An Ethical Approach to Data Privacy Protection

Article in ISACA Journal, January 2016 (https://www.researchgate.net/publication/338331380)

ISACA JOURNAL VOL 6
©2016 ISACA. All rights reserved. www.isaca.org

Wanbil W. Lee, DBA, FBCS, FHKCS, FHKIE, FIMA
Is principal director of Wanbil & Associates, founder and president of The Computer Ethics Society, and cofounder and Life Fellow of the Hong Kong Computer Society. He serves on committees of several professional bodies, editorial boards and government advisory committees. He has held professorial and adjunct appointments in a number of universities. His expertise is in information systems, and he has a strong interest in information security management, information systems audit and ethical computing.

Wolfgang Zankl, Ph.D.
Is a professor of private and comparative law at the University of Vienna (Austria) and associate lecturer for social media law at the Quadriga University (Berlin, Germany). He founded and runs the European Center for E-commerce and Internet Law (e-center.eu) and is a board member of The Computer Ethics Society.

Henry Chang, CISM, CIPT, CISSP, DBA, FBCS
Is an adjunct associate professor at the Law and Technology Centre, the University of Hong Kong. Chang is an appointed expert to the Identity Management and Privacy Technologies Working Group (SC27 WG5) of the International Organization for Standardization (ISO). His research interests are in technological impact on privacy, accountability and Asia privacy laws.

Privacy, trust and security are closely intertwined, as are law and ethics. Privacy preservation and security provisions rely on trust (e.g., one will allow only those whom one trusts to enter one's zone of inaccessibility; one will not feel secure unless one trusts the security provider). A violation of privacy therefore constitutes a risk and, thus, a threat to security. Law provides a resolution when ethics cannot (e.g., ethics knows that stealing is wrong; the law punishes thieves), and ethics can provide context to law (e.g., the law allows trading for the purpose of making a profit, but ethics provides input into ensuring that trade is conducted fairly). Privacy breaches disturb trust and run the risk of diluting or losing security; a breach is a show of disrespect to the law and a violation of ethical principles.

Data privacy (or information privacy or data protection) is about the access, use and collection of data, and the data subject's legal right to the data. This refers to:
• Freedom from unauthorized access to private data
• Protection against inappropriate use of data
• Accuracy and completeness when collecting data about a person or persons (corporations included) by technology
• Availability of data content, and the data subject's legal right to access; ownership
• The rights to inspect, update or correct these data

Data privacy is also concerned with the costs if data privacy is breached. Such costs include the so-called hard costs (e.g., financial penalties imposed by regulators, compensation payments in lawsuits such as those for noncompliance with contractual principles) and the soft costs (e.g., reputational damage, loss of client trust).

Though different cultures put different values on privacy, or make it impossible to define a stable, universal value, there is broad consensus that privacy does have an intrinsic, core and social value. Hence, a privacy approach that embraces the law, ethical principles, and societal and environmental concerns is possible despite the complexity of and difficulty in upholding data privacy.

Data Privacy Protection
Indeed, protecting data privacy is urgent and complex. This protection is necessary because of the ubiquity of the technology-driven and information-intensive environment. Technology-driven and information-intensive business operations are typical in contemporary corporations. The benefits of this trend are that, among other things, the marketplace is more transparent, consumers are better informed and trade practices are fairer. The downsides include socio-techno risk, which originates with technology and human users (e.g., identity theft, information warfare, phishing scams, cyberterrorism, extortion), and the creation of more opportunities for organized and sophisticated cybercriminals to exploit. This risk results in information protection being propelled to the top of the corporate management agenda.

The need for data privacy protection is also urgent due to multidirectional demand. Information
protection becomes an essential information security function to help develop and implement strategies to ensure that data privacy policies, standards, guidelines and processes are appropriately enhanced, communicated and complied with, and that effective mitigation measures are implemented. The policies or standards need to be technically efficient, economically/financially sound, legally justifiable, ethically consistent and socially acceptable, since many of the problems commonly found after implementation and contract signing are of a technical and ethical nature, and information security decisions become more complex and difficult.

Data privacy protection is complex due to socio-techno risk, a new security concern. This risk occurs with the abuse of technology that is used to store and process data. For example, taking a company universal serial bus (USB) device home for personal convenience runs the risk of breaching a company regulation that no company property shall leave company premises without permission. That risk becomes a data risk if the USB device contains confidential corporate data (e.g., data about the marketing strategy, personnel performance records) or employee data (e.g., employee addresses, dates of birth). The risk of taking the USB device home also includes its theft or loss.

Using technology in a manner that is not consistent with ethical principles creates ethical risk, another new type of risk. In the previous example, not every staff member would take the company USB device home, and those who decide to exploit the risk of taking it may do so based on their own sense of morality and understanding of ethical principles. The ethical risk (in addition to technical risk and financial risk) arises when considering the potential breach of corporate and personal confidentiality. This risk is related partly to technology (the USB device) and partly to people (both the perpetrator and the victims) and is, therefore, a risk of a technological-cum-social nature, i.e., a socio-techno risk. Hence, taking home a USB device is a vulnerability that may lead to a violation of data privacy.

However, the problem of data privacy is not unsolvable. The composite approach alluded to earlier, which takes into consideration the tangible physical and financial conditions and the intangible measures against logical loopholes, ethical violations and social desirability, is feasible, and the method suggested in this article, which is built on a six-factor framework, can accomplish this objective.

Methods for Data Privacy Protection
The method is modeled on a framework originally conceived and developed to provide a fresh view to decision makers, and is based on the following three major instruments:
• The International Data Privacy Principles (IDPPs)1 for establishing and maintaining data privacy policies, operating standards and mitigation measures
• Hong Kong's Data Protection Principles for personal data (DPPs) for reinforcing those policies, standards and guidelines2
• The hexa-dimension metric operationalization framework for executing policies, standards and guidelines

International Data Privacy Principles
Data privacy can be achieved through technical and social solutions. Technical solutions include safeguarding data from unauthorized or accidental access or loss. Social solutions include creating acceptability and awareness among customers about whether and how their data are being used, and doing so in a transparent and confidential way. Employees must commit to complying with corporate privacy rules, and organizations should instruct them in how to actively avoid activities that may compromise privacy.

Next to technical and social solutions, the third element of achieving privacy is complying with the data protection laws and regulations, which involves two issues. The first concern is that legal regulation is slow and, thus, unable to keep
up with the rapid developments of information technology. Legal solutions are usually at least one step behind technological developments. Data privacy by electronic means should, therefore, be based not only on traditional jurisdiction, but also on soft law, i.e., self-binding policies such as the existing data privacy principles. Soft law may be more effective than hard law. The reactions of disappointed customers, especially when those reactions are spread by social media, and the fact that noncompliance with corporate governance may result in unfair competition and/or liability toward affected customers (unfair competition by not complying with self-binding policies; liability toward customers by breach of contract) will often be more effective than mere fines or penalties.

The second problem of data protection has to do with the fact that these regulations are not internationally harmonized, causing severe complications (especially between the United States and the European Union) on a cross-border basis, which is the rule rather than the exception in modern business. To make data privacy rules work in a global environment, the principles outlined in this article consider US standards (e.g., the US Federal Trade Commission's Fair Information Practices), European standards (e.g., Data Protection Directive 95/46/EC and the General Data Protection Regulation [GDPR]), Asian regulations (e.g., the Hong Kong Personal Data Privacy Ordinance [PDPO]) and international benchmarks (e.g., the Organization for Economic Co-operation and Development [OECD] Privacy Framework Basic Principles).

This article also considers the fact that common data privacy regulations, especially in Europe, tend to focus on a traditional human rights approach, neglecting the fact that nowadays, data are usually given away voluntarily upon contractual agreement. When using sites such as Google, Baidu, Amazon, Alibaba or Facebook, users agree to the terms and conditions of these companies. Data privacy should consider not only mere data protection, but also contractual principles, among which one of the oldest and most fundamental is do ut des, meaning a contract in which there is a certain balance between what is given and what is received. That philosophy explains why companies such as Google or Facebook, for whose services the customer does not pay, have the right to use personal data. In other words, that tradeoff (data for services) is the balance.3

The consumer being less protected when receiving free services is a basic element of the European E-Commerce Directive, which does not apply to services that are offered free of charge. But this consideration is only a first step. Applied to a modern data environment, a balance also has to be struck in relation to other parameters relevant to the contractual aspects of data privacy. Since data are a contract matter, it is important to consider what kind of personal data are under consideration (e.g., sensitive and nonsensitive data have to be distinguished and treated differently), and since contracts are concluded by mutual consent, the extent of such consent also has to be taken into account. For example, does consent have to be declared explicitly, or is accepting the terms of use sufficient?

The IDPPs approach takes into consideration the Asian, European, US and international data protection standards and focuses on personal data, but can apply to corporate data as well. These principles suggest that the three parameters (payment, consent and data category) should be balanced and combined with the previously mentioned Asian, European, US and international
standards, putting them into a set of privacy rules. Organizations in compliance with international data privacy standards should commit to the following 13 IDPPs:4

1. Comply with national data protection or privacy law, national contract law, and other legal requirements or regulations relating to data privacy.
2. Comply with current security standards to protect stored personal data from illegitimate or unauthorized access or from accidental access, processing, erasure, loss or use.
3. Implement an easily perceptible, accessible and comprehensible privacy policy with information on who is in charge of data privacy and how this person can be individually contacted, why and which personal data are collected, how these data are used, who will receive these data, how long these data are stored, and whether and which data will be deleted or rectified upon request.
4. Instruct employees to comply with such privacy policies and to avoid activities that enable or facilitate illegitimate or unauthorized access in terms of the IDPPs.
5. Do not use or divulge any customer data (except for statistical analysis and when the customer's identity remains anonymous), unless the company is obliged to do so by law or the customer agrees to such use or circulation.
6. Do not collect customer data if such collection is unnecessary or excessive.
7. Use or divulge customer data in a fair way and only for a purpose related to activities of the company.
8. Do not outsource customer data to third parties unless they also comply with standards comparable to these IDPPs.
9. Announce data breaches relating to sensitive data.
10. Do not keep personal data for longer than necessary.
11. Do not transfer personal data to countries with inadequate or unknown data protection standards unless the customer is informed about these standards being inadequate or unknown and agrees to such a transfer.
12. In the case of a contract between the company and the customer in which the customer commits to pay for services or goods:
– Inform the customer individually and as soon as reasonably possible in the event of a data breach.
– Inform the customer upon request about which specific data are stored, and delete such data upon request unless applicable laws or regulations require the company to continue storing such data.
– Do not use or divulge content-related personal data.
– Do not use or divulge any other personal data without the customer's explicit, separate and individual consent.
– Do not store, use or divulge any customer data, unless applicable laws or regulations require the company to continue storing such data.
13. In the absence of a contract between the company and the customer in which the customer commits to pay for services or goods:
– Inform the customer as soon as reasonably possible in the event of data breaches.
– Inform the customer upon request what types of sensitive data are stored, and delete such data upon request when such data are outdated, unless applicable laws or regulations require the company to continue storing such data.
– Do not use or divulge sensitive data without the customer's explicit, separate and individual consent.

The Hong Kong Personal Data Privacy Ordinance
The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Privacy Guidelines)5 are often the standard that the data protection laws of many countries reference.6

The OECD Privacy Guidelines have eight basic principles:
1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Openness Principle
7. Individual Participation Principle
8. Accountability Principle

Being a framework with the aim of providing guidelines to jurisdictions to enact their own privacy laws, the definitions of these principles are deliberately at a high level. When these high-level principles are converted to national laws, many jurisdictions take on the same principles-based approach. For example, the UK's Data Protection Act uses eight DPPs,7 Australia's Privacy Act has 13 privacy principles,8 and the Canadian Personal Information Protection and Electronic Documents Act has 10 principles.9

For the purpose of illustration, the remaining part of this article will use Hong Kong's PDPO, enacted in 1995 and Asia's first privacy law, to highlight the salient points on how ethical considerations are built into the implementation of privacy legislation that is compatible with the OECD Privacy Guidelines.

The Six Data Protection Principles of PDPO
An explanation of the DPPs is provided by the Hong Kong Office of the Privacy Commissioner for Personal Data,10 and can be summarized as:
1. Data Collection and Purpose Principle:
• Personal data must be collected in a lawful and fair way for a purpose directly related to a function/activity of the data user (i.e., those who collect personal data).
• Data subjects (i.e., individuals from whom personal data are collected) must be notified of the purpose and the classes of persons to whom the data may be transferred.
• Data collected should be necessary, but not excessive.
2. Accuracy and Retention Principle: Personal data must be accurate and should not be kept for a period longer than is necessary to fulfill the purpose for which they are used.
3. Data Use Principle: Personal data must be used for the purpose for which the data are collected or for a directly related purpose, unless voluntary and explicit consent to a new purpose is obtained from the data subject.
4. Data Security Principle: A data user needs to take reasonably practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use, while taking into account the harm that would affect the individual should there be a breach.
5. Openness Principle: A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data are used.
6. Data Access and Correction Principle: Data subjects must be given access to their personal data and allowed to make corrections if the data are inaccurate.

The PDPO is principle-based and is not a piece of prescriptive law. Knowing the underlying ethical considerations for each principle will help an organization to better understand the spirit and the letter of the law when developing a compliance program. In particular, ethical relevance is clearly evident in the implications of the PDPO privacy protection principles:

• DPP1 explains that the collection of personal data must be fair and that the personal data collected should not be excessive. Whether the collection is fair and excessive will have to be assessed under the circumstances. Given that fairness and excessiveness for one person may not be the same for another person, there is, inevitably, a judgment involved in the assessment. That relativistic judgment will, in turn, be influenced by the society's acceptable behavior and values, i.e., its collective ethical belief.
• DPP2 states that collected personal data are not to be kept for longer than is necessary. As there is also an element of judgment on necessity, it can be argued on utilitarian grounds that there could be an ethical dilemma in deciding between a short retention period that is protective of the individuals and a longer period that is protective of the interests (commercial or otherwise) of the organization that collects the personal data.
• DPP3 states that data use that is not directly related to the original purpose may be carried out only with the consent of the individual. This may be translated as respecting the wishes of the individuals. Even if the organization thinks that the changed use would be beneficial to individuals, the organization has no right to take away the individual's free will and choice.
• DPP4 states that organizations should implement reasonable security protection on the collected personal data to prevent data leakage. While leaving aside the decision on how many resources and how much effort an organization should use to protect the personal data collected, DPP4 asks organizations to balance the resources and effort against the likely harm to individuals.
In 2010, ethical considerations related to data protection played a major role in testing existing laws. The Octopus card is an "electronic wallet" that many Hong Kong residents use for daily transportation and everyday purchases. In 2010, it was discovered that Octopus Cards Limited, the company that owned the cards, was selling card owners' loyalty membership data to insurance companies for direct marketing purposes. As a result of public outcry, the privacy commissioner investigated and concluded that, while the sale of customer records was not prohibited by the law at the time, the company had failed to make a meaningful effort to seek consent from customers when it informed them of this data use in a privacy policy statement.

The company denied contravening the law, but accepted that its actions fell short of customer expectations. Two major officers of the company stepped down during the investigation.11, 12

The heightened public awareness of personal data rights that arose in the wake of the incident changed expectations of organizational behavior. No longer will people accept companies doing only the bare minimum required by law; they must also act ethically. The chief executive officer (CEO) who took over Octopus Cards Limited after the incident captured the new expectations succinctly: "We need to do not just [what is] legal, but what is right."13

The Hexa-dimension Code of Conduct
A code of conduct serves a variety of functions, one of the most important of which is to serve as a guide for stakeholders based on a set of rules and standards. Despite official adoption, company policies and standards, which tend to be difficult for stakeholders, including employees, to absorb, are not easy to enforce effectively and are probably ignored in the end. A code of conduct, if formulated and articulated well, should serve to communicate the policies and standards to stakeholders in a relatable way. While such codes may serve to deter potential offensive actions, they are limited in enforcing those rules or standards; they rely purely on the moral obligation of the stakeholders concerned, because a violation by itself does not, in general, attract any criminal charges in the legal sense. However, despite the good intention and official adoption, the code by itself cannot guarantee more ethical behavior, and auxiliary measures must be in force to operationalize the rules and standards effectively.

Organizations of all varieties might have some kind of code of practice in place. However, the extant codes invariably tend to focus on technical, financial and legal issues and are insufficient when considering the ethical, social and ecological concerns that rapidly emerge and ascend to the top of corporate and IT management agendas. Different organizations have their own unique policies and a unique code of conduct; there can be no universal recipe, only a general guideline. As a general guideline for designing a code of conduct, the hexa-dimension framework is recommended. This framework comprises two major components: the theoretical hexa-dimension metric for measuring legal validity, social desirability, ecological sustainability, ethical acceptability, technical effectiveness and financial
viability (the six requirements/factors) and a scheme for operationalizing the framework. The operationalization scheme is carried out in three major steps:
• Identify the relevant critical factors depending on the target end users (corporatewide, a functional unit or the nature of operation). For example, environmental impact is critical for a mining company or a factory, but could probably be skipped for an information security unit.
• Secure the support of the board of directors with respect to corporate policy aspects and the supporting infrastructures, which include the organization's human resources (HR) management, legal, finance, and information and communications technology functional units, with respect to technical support and reference. An appraisal of ethical consistency in conduct should be included during annual performance reviews (by HR).
• Determine a schedule for quantifying the elements of each factor for measuring, prioritizing and balancing the factors. The attributes/factors will help determine the steps to be taken to measure the effectiveness.

If properly and appropriately formulated and articulated, the code can be useful in disseminating the policies and standards throughout the organization and beyond, thus cultivating corporatewide ethical, professional conduct. While a code may deter potential offensive actions, it is limited in enforcing the rules or standards. The limitation exists because the code can rely only on the stakeholders' sense of morality, because violation of the code does not entail any criminal charges. Auxiliary measures must be put in place to arrive at desirable results, such as executive actions that provide rewards and impose punishment (e.g., discussing the hexa-dimensional code of conduct during an annual performance appraisal, when those being appraised are asked to demonstrate that their assigned duties were carried out in a manner consistent with data privacy protection policies, i.e., not breaking the law; not harmful to individuals and society at large; not wasteful of the resources available, including the computer facilities, the workforce and the budget; and not harming the environment).

Conclusion
Information security professionals are in urgent need of effective and pragmatic guidance for developing data privacy protection standards for two major reasons. The first is that the information security function in a technology-driven, information-intensive environment becomes more complicated due to new risk (e.g., socio-techno risk); the second is that data privacy protection becomes a primary concern to information security management as privacy infringement occurs frequently and attracts wide coverage in the media. Viewing privacy from the perspective of ethics can help enterprises establish and improve their code of conduct. Considering privacy from an ethical point of view and establishing a code of conduct makes all individuals in an organization, not just security personnel, accountable for protecting valuable data.

Endnotes
1 Zankl, W.; The International Data Privacy Principles, presented at Harvard University, Cambridge, Massachusetts, USA, October 2014, www.e-center.eu/static/files/moscow-dataprivacy-handout-russian.pdf
2 The Personal Data (Privacy) Ordinance, Chapter 486, https://www.pcpd.org.hk/english/files/pdpo.pdf and https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html
3 It has been argued that companies using, for instance, their Internet platforms for advertising purposes are already being paid by the advertisers, so there is no need for further payment with data. This point of view neglects the fact that do ut des refers to a balance between the quid pro quo of the contracting parties and not between these parties and third parties. That is why readers have to pay for magazines despite the publisher receiving payments from third parties (advertisers).
4 Op cit, Zankl
5 Organization for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, www.oecd.org/sti/ieconomy/cdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
6 Greenleaf, G.; "Global Data Privacy Laws 2015: 109 Countries, with European Laws Now a Minority," 133 Privacy Laws & Business International Report, February 2015, p. 14-17
7 Information Commissioner's Office, Data Protection Principles, United Kingdom, https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/
8 Office of the Australian Information Commissioner, Australian Privacy Principles, https://oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles
9 Office of the Privacy Commissioner of Canada, PIPEDA Fair Information Principles, September 2011, https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
10 Office of the Privacy Commissioner for Personal Data, Six Data Protection Principles, Hong Kong, https://www.pcpd.org.hk/english/data-privacy_lau/6_data_protection/principles.html
11 Ng, J.; "Octopus CEO Resigns Over Data Sale," The Wall Street Journal, 4 August 2010, https://www.pcpd.org.hk/english/data_privacy_law/6_data_protection_principles/principles.html
12 Chong, D.; "Second Octopus Boss Quits Amid Scandal," The Standard, 20 October 2010, www.thestandard.com.hk/news_detail.asp?pp_cat=30&art_id=104016&sid=29979255&con_type=1&d_str=20101020&sear_year=2010
13 Cheung, S.; "The Challenges of Personal Data Privacy in A New Era," International Conference on Privacy Protection in Corporate Governance, 11 February 2014, https://www.pcpd.org.hk/privacyconference2014/programme.html