Data privacy & social media

Social Media, Web 2.0The end of Privacy ?

Jacques Folon

Partner Edge ConsultingLecturer ICHEC

Visiting professor Université de Liège & Université de

Find the presentation on

www.slideshare.net/folon

Table of ContentsTable of ContentsThe author

Social media & privacy ????

What’s data privacy?

Control of the employees

How are data collected?

Security & ISO 27002

Conclusion

Chargé de cours Partner

Auteur

http://be.linkedin.com/in/folon Jacques.folon@ichec.bewww.ichec.be

Jacques.folon@edge-consulting.bizwww.edge-conulting.biz

Administrateur

Follow me on scoop it for the latest news on data privacy and security

http://www.scoop.it/t/management-2-entreprise-2-0

The author

Conclusion

By giving people the power to share, we're making the world more transparent. The question isn't, 'What do we want to know about people?', It's, 'What do people want to tell about themselves?'Data pricavy is outdated !

Mark Zuckerberg, CEO Facebook

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.

Eric Schmidt, ex- CEO of Googe

So is it still a question?

• Yep...

• see on the web, you’ll find sooo many debates

• and by the way data privacy legal framework also is applicable in the social media environment

The author

Conclusion

What your boss thinks...

Good question ?

Employees share (too) many information and also with third

parties

Some news

Where the data areWhere the data are

Legal issues

Employee copy what they find on internet

Inappropriate posts against the company, colleagues, clients, suppliers,...

HR: recruitment, harassment, ...

Limitation of control by the employer

Archiving & e-discovery

Code of conducts

Source : https://www.britestream.com/difference.html.

Everything must be transparent

legal framework (s)

Some important legal definitionsSome important legal definitions

Personal data

Any information relating to an identified or identifiable person ('data subject') who can be identified, directly or indirectly, in particular by

reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural, social).

Collecting and processing the personal data of individuals is only legitimate in one of the following circumstances:

•Where the individual concerned has unambiguously given his or her consent, after being adequately informed; or

•if data processing is needed for a contract, or

•if processing is required by a legal obligation; or

•if processing is necessary in order to protect the vital interest of the data subject, or

•if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or

•if the data controller or a third party has a legitimate interest in doing so, so long as this interest does affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.

When is it «legal»?

Source: http://ec.europa.eu/justice/data-protection/index_en.htm

Data subject

An identified or identifiable person to whom specific personal data relates.

It is someone who can be identified, directly or indirectly, in particular by reference to an

identification number or to one or more specific factors (physical, physiological,

mental, economic, cultural, social).

Processing of personal data

Processing of personal data means any operation or set of operations which is performed upon personal data, whether or not by automatic means (for example: collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deleting or destruction, etc.).

Controller

Natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The data controller must respect certain rules:

Source: http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm

• Personal Data must be processed legally and fairly;• It must be collected for explicit and legitimate purposes

and used accordingly;• It must be adequate, relevant and not excessive in relation

to the purposes for which it is collected and/or further processed;

• It must be accurate, and updated where necessary;• Data controllers must ensure that data subjects can

rectify, remove or block incorrect data about themselves;• Data that identifies individuals (personal data) must not be

kept any longer than strictly necessary;• Data controllers must protect personal data against

accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures. These protection measures must ensure a level of protection appropriate to the data.

What can you ask of data controllers?

•Data controllers are required to inform you when they collect personal data about you;•You have the right to know the name of the controller, what the processing is going to be used for, to whom your data may be transferred;•You have the right to receive this information whether the data was obtained directly or indirectly, unless this information proves impossible or too difficult to obtain, or is legally protected;•You are entitled to ask the data controller if he or she is processing personal data about you;•You have the right to receive a copy of this data in intelligible form;•You have the right to ask for the deletion, blocking or erasing of the data.

the law prohibits the processing of personal data revealing racial or ethnic origin, political opinions,

religious or philosophical beliefs, trade-union membership, and the processing of data

concerning health or sex life unless one of the exception criteria is met.

exchange of data...exchange of data...

CoockiesCoockies

international transferinternational transfer

•Security managementSecurity management

– Security departementSecurity departement

– Consultant Consultant

– Security proceduresSecurity procedures

– Disaster recoveryDisaster recovery

Technical securityTechnical security– Risk analysisRisk analysis– Back-upBack-up– Procedures aganinst fire, theft, ...Procedures aganinst fire, theft, ...– Identity access managementIdentity access management– Authentification (identity management)Authentification (identity management)– Loggin and passwordLoggin and password

Legal securityLegal security

– Employment contractsEmployment contracts– sub contractorssub contractors– Code of conductCode of conduct– employee’s controlemployee’s control– Full respect of the legal frameworkFull respect of the legal framework

Privacy statement confusion•53% of consumers consider that a

privacy statement means that data will never be sell or give

•43% only have read a privacy statement

•45% only use different email addresses

•33% changed passwords regularly

•71% decide not to register or purchase due to a request of unneeded information

•41% provide fake info 4433

Source: TRUSTe survey

The author

Conclusion

How many information?How many information?

Could the employer control everything?

Control

Privacy vs right to controlCC-CAO 81Same rules for public and private

sector

CONTROL

•Purpose (4)•proportionality•procedure•information•individualization•Penalties

Are posting on social media private?

It is on a public site and as such not privatethe employer may check what happens on social media with some limitations:

ok for linkedin, viadeo, etc.ok for others if complaints for by instance sexual harassmentno if it is for dicrimination or to find sensistive information

need for a code of conduct

TELEWORKING

The author

Conclusion

They know where you are ...

Source: http://www.slideshare.net/peterkaptein/post-privacy-era

Elvira Berlingieri | Peter Kaptein December 5, 2009 Donnaèweb - Viareggio

Making sure you can call

GSM Cell

Tool: Triangulation

Database

“You are here”

Database

Tracking: defining actions

Friday, 12:45Friday, 12:45

Phone IDPhone IDPaymentPaymentFace recog.Face recog.

12:4712:47

12:5212:52

13:3013:30

13:5013:50

13:2513:25

13:4513:45PurchasePurchase

PurchasePurchase

Phone callPhone call

Tracking: Matching

GSM Cell data

Payment data

Biometric data

- Identity- Action- Location- Time

Tracking: Data collection

Friday, 12:45Friday, 12:45

Phone IDPhone IDPaymentPaymentFace recog.Face recog.Other peopleOther peopleYouYou

Filtering the data

Sunday, 12:45Dam Square

Phone IDPhone IDPaymentPaymentFace recog.Face recog.Other peopleOther peopleMaybe youMaybe you

Monday, 14:15Abbey road

YouYou

Tuesday, 09:45Johns Bagels

Matches now + pastMatches now + past

Result

phone ID

+ biometrical data (camera)

+ payments + purchased items

= You + your wherabouts

DATA THEFT

Where do one steal data?

•Banks•Hospitals•Ministries•Police•Newspapers•Telecoms•...

Which devices are stolen?

•USB •Laptops•Hard disks•Papers•Binders•Cars

What do they know?

Building your profile

MedicMedical dataal dataMedicMedical dataal data

FinancFinancial ial

datadata

FinancFinancial ial

datadata

FamilyFamilyFriendFriend

Prefe-Prefe-rencesrencesPrefe-Prefe-rencesrences

Private Private stuffstuff

IncriminIncrimina-ting a-ting stuffstuff

IncriminIncrimina-ting a-ting stuffstuff WhereWhere

--aboutsabouts

WhereWhere--

aboutsabouts

Photo’sPhoto’sPhoto’sPhoto’s

MedicMedical dataal dataMedicMedical dataal data

FinancFinancial ial

datadata

FinancFinancial ial

datadata

FamilyFamilyFriendFriend

Prefe-Prefe-rencesrencesPrefe-Prefe-rencesrences

Private Private stuffstuff

IncriminIncrimina-ting a-ting stuffstuff

ExpensExpenseses

BudgetBudgetss

WhereWhere--

aboutsabouts

WhereWhere--

aboutsabouts ConnecConnect-ionst-ions

ConnecConnect-ionst-ions

OpinionOpinionss

TravelsTravelsTravelsTravels CommuCommutestes

CommuCommutestes

SexualSexualSexualSexual

LiteratuLiteraturere

LiteratuLiteraturere ConsuConsu

mermerConsuConsumermer

PeoplePeoplePeoplePeople

DiseaseDiseasess

Current Current statestate

PersonaPersonal datal data

GSM Cell dataPhone calls

Payment data

Whereabouts via

biometric data

Bonus card data

Medical data

Browsing data

Profile databaseProfile database

Travel data

Google searchesSource: http://www.slideshare.net/peterkaptein/post-privacy-era

The author

Conclusion

Implication for HR

8.1 before recruiting

8.1.1. roles & responsibilities

Contracts

Réglement de travail/arbeidsreglement

security policyCC/CAO 81

«forgotten» contracts

•consultants•subcontractors•auditors•accountants•cleaning

TESTSASSESMENTSSOCIAL MEDIA CHECKCV Screening

Employees’ responsibilities

Applicable rules before and after the contract

Privacy information

Mobiles, laptop,etc.

8.1.3 employment conditions

8.2 during the contract

Procedures

Control update security

manager Sponsorin

8.2.1 Management responsibilities

8.2.2 Training and awareness

Limit for control? Private emails? CC/CAO 81

8.2.3 Disciplinary process

8.3.1 End of contract

internal moveconfidentiality after the

endwhat is confidential

8.3.3.Cancel access rights

110000

The author

Conclusion

Is this your data security ?

Social media are there...

+500 M users todayreaching 1 billion by 2012

85 M users today

70 M users today

120 M users today

74 M users today

10 M users today

Géolocalisation

http://projectvirginia.com/infographic-emerging-media-in-2011/

It’s not only the so-called generation Y

Recrutement et media sociaux

Source: http://www.doppelganger.name

Your boss thinking of data privacy ?Your boss thinking of data privacy ?

Or ?Or ?

Remember that security of personnal data is a legal requirement...

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.”

C. Darwin

QUESTIONS ?QUESTIONS ?

Data privacy & social media

Education

Social Media Privacy Personal Branding

Social Media and Privacy Online

Social media, recht en privacy

Patient Privacy and Social Media

Privacy & Social Media

Privacy and Security in Online Social Media : Privacy and Social Media

Engage EMEA 2010 - Social Media Privacy

Hum 140: Social Media: Privacy

Social media and privacy

Social media + privacy

Social Media Privacy: Personal and Professional

Privacy and Security in Online Social Media : Misinformation on Social Media

STIMA - Social Media Privacy and Social Media Policy

CSIAC - Social Media Analysis and Privacy

Class 6 Internet Privacy Law Social Media Privacy

Privacy and Security in Online Social : Privacy and Pictures on Online Social Media

Privacy Issues in Social Media

Social Media & Privacy (Nov 2012)

Social media privacy issues

Mcom 1.3 social media en privacy