An Ethical Approach to Data Privacy Protection
Journal, 2016, Volume 6

Author: Wanbil W. Lee, DBA, FBCS, FHKCS, FHKIE, FIMA, Wolfgang Zankl, Ph.D. and Henry Chang, CISM, CIPT, CISSP, DBA, FBCS
Date Published: 24 December 2016

Privacy, trust and security are closely intertwined, as are law and ethics. Privacy preservation and security provisions rely on trust (e.g., one will allow only those whom one trusts to enter one’s zone of inaccessibility; one will not feel secure unless one trusts the security provider). Violation of privacy constitutes a risk, thus, a threat to security. Law provides a resolution when ethics cannot (e.g., ethics knows that stealing is wrong; the law punishes thieves); ethics can provide context to law (e.g., law allows trading for the purpose of making a profit, but ethics provides input into ensuring trade is conducted fairly). Privacy breaches disturb trust and run the risk of diluting or losing security; it is a show of disrespect to the law and a violation of ethical principles.

Data privacy (or information privacy or data protection) is about access, use and collection of data, and the data subject’s legal right to the data. This refers to:

- Freedom from unauthorized access to private data
- Incorrect use of data
- Accuracy and completeness when collecting data about a person or persons (corporations included) by technology
- Availability of data content, and the data subject’s legal right to access; ownership
- The rights to inspect, update or correct these data

Data privacy is also concerned with the costs if data privacy is breached, and such costs include the so-called hard costs (e.g., financial penalties imposed by regulators, compensation payments in lawsuits such as noncompliance with contractual principles) and the soft costs (e.g., reputational damage, loss of client trust).

Though different cultures place different values on privacy or make it impossible to define a stable, universal value, there is broad agreement that privacy does have an intrinsic, core and social value. Hence, a privacy approach that embraces the law, ethical principles, and societal and environmental concerns is possible despite the complexity of and difficulty in upholding data privacy.

Data Privacy Protection

Undoubtedly, protecting data privacy is urgent and complex. This protection is necessary because of the ubiquity of the technology-driven and information-intensive environment. Technology-driven and information-intensive business operations are typical in modern corporations. The benefits of this trend are that, among other things, the marketplace is more transparent, consumers are better informed and trade practices are more fair. The downsides include socio-techno risk, which originates with technology and human users (e.g., identity theft, information warfare, phishing scams, cyberterrorism, extortion), and the creation of more opportunities for organized and sophisticated cybercriminals to exploit. This risk results in information protection being propelled to the top of the corporate management agenda.

The need for data privacy protection is also urgent due to multidirectional demand. Information protection becomes an essential information security function to help develop and implement strategies to ensure that data privacy policies, standards, guidelines and processes are appropriately enhanced, communicated and complied with, and effective mitigation measures are implemented. The policies or standards need to be technically efficient, economically/financially sound, legally justifiable, ethically consistent and socially acceptable because many of the problems commonly found after implementation and contract signing are of a technical and ethical nature, and information security decisions become more complex and difficult.

Data privacy protection is complex due to socio-techno risk, a new security concern. This risk occurs with the misuse of technology that is used to store and process data. For example, taking a company universal serial bus (USB) device home for personal convenience runs the risk of breaching a company regulation that no company property shall leave company premises without permission. That risk becomes a data risk if the USB contains confidential corporate data (e.g., data about the marketing strategy, personnel performance records) or employee data (e.g., employee addresses, dates of birth). The risk of taking the USB also includes theft or loss.

Using technology in a manner that is not consistent with ethical principles creates ethical risk, another new type of risk. In the previous example, not every employee would take the company USB home, and those who decide to exploit the risk of taking the USB may do so based on their own sense of morality and understanding of ethical principles. The ethical risk (in addition to technical risk and financial risk) arises when considering the potential breach of corporate and personal confidentiality. This risk is related partly to technology (the USB) and partly to people (both the perpetrator and the victims) and is, therefore, a risk of a technological-cum-social nature—a socio-techno risk. Hence, taking home a USB is a vulnerability that may lead to a violation of data privacy.

However, the challenge of data privacy is not unsolvable. The composite approach alluded to earlier that takes into consideration the tangible physical and financial conditions and intangible measures against logical loopholes, ethical violations, and social desirability is feasible, and the method suggested in this article, which is built on a six-factor framework, can achieve this objective.

Methods for Data Privacy Protection

The method is modeled on a framework originally conceived and developed to provide a fresh view to decision makers and is based on the following three major instruments:

International Data Privacy Principles

Data privacy can be achieved through technical and social solutions. Technical solutions include safeguarding data from unauthorized or accidental access or loss. Social solutions include creating acceptability and awareness among customers about whether and how their data are being used, and doing so in a transparent and confidential way. Employees must commit to complying with corporate privacy rules, and organizations should instruct them in how to actively avoid activities that may compromise privacy.

Next to technical and social solutions, the third element of achieving privacy is complying with data protection laws and regulations, which involves two issues. The first issue is that legal regulation is slow and, thus, unable to keep up with the rapid developments of information technology. Legal solutions are usually at least one step behind technological developments. Data privacy by electronic means should, therefore, be based not only on traditional jurisdiction, but also on soft law, i.e., self-binding policies such as the existing data privacy principles. Soft law may be more effective than hard law. The reactions of disappointed customers, especially when those reactions are spread by social media, and the fact that noncompliance with corporate governance may result in unfair competition and/or liability toward affected customers (unfair competition by not complying with self-binding policies/liability toward customers by breach of contract) will often be more effective than mere fines or penalties.

The second problem of data protection has to do with the fact that these regulations are not internationally harmonized, causing severe complications (especially between the USA and the European Union) on a cross-border basis, which is the rule rather than the exception in modern business. To make data privacy rules work in a global environment, the principles outlined in this article take into consideration US standards (e.g., the US Federal Trade Commission’s Fair Information Practices), European standards (e.g., Data Protection Directive 95/46/EC and the General Data Protection Regulation (GDPR)), Asian regulations (e.g., Hong Kong Personal Data Privacy Ordinance (PDPO)) and international benchmarks (e.g., the Organization for Economic Co-operation and Development (OECD) Privacy Framework Basic Principles).

This article also considers the fact that common data privacy regulations, especially in Europe, tend to focus on a traditional human rights approach, neglecting the fact that nowadays, data are usually given away voluntarily upon contractual agreement. When using sites such as Google, Baidu, Amazon, Alibaba or Facebook, users agree with the terms and conditions of these companies. Data privacy should consider not only mere data protection, but also contractual principles, among which one of the oldest and most fundamental is do ut des, meaning a contract in which there is a certain balance between what is given and what is received. That approach explains why companies such as Google or Facebook, for whose services the customer does not pay, have the right to use personal data. In other words, that tradeoff—data for services—is the balance.4

The customer being less protected when receiving free services is a basic element of the European E-Commerce Directive, which does not apply to services that are offered free of charge. But this consideration is only a first step. Applied to a modern data environment, a balance also has to be struck in relation to other parameters relevant to contractual aspects of data privacy. Because data are a contract matter, it is important to consider what kind of personal data are in consideration (e.g., sensitive and nonsensitive data have to be distinguished and treated differently), and since contracts are concluded by mutual consent, the extent of such consent also has to be taken into account. For example, does consent have to be declared explicitly or is accepting the terms of use sufficient?

The IDPPs approach takes into consideration the Asian, European, US and international data protection standards and focuses on personal data, but can apply to corporate data as well. These principles suggest that the three parameters (payment, consent and data category) should be balanced and combined with the abovementioned Asian, European, US and international standards, putting them into a set of privacy rules. Organizations in compliance with international data privacy standards should commit to the following 13 IDPPs:5

1. Comply with national data protection or privacy law, national contract law, and other legal requirements or regulations relating to data privacy.
2. Comply with current security standards to protect stored personal data from illegitimate or unauthorized access or from accidental access, processing, erasure, loss or use.
3. Implement an easily perceptible, accessible and comprehensible privacy policy with information on who is in charge of data privacy and how this person can be individually contacted, why and which personal data are collected, how these data are used, who will receive these data, how long these data are stored, and whether and which data will be deleted or rectified upon request.
4. Instruct employees to comply with such privacy policies and avoid activities that enable or facilitate illegitimate or unauthorized access in terms of IDPPs.
5. Do not use or divulge any customer data (except for statistical analysis and when the customer’s identity remains anonymous), unless the company is obliged to do so by law or the customer agrees to such use or circulation.
6. Do not collect customer data if such collection is unnecessary or excessive.
7. Use or divulge customer data in a fair way and only for a purpose related to activities of the company.
8. Do not outsource customer data to third parties unless they also comply with standards comparable to these IDPPs.
9. Announce data breaches relating to sensitive data.
10. Do not keep personal data for longer than necessary.
11. Do not transfer personal data to countries with inadequate or unknown data protection standards unless the customer is informed about these standards being inadequate or unknown and agrees to such a transfer.
12. In the case of a contract between the company and the customer in which the customer commits to pay for services or goods:
    - Inform the customer individually and as soon as reasonably possible in the event of a data breach.
    - Inform the customer upon request about which specific data are stored, and delete such data upon request unless applicable laws or regulations require the company to continue storing such data.
    - Do not use or divulge content-related personal data.
    - Do not use or divulge any other personal data without the customer’s explicit, separate and individual consent.
    - Do not store, use or divulge any customer data, unless applicable laws or regulations require the company to continue storing such data.
13. In the absence of a contract between the company and the customer in which the customer commits to pay for services or goods:
    - Inform the customer as soon as reasonably possible in the event of data breaches.
    - Inform the customer upon request what types of sensitive data are stored and delete such data upon request when such data are outdated, unless applicable laws or regulations require the company to continue storing such data.
    - Do not use or divulge sensitive data without the customer’s explicit, separate and individual consent.

The Hong Kong Personal Data Privacy Ordinance

The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Privacy Guidelines)6 are often the standard that data protection laws of many countries reference.7

The OECD Privacy Guidelines have eight basic principles:

- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle

Being a framework with the aim of providing guidelines to jurisdictions to enact their own privacy laws, the definitions of these principles are at a high level deliberately. When these high-level principles are converted to national laws, many jurisdictions adopt the same principles-based approach. For example, the UK’s Data Protection Act uses eight DPPs,8 Australia’s Privacy Act has 13 privacy principles,9 and the Canadian Personal Information Protection and Electronic Documents Act has 10 principles.10

For the purpose of illustration, the remaining part of this article will use Hong Kong’s PDPO, enacted in 1995 and Asia’s first privacy law, to highlight the salient points on how ethical considerations are built into the implementation of privacy law that is compatible with the OECD Privacy Guidelines.

The Six Data Protection Principles of PDPO

An explanation of the DPPs is provided by the Hong Kong Office of the Privacy Commissioner for Personal Data,11 and can be summarized as:

- Data Collection and Purpose Principle:
    - Personal data must be collected in a lawful and fair way for a purpose directly related to a function/activity of the data user (i.e., those who collect personal data).
    - Data subjects (i.e., individuals from whom personal data are collected) must be informed of the purpose and the classes of persons to whom the data may be transferred.
    - Data collected should be necessary, but not excessive.
- Accuracy and Retention Principle—Personal data must be accurate and must not be kept for a period longer than is necessary to fulfill the purpose for which they are used.
- Data Use Principle—Personal data must be used for the purpose for which the data are collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
- Data Security Principle—A data user needs to take reasonably practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use, while taking into account the harm that would affect the individual should there be a breach.
- Openness Principle—A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data are used.
- Data Access and Correction Principle—Data subjects must be given access to their personal data and allowed to make corrections if the data are inaccurate.

The PDPO is principle-based and is not a piece of prescriptive law. Knowing the underlying ethical considerations for each principle will help an organization to better understand the spirit and the letter of the law when developing a compliance program. In particular, ethical relevance is clearly evident in the implications of PDPO privacy protection principles:

- DPP1 states that the collection of personal data must be fair and that personal data collected must not be excessive. Whether the collection is fair and excessive will have to be assessed under the circumstance. Given that fairness and excessiveness for one person may not be the same for another person, there is, inevitably, a judgment involved in the assessment. That relativistic judgment will, in turn, be influenced by the society’s acceptable behavior and value, i.e., its collective ethical belief.
- DPP2 states that collected personal data are not to be kept for longer than is necessary. As there is also an element of judgment on necessity, it can be argued on practical grounds that there may be an ethical dilemma in deciding on a short retention period that is protective of the individuals or a longer period that is protective of the interests (commercial or otherwise) of the organization that collects the personal data.
- DPP3 states that data use that is not directly related to the original purpose may be carried out only with the consent of the individual. This may be interpreted as respecting the wishes of the individuals. Even if the organization thinks that the changed use would be beneficial to individuals, the organization has no right to take away the individual’s free will and choice.
- DPP4 states that organizations must implement reasonable security protection on the collected personal data to prevent data leakage. While leaving aside the decision on how many resources and how much effort an organization should use to protect the personal data collected, DPP4 asks organizations to balance the resources and effort against the likely harm to individuals.

In 2010, ethical considerations related to data protection played a major role in testing existing laws. The Octopus card is a “digital wallet” that many Hong Kong citizens use for daily transport and everyday purchases. In 2010, it was discovered that Octopus Cards Limited, the company that owned the cards, was selling card owners’ loyalty membership to insurance companies for direct marketing purposes. As a result of public outcry, the privacy commissioner investigated and concluded that while the sale of customer records was not prohibited by the law at the time, the company failed to make a meaningful effort to seek consent from customers when it informed them of this data use in a privacy policy statement.

The company denied contravening the law, but accepted that its actions fell short of customer expectations. Two senior officers of the company stepped down during the investigation.12, 13

The heightened public awareness of personal data rights that emerged in the wake of the incident changed expectations of organizational behavior. No longer will people accept companies doing only the bare minimum required by law; they must also act ethically. The chief executive officer (CEO) who took over Octopus Cards Limited after the incident captured the new expectations succinctly: “We should perform not simply legal, yet what is appropriate.”14

The Hexa-dimension Code of Conduct

A code of conduct serves a variety of functions, one of the most important of which is to serve as a guide for stakeholders based on a set of rules and standards. Despite official adoption, company policies and standards, which tend to be difficult for stakeholders, including employees, to absorb, are not easy to enforce effectively and are likely ignored in the end. A code of conduct, if formulated and articulated well, should serve to communicate the policies and standards to stakeholders in a relatable way. While such codes may serve to deter potential offensive actions, they are limited in enforcing those rules or standards; they rely purely on the ethical obligation of the stakeholders concerned, because violation by itself does not, in general, attract any criminal charges in the legal sense. However, despite the good intention and official adoption, the code by itself cannot guarantee more ethical behavior, and auxiliary measures must be in force to operationalize the rules and standards effectively.

Organizations of all types may have some form of code of practice in place. However, the extant codes invariably tend to focus on technical, financial and legal concerns and are inadequate when considering the ethical, social and environmental concerns that quickly arise and ascend to the top of corporate and IT management agendas. Different organizations have their own unique policies and a unique code of conduct; there can be no universal recipe, only a general guideline. As a general guide for designing a code of conduct, the hexa-dimension framework is recommended. This framework comprises two major components: the theoretical hexa-dimension metric for measuring legal validity, social desirability, ecological sustainability, ethical acceptability, technical effectiveness and financial viability (the six requirements/factors) and a scheme for operationalizing the framework. The operationalization scheme is carried out in three major steps, including:

1. Identify the relevant critical factors depending on the target end users (corporatewide or a functional unit or nature of operation). For example, ecological impact is critical for a mining company or a manufacturing plant, but can probably be skipped for an information security unit.
2. Secure the support of the board of directors with respect to corporate policy aspects and the supporting infrastructures that include the organization’s human resources (HR) management, legal, finance, and information and communications technology functional units with respect to technical support and reference. An appraisal of ethical consistency in conduct should be included during annual performance reviews (by HR).
3. Determine a schedule for quantifying the attributes of each factor for measuring, prioritizing and balancing the factors. The attributes/components will help determine the steps to be taken to measure the effectiveness.

If properly and appropriately formulated and articulated, the code can be useful in disseminating the policies and standards throughout the organization and beyond, thus promoting corporatewide ethical, professional conduct. While a code may deter potential offensive actions, it is limited in enforcing the rules or standards. The limitation exists because the code can rely only on the stakeholders’ sense of ethics, since violation of the code does not entail any criminal charges. Auxiliary measures must be put in place to arrive at desirable results, such as executive actions that provide rewards and impose punishment (e.g., discussing the hexa-dimensional code of conduct during an annual performance appraisal when those being appraised are asked to exemplify that their assigned duties were carried out in a manner consistent with data privacy protection policies, i.e., not breaking the law; not harmful to people and society at large; not wasteful of the resources available including the computer facilities, the workforce, the budget; and not harming the environment).

Information security professionals are in urgent need of effective and pragmatic guidance for developing data privacy protection standards for two major reasons. The first is that the information security function in a technology-driven information-intensive environment becomes more complicated because of new risk (e.g., socio-techno risk); the second is that data privacy protection becomes a major concern to information security management as privacy infringement occurs frequently and attracts wide coverage in the media. Viewing privacy from the perspective of ethics can help enterprises establish and improve their code of conduct. Considering privacy from an ethical point of view and establishing a code of conduct makes all individuals in an organization, not just security personnel, accountable for protecting valuable data.


1 Zankl, W.; The International Data Privacy Principles, presented at Harvard University, Cambridge, Massachusetts, USA, October 2014
2 The Personal Data (Privacy) Ordinance, Chapter 486
3 Lee, W. W.; “A Hexa-dimension Metric for Designing Code of Ethical Practice,” Encyclopedia of Information Science and Technology, 4th Edition, July 2017
4 It has been argued that companies using, for instance, their Internet platforms for advertising purposes are already being paid by the advertisers so there is no need for further payment with data. This point of view neglects the fact that do ut des refers to a balance between quid pro quo of the contracting parties and not between these parties and third parties. That is why readers have to pay for magazines despite the publisher receiving payments from third parties (advertisers).
5 Op cit, Zankl
6 Organization for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
7 Greenleaf, G.; “Global Data Privacy Laws 2015: 109 Countries, with European Laws Now a Minority,” 133 Privacy Laws & Business International Report, February 2015, p. 14-17
8 Information Commissioner’s Office, Data Protection Principles, UK
9 Office of the Australian Information Commissioner, Australian Privacy Principles
10 Office of the Privacy Commissioner of Canada, PIPEDA Fair Information Principles, September 2011
11 Office of the Privacy Commissioner for Personal Data, Six Data Protection Principles, Hong Kong
12 Ng, J.; “Octopus CEO Resigns Over Data Sale,” The Wall Street Journal, 4 August 2010
13 Chong, D.; “2nd Octopus Boss Quits Amid Scandal,” The Standard, 20 October 2010
14 Cheung, S.; “The Challenges of Personal Data Privacy in A New Era,” International Conference on Privacy Protection in Corporate Governance, 11 February 2014