Abstract
Cyberspace inhabitants live under threat of a complex data privacy protection problem in a technology-dependent information-intensive phenomenon grown out of a vicious circle. The front-line Information security professionals are among the first to bear the brunt and are in dire need of guidance for enforcing effectively the policies and standards and mitigating the adverse consequences of data privacy breaches since the policy statements are invariably dated due to the rapid advances of the technology, limited to cope with techno-socio threats, inadequate to deal with the well-equipped and cunning cybercriminals, and vague and less than user-friendly, or simply difficult to absorb and follow. A framework that comprises the newly developed hexa-dimension code of practice based on the 6-dimension metric (represented by the LESTEF model) and an operationalization scheme are proposed, where the code in which the gist of the adopted policies is incorporated promises to be a handy reference or a quick guide capable of alleviating the information security staff's burden.
TopBackground
Netizens are provided with such technologies as Customer Relationship Management, Web-lining and Call Centre, and so on; they can by means of these facilities conduct their daily activities more efficiently and effectively, and optimize the outcome of these activities, because they are better-informed and able to innovate marketing, to accelerate business promotion, to enlarge data storage capacity and communication coverage, to increase retrieval facilities, and to improve transaction speed in a more transparent and open environment. But then they will need to rely increasingly heavily on the technologies. While transparency and communication keep on improving, more and more data are consumed and correspondingly generated. This is akin to a vicious circle that “the happier the consumers of information and the higher the demand for more information leading to heavier reliance on the technology”. Or in other words, as the suppliers of goods or providers of services generate more and more data in order to sustain transparency and maintain the market share thus gained, the consumers demand more and more information after having enjoyed good bargains, and consequently, the technology expands storage capacity to process the increase in volume of the data generated, and upgrades processing power to handle the increase in complexity of the applications required. This can be called a technology-driven information-intensive phenomenon. (See Figure 1).
The consequence of the technology-driven information-intensive phenomenon is good and bad. The good is the accelerated arrival of such technologies as Big Data, Cloud Computing, Internet of Things and social engineering tools. These technologies enable integration of massive, scattered datasets, efficient interpretation of the integrated data, and speedier communication of the information. An obvious benefit is that with a huge amount of information being made available, the cyber-world becomes more transparent and netizens are better informed. And the bad is that there emerges numerous additional security threats bred in the loopholes in the new technologies, in the use of them or in the facilities enabled by the massive volume of data they generate, which the cyber-miscreants are ever lurking around to exploit when detected. However, it is noteworthy that some clandestine activities which are brought to light, for example, the Snowden episode (South China Morning Post, 2013) and the Panama Papers leak (Wilson, 2016), can be beneficial to some people/organizations and adversary to others.
Figure 1. A conceptual graph of the circle and the phenomenon
Key Terms in this Chapter
Technology-Driven Information-Intensive Phenomenon: A state that characterizes the modus operandi in cyberspace and attributes to the vicious circle: More and more information is needed to sustain more transparent business operations, thus satisfying the more demanding consumers of information; higher utilization of more technologies is needed to generate more information to handle the enlarged data volume, and to further increase the processing speed.
Post-Implementation Problem (An Example): An online monitoring system was implemented to replace an existing offline help-desk platform. The Executive Vice President (EVP) is impressed by the performance, particularly the online monitoring capability provided by the system, and asks the Chief Information Officer (CIO) to have a copy of the system installed in her office to track drug dealing allegedly taken place on company premises. Dilemmas that need to be addressed include deviation of approval of acquisition, privacy invasion, corporate image damage, professionalism (CIO), duty (EVP); treated as a means (staff); staff morale & corporate policy (Firm).
The Solution: A hexa-dimension code of practice , a list of rules and regulations that encapsulates the gist of the policies and standards adopted by the organization, and embraces the six criteria.
The Data Privacy Protection Problem: To develop and implement data privacy policies, standards, guidelines and processes (the policies), to ensure that the policies are appropriately enhanced, communicated and complied with, and to devise a set of effective mitigation measures.
GCF Computing: Slow Tech is not a technology that is slow but a movement that parallels with the same concept of the Slow Food movement. Slow Food International claimed in 1989 that the Slow Food Movement was set up to “counter the rises of fast food and fast life”: to strive for good food (food that tastes good, is a pleasure to eat and selected according to its quality), clean food (food that is produced by such a process that respects the environment and should promote biodiversity and sustainability), and fair food (food that is cultivated and produced by ways that must respect the farmers). GCF Computing (Good Computing, Clean Computing, Fair Computing) was proposed and defined following the Slow Tech concept (Patrignani & Whitehouse, 2014).
PDPO Data Protection Principles (DPP): (1) Data Collection and Purpose; (2) Accuracy and Retention; (3) Data Use; (4) Data Security; (5) Openness; and (6) Data Access and Correction ( https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html ).
Operationalization Scheme: Acquire Board’s endorsement and infrastructural support from other relevant departments, and determine the relevant criteria/factors according to the nature of the problem and the target users and a quantification system for measuring against and balancing the criteria.
PDPO: Personal Data (Privacy) Ordinance (Hong Kong’s privacy law), enacted in 1995 ( https://www.pcpd.org.hk/english/files/pdpo.pdf ).
Post-Contract Problem (an example): The specification was approved by provider and client, and contract duly signed. A senior project consultant who was assigned to the project discovered a fault in the specification, a fault in the inventory control function. Inventory control is a critical function for the business of the client, a fashion boutique, because supply and demand of the goods for sale is time –critical and zero error-tolerance is expected according to the specification. The fault was confirmed after the consultant’s site visit. The consultant faces the dilemma: Keep quiet or tell the boss or the client or both.
International Data Privacy Principles: Comprise 13 principles (Zankl, 2016).
Data Privacy: Can be personal data privacy if the data subjects refer to individuals or corporate data privacy if the data subjects refer to organizations including government agencies.