Personal information protection has become increasingly important over the past few decades as a result of rapid technological advancement across the globe. Both individuals and organizations have continuously fallen victim to information security breaches. Most reported breaches have affected organizations and prominent individuals whose personal information attracts significant public attention.
However, such breaches have contributed to raising public awareness of the need to protect personal data, and have encouraged individuals to take protective measures when providing their personal information online. This level of concern has in turn pushed governments to enact legislation in favor of personal information protection. Beginning in Germany, where the state of Hesse passed the first data protection law in 1970 and the Federal Data Protection Act (BDSG) followed in 1977, such laws have continued to develop across nations, emphasizing the importance of personal privacy and the confidentiality of personal data.
Nevertheless, information security policies continue to be violated, fueling a never-ending debate. Violators will always find a way to break rules and laws; having a viable security program in place that strategically prevents, controls, and mitigates the risk of massive damage to the business is therefore crucial.
The European Union has established legal regulation of personal information protection, a major daily concern of its citizens, built on the Council of Europe Convention 108, European Union (EU) instruments, and the case-law of the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU). The EU data protection directive has served as a reference model for good practice, giving a structured, legally binding shape to the protection of personal data against breaches across Europe.
Under EU law, personal information can be collected only under strict legal conditions and for legitimate purposes. The right to the protection of personal data is entrenched in the Treaty on the Functioning of the European Union, and the rules are deliberately technology-neutral and not tied to specific sectors of the economy, so they can be applied in a variety of technological contexts. The use of RFID tags is one example of a technology the rules cover; data protection has also become a subject of bilateral trade negotiations between the EU and other countries.
The Canadian privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), was formulated with the EU directive on personal information protection as its model. Under PIPEDA, personal information is information about an identifiable individual, such as name, ID number, ethnic origin, blood type, opinions, comments, social status, employee files, credit and loan records, medical records, commercial disputes, and other information relating to an individual's identity.
It is worth noting, however, that personal information collected by federal government institutions is governed by the Privacy Act rather than by PIPEDA.
Organizations covered by PIPEDA must obtain an individual's consent to collect, use or disclose that individual's personal information. The Privacy Commissioner of Canada oversees both the Privacy Act and PIPEDA. Given Canada's governance model, the Federal Government may exempt from PIPEDA organizations based in provinces that have already enacted substantially similar privacy legislation. As under EU privacy law, data generated through the Internet, Global Positioning Systems (GPS), and Radio Frequency Identification (RFID) tags is treated as personal information, and governments may use such data for the purposes of national security and public safety.
The United States
Unlike the European Union and Canada, the United States does not have a single comprehensive legislative framework for personal information protection. Instead, privacy obligations depend on the industry in which an organization operates, and there is no single authority responsible for enforcing them. Different industries therefore have different regulatory frameworks for information security. The financial services sector illustrates this well.
The Consumer Financial Protection Bureau and other financial services regulators implement standards, under the Gramm-Leach-Bliley Act (GLBA), that dictate how firms may collect, use, or disclose personal information. In the same way, the Department of Health and Human Services is responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Equally significant in the United States is the interception of personal communications, which is regulated at the federal level by the Electronic Communications Privacy Act (ECPA), a combined framework of the Wiretap Act, the Stored Communications Act, and the Pen Register Act. In addition, the Federal Trade Commission (FTC) Act prohibits unfair or deceptive practices, which the FTC applies to online and offline privacy and data security practices. The FTC has also set out the guiding principles for the collection of online information for behavioral advertising.
In Hong Kong, the legal framework for privacy, information, and cyber security is contained in, and regulated through, a single piece of legislation, the Personal Data (Privacy) Ordinance (PDPO). Enforcement of this framework is the responsibility of the Office of the Privacy Commissioner for Personal Data (PCPD), an independent statutory body. The PDPO covers all aspects of personal data protection for individuals and organizations, regulating data centers, corporations, the outsourcing of digital activities, privacy policies, data access, and direct and behavioral marketing, among other matters.
These regulations are backed by substantial penalties, both fines and imprisonment. The Ordinance also contains a restriction on transferring personal data outside Hong Kong except in defined circumstances, although that provision (section 33) has not been brought into operation. The PDPO further provides for compensation to individuals who have suffered loss from the misuse of their personal data. Given the strict and significant measures available to the Hong Kong authorities, organizations operating in Hong Kong are strongly advised to take extensive care when establishing their secure networks.
Optimizing Information Protection
Regardless of legal regulation, individuals and members of any organization must be aware of the importance of information security. Information security is continuously under threat, even though a variety of regulatory frameworks have been established.
To optimize protection of information, public or private, the first step is to increase awareness of the various attacks, starting with phishing and malware as the most common threat techniques. In addition, certification against the various information security standards is highly advised, to raise qualification levels beyond awareness alone. Check out www.pecb.com for more information on training and certification in management systems.