerns personal data from

patients or clients by an individual physician, other health care professional or lawyer” (Council

Directive 2016/679 (91)).

1.2.2 Increased data controller’s responsibilities and accountabilities

(1) Data controller/ processor

In GDPR, the responsibilities of data controller and processor are clearly defined and separated. The

data controllers should provide “documentation” (Council Directive 2016/679, ch.IV sec.2 art.33)

instead of “notification”, ensure data is secure, perform DPIAs to the supervisory authority (ibid),

appoint data protection officers, and audit effectiveness of processing security; while the processors

should act only on instructions of data controllers. For example, if a company choose to store and to

manage data using a cloud app, then this company will become the “controller” rather than a third

party cloud app. The company will have the responsibility of securing data under the law of GDPR.

“They are still responsible its protection and must demonstrate exactly how the data is protected in the

remote system,” said by Jon Geater, CTO at Thales e-Security.

(2) Data protection officer (DPO)

A DPO assists controllers and processors to “ensure internal compliance within this Regulation”

(Schmitt and Stahl 2012, slide12). DPOs “must have professional knowledge of law and practice and

give advices” (ibid).

(3) Data protection by design and by default

Controllers are not allowed to set defaults to disclose data to the public.

(4) Data Breach & Reporting

8
Data controllers must report data breaches to their supervisory authority “without undue delay and,

where feasible, not later than 72 hours after having become aware of it” (Council Directive 2016/679

ch.IV sec.2 art.33).

1.2.3 Transfer subject to appropriate safeguards

“Data can be transferred under a Commission adequacy decision. In addition, there are limited

possibilities to transfer data with consent.” (Heywood 2016)

1.2.4 Penalties

GDPR has stricter penalties for non-compliance, who shall be fined up to 20 million EUR, or up to

4 % of the total worldwide annual turnover of the preceding financial year (whichever is higher).

(Council Directive 2016/679, ch.VIII art.83)

9
2. The implication of the GDPR for companies

Personal data are exposed under considerable risks in this digital age. “Nine out of ten

Europeans have expressed concern about mobile apps collecting their data without their

consent, and seven out of ten worry about the potential use that companies may make of the

information disclosed,” as reported by European Commission (2015). The GDPR has

profound implications for the future of companies.

2.1 Positive results

2.1.1 Simplification of the regulation environment

Firstly, the GDPR can facilitate companies by its pan-European characteristic. The reason is

that the GDPR removes obstacles during trans-border trades, which can help save both

money and time. As European Commission (2015) reported, “the benefits are estimated at

€2.3 billion per year”. Take the example of a multinational company with several

establishments in EU Member States, now its data controllers operating across borders do not

need to spend too much time and money “(for legal advice, and to prepare the required forms

or documents) to comply with 28 different, and sometimes contradictory, obligations” (ibid).

2.1.2 Re-trust of the customer

Secondly, businesses are provided with opportunities to rebuild customer’s trust by showing

the compliance with the GDPR. Providing individuals with clear, effective information will

help build their trust which can help thrive on businesses. For example, if supermarkets

follow the rule - data protection by design and by default when designing a membership card

system, then they can attract more fixed customers because these customers can find that

“privacy-friendly default settings will be the norm”

10
2.2 Negative results

2.2.1 The complexities of renewing policies

Although to be in compliance with the GDPR can help companies gain more trust and reputations, the

GDPR also brought some troubles to companies, especially large companies (diagrams given below

show the situation).

Source: computing.co.uk

Because of the change in consent, companies which have relied on consent as “a justification

for data processing” (Annereau, 2016) now should choose to “get renewed consent or find

another justification for their processing activities” (ibid).

2.2.2 The high cost

If companies fail to “meet the May 2018 compliance deadline”, they will be faced with heavy

penalties. “There is now more incentive than ever for companies to focus on data protection”

11
(Meelhuysen 2016). What’s more, other expenditure will include paying for protection law

advices and recruiting senior employees.

Part Two – Data Protection Issues

In the past few years, the internet has strongly developed. Hundreds of millions of users are

able to share their personal lives on social media such as Facebook and Twitter, and browse a

number of websites by registering personal information. When we enjoy the convenience

brought by big data, our personal data are also involved in the central database, and are under

the risk of being leaked. In this section, I will discuss how the DPA standardise data

processing, then I will analyse some data breaches to give recommendations to companies

about how to deal with data leakage and how to secure personal data.

1. Findings: the key facts of Data Protection Act (DPA)

Although DPA does not apply to privacy (anonymised data, which will be discussed below),

the act defines eight principles of the processing of personal data:

• Fairly and lawfully processed

• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

Source: ICO

1.2.1 Consent

12
The most significant change in DPA is the consent: “personal data may be processed only if

the data subject has unambiguously given his consent” (DIRECTIVE 95/46/EC sec.2 art.7).

For example, cookies, which used to gather personal data, is required to “inform users of a

website explicitly” and to “give then the opportunity of refusing to accept them” (Bott 2005,

p.184).

1.2.2 The Information Commissioner’s Office (ICO)

The role of the ICO is to uphold information rights in the public interest. The ICO’s work

includes register of data controllers, handling concerns, protecting data privacy, and working

with organisations in Europe. The DPA is covered by the ICO.

1.2.3 Anonymization

The DPA defines “anonymization” as the process of turning data into a form which does not

identify individuals. As to the way that companies use anonymization, companies are allowed

to use various techniques to convert personal data into anonymised data to process data in

bulk for research because fewer restrictions apply to anonymised data. For example, “some of

the location data will relate to phones in cars travelling on the roads. A telecommunications

provider can be able to release a data set to a research body that will analyse it to derive

information about traffic speeds on the roads - by calculating how fast individual phones are

moving between particular locations.” However, anonymization can be broken sometimes

and individuals can be caused loss, distress and embarrassment as a result of data being re-

identified.

13
2.Conclusions: ethical issues around the protection of personal

data

1. Anonymization allows for a wider use of information and a better protection of privacy.

For example, if health service organisations are required to protect the identities of individual

patients but also be required to publish statistics about patient outcomes, Anonymization will

help these organisations to comply with data protection obligations whilst enabling them to

make information available to the public. However, it is not always for organisations to use

anonymized data, in some cases there will be no alternative to using personal data for

research. When health service organisations figure out each patient’s health condition, they

may use personal data to identify individuals.

2. The current ways of managing consent are adequate. It is common that some companies

fail to comply with the data protection law. For example, among 339 million hacked accounts

in Adult Friend Finder, it includes 15 million “deleted” data and 7 million data from

Penthouse.com which has been sold to another company last February. If Adult Friend Finder

can delete unneeded data in time, the potential risk of data breaches will be lower.

3. Although attention paid to data breaches is increasing because of the awakening of public

awareness and the high penalties in the strict law, data breaches keep occurring. Recently, as

reported by Martin, Tesco would have a multimillion pound fine by City regulator because

Tesco bank failed to protect customers’ personal data, which gave rise to an attack that saw

money taken from about 20,000 current customers’ accounts. What’s more, Tesco Bank

refunded £2.5 million to 9,000 consumers. Therefore, nowadays data security is more likely

to be treated as an afterthought rather than a vital factor that companies will take into

consideration during their processing activities.

14
4. Clearly, some companies have not invested enough in securing personal data. “major data

breaches happened in the real world have never been more frequent or their impact greater”

(Martin, 2016), and the value of data theft now commonly reaches the millions. For example,

the devastating data breach of Yahoo came to light last month, but it actually happened in

2014 and saw the data of 500 million customers’ accounts exposed, which also affected

millions of Sky and BT broadband customers in the UK, as BT and Sky had used or still uses

Yahoo Mail for its email service.

If companies have their consumers’ data security compromised, not only will they be faced

with the trust crisis from customers, but also suffer the bad reputation or even collapse

themselves. As to Yahoo, this major data leak will have a huge negative effect on the theirs

ongoing acquisition with Verizon which earlier revealed that it would acquire Yahoo’s core

business for £3.86 billion (Tom 2016).

15
3. Recommendations: the compliance of companies to the GDPR

Some strategies are being enacted by companies. For example, Mozilla, a free-software

community which produces many products such as Firebox we browser and Thunderbird e-

mail client, demonstrated that “they are throwing its support behind the GDPR and using the

24-month compliance deadline to draw attention to some of the regulation’s highlights.”

However, the research conducted by DataIQ shows that “just 7 per cent of firms claiming to

be very prepared in this way” - there are many plans need to be done.

3.1 Secure customers’ personal information better:

(1) Classify and encrypt personal data

When an individual creates his/her account, all the data are automatically identified,

classified and encrypted. According to Peled’s experience (2004), “Customer information

systems may be the easiest places to start because “only a few specific systems typically own

the ability to update that information.”

(2) Perform risk assessment

Through working on assessment, companies can gain a better understanding of the threat

level they are currently comforted with.

(3) Determine appropriate and information-distribution polices

Polices means the rules within an organisation. These policies define who have rights to

“access, use or receive which type of content and when, as well as oversee enforcement

actions for violations of those policies” (ibid).

(4) Implement a monitoring system and review it periodically

16
The system has “the ability to stop unauthorised traffic” (ibid). Companies can review their

systems, policies and training regularly to secure personal data.

Except for monitoring external risks, internal risks should also be paid attention on. Only

authorised users in an organisation have rights to open and manage personal data. In addition,

auditing the trustable level of employees regularly can be regarded as “a key tenet of the

GDPR compliance” (Meelhuysen, 2016).

3.2 React to data breaches

About the reaction after data breaches, companies need to give quick response. For example,

they can perform an official report to relevant authority to identify the reason of data leakage,

and determine the next steps to reduce the possibilities of happening again; meanwhile, these

companies can choose post on their official websites or social media pages to present

apologizes and offer compensation for the data breaches, which can help show sincerity and

rebuild reputations.

17
Bibliography

Bishop, L., 2015. Ethic issues in accessing and using “big data” [Online]. Available from:
https://www.ukdataservice.ac.uk/media/455500/bd014_bishop_ethics_24aug2015.pdf.
[Accessed: 17 November 2016].

Bott, F., 2005. Professional Issues in Information Technology. Wiltshire: The British
Computer Society.

dataIQ, 2016. GDPR: Customer engagement and business process impacts [Online].
Available from: https://www.dataiq.co.uk/u/dataiq_discussion_report_1_dbs.pdf. [Accessed:
21 November 2016].

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free
movement of such data. Official Journal of the European Communities L 281 23.11.1995.

EditorDavid, 2016. Hack Exposes 412 Million Accounts on AdultFriendFinder [Online].

Available from: https://it.slashdot.org/story/16/11/13/2144229/hack-exposes-412-million-
accounts-on-adultfriendfinder-sites. [Accessed: 15 November 2016].

European Commission., 2015. Commission proposes a comprehensive reform of data

protection rules to increase users' control of their data and to cut costs for businesses
[Online]. Available from: http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.
[Accessed: 21 November 2016].

European Commission, 2015. Questions and Answers - Data protection reform [Online].
Available from: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm. [Accessed: 17
November 2016].

Gordon, J. and Wiseman, L., 2003. Guidelines for the Use of Personal Data in System
Testing. London: British Standards Institution.

18
Heywood, D., 2016. The GDPR - an overview [Online]. Available from: https://united-
kingdom.taylorwessing.com/globaldatahub/article-gdpr-overview.html. [Accessed: 18
November 2016].

Information Commissioner’s Office. Anonymisation: managing data protection risk code of

practice [Online]. Available from: https://ico.org.uk/media/for-
organisations/documents/1061/anonymisation-code.pdf. [Accessed: 23 November 2016].

Information Commissioner’s Office, 2015. Consumers concerned about how their personal
details are shared, survey shows [Online]. Available from: https://ico.org.uk/about-the-
ico/news-and-events/news-and-blogs/2015/03/consumers-concerned-about-how-their-
personal-details-are-shared/. [Accessed: 21 November 2016].

Information Commissioner’s Office. Key definitions of the Data Protection Act [Online].
Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/.
[Accessed: 18 November 2016].

Jowitt, T., 2016. Yahoo Hack: Verizon Could Withdraw From $4.83 Billion Acquisition Deal
[Online]. Available from: http://www.techweekeurope.co.uk/e-enterprise/merger-
acquisition/yahoo-verizon-deal-affected-199084#4KhwpcLSiHSxRprD.99. [Accessed: 17
November 2016].

Leonard, J., 2016.

GDPR heads security focus for large companies, disaster recovery for small – research
[Online]. Available from: http://www.computing.co.uk/ctg/analysis/2477967/gdpr-heads-
security-focus-for-large-companies-disaster-recovery-for-small-
research?utm_medium=email&utm_campaign=CTG.Daily_RL.EU.A.U&utm_source=CTG.
DCM.Editors_Updates&im_edp=live.co.uk. [Accessed: 22 November 2016].

Martin, B. and Titcomb, J., 2016. Regulators could fine Tesco Bank over cyber attack
[Online]. Available from: http://www.telegraph.co.uk/business/2016/11/07/tesco-bank-to-
freeze-customer-transactions-after-hacking-attack/. [Accessed: 20 November 2016].

Mayer-Schönberger, V., 2011. Delete: The Virtue of Forgetting in the Digital Age. Princeton:
Princeton University Press.

19
Peled, A., 2004. Five steps your company can take to keep information private [Online].
Available from: http://www.computerworld.com/article/2563307/security0/five-steps-your-
company-can-take-to-keep-information-private.html. [Accessed: 21 November 2016].

Praet, D., 2016. Should We Allow Bulk Searching of Cloud Archives? [Online]. Available
from: https://www.schneier.com/blog/archives/2016/01/should_we_allow.html. [Accessed:
19 November 2016].

Prime, R., 2015. 10 ways businesses can protect customer data [Online]. Available from:
http://www.information-age.com/10-ways-businesses-can-protect-customer-data-
123459341/. [Accessed: 20 November 2016].

Professional Security, 2016. Data regulation comments [Online]. Available from:

http://www.professionalsecurity.co.uk/news/interviews/data-regulation-comments/.
[Accessed: 19 November 2016].

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation). Official Journal of the European Communities L 119/1 04.05.2016.

Rossi, B., 2016. Big data vs. privacy: the big balancing act [Online]. Available from:
http://www.information-age.com/big-data-vs-privacy-big-balancing-act-123461795/.
[Accessed: 21 November 2016].

Schmitt, J. and Stahl, F., 2012. How the proposed EU data protection regulation is creating a
ripple effect worldwide [Online]. Available from:
https://iapp.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf. [Accessed: 15
November 2016].

Sullivan, B., 2016. What Is GDPR And What Do You Need To Do About It? [Online].
Available from: http://www.techweekeurope.co.uk/e-regulation/what-is-gdpr-and-what-do-
you-need-to-do-about-it-192850#8hSFGQZCq2Bq8ebM.99. [Accessed: 22 November 2016].

20
Van Den Eynden, V., 2012. Managing sensitive data for sharing – the UK data archive
experience [Online]. Available from:
www.bl.uk/aboutus/stratpolprog/digi/.../DataCitationSensitiveData.ppt. [Accessed: 20
November 2016].

Wilson, M., 2016. Mozilla throws support behind privacy-boosting GDPR updates [Online].
Available from: http://www.itproportal.com/2016/05/27/mozilla-throws-support-behind-
privacy-boosting-gdpr-updates/. [Accessed: 20 November 2016].

21