Ochrana osobních údajů při podnikání / Personal data protection while carrying on business

Hricová, Kateřina

January 2016

Personal data protection is only one of many specific fields of administrative law. In everyday life, personal data and their protection are quite wide area that deserves our full attention and it's possible to study it extensively. This diploma thesis deals specifically with personal data protection while processing them. First of all, it defines the right to privacy and the term personal data. Further, it deals with basic legal requirements concerning personal data processing based on Act no. 101/2000 Coll., on the protection of personal data, including transfer of personal data to other countries and its recent development in Safe Harbor principles that are rules for transfer of personal data into United States of America. Besides personal data being a unique tool to distinguish individuals from each other, they are a very useful and valuable tool in business too. Therefore the most common way of personal data processing is while carrying on a business. At the end of this thesis, some specific situations were chosen to demonstrate how entrepreneurs process personal data of their customers and other persons they come into contact with. Then the basic obligations of data processing are analyzed with respect to real situations.

Selective privacy protection for video surveillance

Matusek, F. (Florian)

27 April 2014

Abstract An unparalleled surge in video surveillance has occurred in recent years, due to some tragic events such as terror attacks, bank robberies and the activities of organized crime. Video surveillance technology has advanced significantly, which has even enabled the automatic tracking of individuals. However, in the opinion of the public the increase in security has brought about a decrease in personal privacy. Through video surveillance citizens could be monitored more easily than ever before, thus considerably intruding into their personal privacy. It was assumed that security and privacy in video surveillance was a zero-sum game in which citizens were forced to choose one over the other. This study was based on the belief that this notion is false. It was assumed that it can be possible to keep personal privacy while guaranteeing the utmost security. A solution to this issue was sought using Hevner’s design science research guidelines and design science research cycles. A video surveillance system was designed and constructed that would protect the personal privacy of uninvolved individuals under surveillance while still providing a high level of security, namely the Privacy Enhancing Video Surveillance system PEVS. PEVS protected the privacy of individuals by automatically scrambling the image regions where people were present in video streams. If a criminal act should take place, it was possible, with the proper authorization, to selectively unscramble the data of individuals of interest to analyze the situation. This enabled to analyze the situation without intruding into the privacy of uninvolved people on the one hand, while on the other hand using the data as evidence of possible criminal activity. Hence, the privacy of individuals was protected while maintaining the same level of security. PEVS provided the first technology-based video surveillance solution, which showed only relevant individuals in the image while leaving the identity of everyone else unrevealed. Therefore, the main contribution of this thesis was the construction of a novel approach to video surveillance systems, capable of selectively protecting the privacy of individuals. This included introducing an architecture for a privacy preserving video surveillance system, which consisted of several sub-constructs. These included storage techniques for privacy data and shadow detection and segmentation methods, which increased the accuracy and speed of previous methods. Further, novel security and privacy metrics for video surveillance were introduced. The overall system was a significant improvement over the existing knowledge base that has thus far seen only first steps to selective privacy protection but has failed to provide a complete system. / Tiivistelmä Videovalvonnassa on tapahtunut viime vuosina merkittävää kasvua johtuen järkyttävistä tapahtumista kuten terrori-iskut, pankkiryöstöt ja järjestäytyneen rikollisuuden toimet. Videovalvontateknologia on kehittynyt merkittävästi mahdollistaen jopa yksittäisten ihmisten automaattisen seurannan. Turvallisuuden lisääntymisen katsotaan kuitenkin vähentäneen yksityisyyttä. Videovalvonnan avulla ihmisiä pystytään seuraamaan helpommin kuin koskaan aikaisemmin tunkeutuen täten heidän yksityisyytensä alueelle. On oletettu, että turvallisuus ja yksityisyys videovalvonnassa on nollasummapeliä, jossa kansalaisten on valittava yksityisyyden ja turvallisuuden välillä. Tämä tutkimus perustuu olettamukseen, että edellä esitetty ei pidä paikkaansa, vaan että on mahdollista suojata yksityisyys samalla taaten täysi turvallisuus. Ratkaisua tähän ongelmaan etsittiin suunnittelutieteellisen tutkimuksen avulla. Työssä suunniteltiin ja toteutettiin videovalvontajärjestelmä PEVS (Privacy Enhancing Video Surveillance system), joka suojaa valvonnanalaisten sivullisten yksityisyyttä ja siitä huolimatta tuottaa korkean turvallisuustason.. PEVS suojaa henkilöiden yksityisyyttä salaamalla automaattisesti videoaineistosta ne kuva-alat, joissa esiintyy ihmisiä. Mikäli laitonta toimintaa havaittaisiin, olisi riittävillä käyttöoikeuksilla mahdollista purkaa salaus mielenkiinnon kohteena olevien henkilöiden kohdalta tilanteen analysoimiseksi. Tämä mahdollisti yhtäältä puuttumattomuuden sivullisten yksityisyyteen ja toisaalta tiedon käyttämisen todistusaineistona mahdollisen rikoksen tutkimisessa. Tällä järjestelmällä yksityisyys oli mahdollista suojata samanaikaisesti, kun turvallisuudesta huolehdittiin. PEVS mahdollisti ensimmäistä kertaa maailmassa videovalvonnan, joka näyttää vain relevantit henkilöt jättäen muiden henkilöllisyyden paljastamatta. Sen takia tämän tutkimuksen merkittävin kontribuutio oli uudenlaisen lähestymistavan kehittäminen videovalvontaan, joka kykenee valikoivasti suojelemaan ihmisten yksityisyyttä. Tämä ratkaisu sisältää yksityisyyden suojaavan, useita rakenneosia sisältävän videovalvontajärjestelmäarkkitehtuurin esittelyn. Rakenneosiin kuuluu yksityisen tiedon tallennusmenetelmiä ja varjontunnistus- ja segmentointimetodeja, jotka paransivat aiemmin käytettyjen metodien tarkkuutta ja nopeutta. Lisäksi esiteltiin uudenlainen turvallisuus- ja yksityisyysmetriikka videovalvonnalle. Toteutettu järjestelmä on huomattava lisäys nykytietämykseen, jossa yksityisyyden suojan osalta on otettu vasta ensiaskelia ja joka ei mahdollista kattavaa järjestelmää.

CCTV

computer vision

data protection

privacy

video surveillance

konenäkö

tiedon suojaus

valvontakamera

videovalvonta

yksityisyys

An investigation of ISO/IEC 27001 adoption in South Africa

Coetzer, Christo

January 2015

The research objective of this study is to investigate the low adoption of the ISO/IEC 27001 standard in South African organisations. This study does not differentiate between the ISO/IEC 27001:2005 and ISO/IEC 27001:2013 versions, as the focus is on adoption of the ISO/IEC 27001 standard. A survey-based research design was selected as the data collection method. The research instruments used in this study include a web-based questionnaire and in-person interviews with the participants. Based on the findings of this research, the organisations that participated in this study have an understanding of the ISO/IEC 27001 standard; however, fewer than a quarter of these have fully adopted the ISO/IEC 27001 standard. Furthermore, the main business objectives for organisations that have adopted the ISO/IEC 27001 standard were to ensure legal and regulatory compliance, and to fulfil client requirements. An Information Security Management System management guide based on the ISO/IEC 27001 Plan-Do-Check-Act model is developed to help organisations interested in the standard move towards ISO/IEC 27001 compliance.

ISO 27001 Standard

Computer security

Data protection

Trust on the semantic web

Cloran, Russell Andrew

07 August 2006

The Semantic Web is a vision to create a “web of knowledge”; an extension of the Web as we know it which will create an information space which will be usable by machines in very rich ways. The technologies which make up the Semantic Web allow machines to reason across information gathered from the Web, presenting only relevant results and inferences to the user. Users of the Web in its current form assess the credibility of the information they gather in a number of different ways. If processing happens without the user being able to check the source and credibility of each piece of information used in the processing, the user must be able to trust that the machine has used trustworthy information at each step of the processing. The machine should therefore be able to automatically assess the credibility of each piece of information it gathers from the Web. A case study on advanced checks for website credibility is presented, and the site presented in the case presented is found to be credible, despite failing many of the checks which are presented. A website with a backend based on RDF technologies is constructed. A better understanding of RDF technologies and good knowledge of the RAP and Redland RDF application frameworks is gained. The second aim of constructing the website was to gather information to be used for testing various trust metrics. The website did not gain widespread support, and therefore not enough data was gathered for this. Techniques for presenting RDF data to users were also developed during website development, and these are discussed. Experiences in gathering RDF data are presented next. A scutter was successfully developed, and the data smushed to create a database where uniquely identifiable objects were linked, even where gathered from different sources. Finally, the use of digital signature as a means of linking an author and content produced by that author is presented. RDF/XML canonicalisation is discussed in the provision of ideal cryptographic checking of RDF graphs, rather than simply checking at the document level. The notion of canonicalisation on the semantic, structural and syntactic levels is proposed. A combination of an existing canonicalisation algorithm and a restricted RDF/XML dialect is presented as a solution to the RDF/XML canonicalisation problem. We conclude that a trusted Semantic Web is possible, with buy in from publishing and consuming parties.

Semantic Web

RDF (Document markup language)

XML (Document markup language)

Knowledge acquisition (Expert systems)

Data protection

Enabling e-learning 2.0 in information security education: a semantic web approach

Goss, Ryan Gavin

January 2009

The motivation for this study argued that current information security ed- ucation systems are inadequate for educating all users of computer systems world wide in acting securely during their operations with information sys- tems. There is, therefore, a pervasive need for information security knowledge in all aspects of modern life. E-Learning 2.0 could possi- bly contribute to solving this problem, however, little or no knowledge currently exists regarding the suitability and practicality of using such systems to infer information security knowledge to learners.

Data protection

Computers -- Access control

The ISO/IEC 27002 and ISO/IEC 27799 information security management standards : a comparative analysis from a healthcare perspective

Ngqondi, Tembisa Grace

January 2009

Technological shift has become significant and an area of concern in the health sector with regard to securing health information assets. Health information systems hosting personal health information expose these information assets to ever-evolving threats. This information includes aspects of an extremely sensitive nature, for example, a particular patient may have a history of drug abuse, which would be reflected in the patient’s medical record. The private nature of patient information places a higher demand on the need to ensure privacy. Ensuring that the security and privacy of health information remain intact is therefore vital in the healthcare environment. In order to protect information appropriately and effectively, good information security management practices should be followed. To this end, the International Organization for Standardization (ISO) published a code of practice for information security management, namely the ISO 27002 (2005). This standard is widely used in industry but is a generic standard aimed at all industries. Therefore it does not consider the unique security needs of a particular environment. Because of the unique nature of personal health information and its security and privacy requirements, the need to introduce a healthcare sector-specific standard for information security management was identified. The ISO 27799 was therefore published as an industry-specific variant of the ISO 27002 which is geared towards addressing security requirements in health informatics. It serves as an implementation guide for the ISO 27002 when implemented in the health sector. The publication of the ISO 27799 is considered as a positive development in the quest to improve health information security. However, the question arises whether the ISO 27799 addresses the security needs of the healthcare domain sufficiently. The extensive use of the ISO 27002 implies that many proponents of this standard (in healthcare), now have to ensure that they meet the (assumed) increased requirements of the ISO 27799. The purpose of this research is therefore to conduct a comprehensive comparison of the ISO 27002 and ISO 27799 standards to determine whether the ISO 27799 serves the specific needs of the health sector from an information security management point of view.

Computer security

Information security awareness: generic content, tools and techniques

Mauwa, Hope

January 2007

In today’s computing environment, awareness programmes play a much more important role in organizations’ complete information security programmes. Information security awareness programmes are there to change behaviour or reinforce good security practices, and provide a baseline of security knowledge for all information users. Security awareness is a learning process, which changes individual and organizational attitudes and perceptions so that the importance of security and the adverse consequences of its failure are realized. Therefore, with proper awareness, employees become the most effective layer in an organization’s security defence. With the important role that these awareness programmes play in organizations’ complete information security programmes, it is a must that all organizations that are serious about information security must implement it. But though awareness programmes have become increasing important, the level of awareness in most organizations is still low. It seems that the current approach of developing these programmes does not satisfy the needs of most organizations. Therefore, another approach, which tries to meet the needs of most organizations, is proposed in this project as part of the solution of raising the level of awareness programmes in organizations.

Computer security

Data protection

Computers -- Safety measures

Lessons from Québec: towards a national policy for information privacy in our information society

Boyer, Nicole-Anne

05 1900

While on the broadest level this paper argues for a rethinking of governance in our "information society," the central thesis of this paper argues for a national policy for data protection in the private sector. It does so through three sets of lessons from the Quebec data protection experience. These include lessons for I) the policy model, (2) the policy process, (3) the policy area as it relates to the policy problem as well as general questions about governance in an information polity. The methodology for this paper is based on a four-part sequential analysis. The first part is a theoretical and empirical exploration of the problem, which is broadly defined as the "tension over personal information." The second part looks comparatively at how other jurisdictions have responded to the problem. The third part assesses which model is the better policy alternative for Canada and concludes that Quebec regulatory route is better than the national status quo. The fourth part uses a comparative public policy framework, as well as interviews, to understand the policy processes in Quebec and Ottawa so that we can highlight the opportunities and constraints for a national data protection policy in the private sector. / Arts, Faculty of / Political Science, Department of / Graduate

Information policy -- Canada

Privacy, Right of -- Canada

Privacy, Right of -- Québec (Province)

Data protection -- Canada

A multi-dimensional model for information security management

Eloff, Maria Margaretha

06 December 2011

D.Phil. / Any organisation is dependent on its information technology resources. The challenges posed by new developments such as the World Wide Web and e-business, require new approaches to address the management and protection of IT resources. Various documents exist containing recommendations for the best practice to follow for information security management. BS7799 is such a code of practice for information security management. The most important problem to be addressed in this thesis is the need for new approaches and perspectives on information security (IS) management in an organisation to take cognisance of changing requirements in the realm of information technology. In this thesis various models and tools are developed that can assist management in understanding, adapting and using internationally accepted codes of practice for information security management to the best benefit of their organisations. The thesis consists of three parts. Chapter 1 and Chapter 2 constitute Part 1: Introduction and Background. In Chapter 1 the problem statement, objectives and deliverables are given. Further the chapter contains definitions of important terminology used in the thesis as well as an overview of the research. Chapter 2 defines various terms associated with information security management in an attempt to eliminate existing confusion. The terms are mapped onto a hierarchical framework in order to illustrate the relationship between the different terms. In Part 2: IS Management Perspectives and Models, consisting of chapters 3, 4, 5 and 6, new approaches to information security management is discussed. In Chapter 3 different perspectives on using a code of practice, such as BS7799 for IS management, is presented. The different perspectives are based on the unique characteristics of the organisation such as its size and functional purpose. These different perspectives also enable organisations to focus on the controls for specific resources or security services such as integrity or confidentiality. In Chapter 4 these different perspectives ofbusiness type/size, the security services and the resources are integrated into a multi-dimensional model and mapped onto BS7799. Using the multi-dimensional model will enable management to answer questions such as: "Which BS7799 controls must a small retail organisation interested in preserving the confidentiality of their networks implement?" In Chapter 5 the SecComp model is proposed to assist in determining how well an organisation has implemented the BS7799 controls recommended for their needs. In Chapter 6 the underlying implemented IT infrastructure, i.e. the software, hardware and network products are also incorporated into determining if the information assets of organisations are sufficiently protected. This chapter combines technology aspects with management aspects to provide a consolidated approach towards the evaluation of IS. The thesis culminates in Part 3: Conclusion, which comprises one chapter only. In this last chapter, Chapter 7, the research undertaken thus far is summarised and the pros and cons of the proposed modelling approach is weighed up. The thesis is concluded with a reflection on possible areas for further research.

Information resources management

Data protection

Computer security

Database management security measures

Modeling personally identifiable information leakage that occurs through the use of online social networks

Louw, Candice

30 June 2015

M.Sc. (Computer Science) / With the phenomenal growth of the Online Social Network (OSN) industry in the past few years, users have resorted to storing vast amounts of personal information on these sites. The information stored on these sites is often readily accessible from anywhere in the world and not always protected by adequate security settings. As a result, user information can make its way, unintentionally, into the hands of not only other online users, but also online abusers. Online abusers, better known as cyber criminals, exploit user information to commit acts of identity theft, Advanced Persistent Threats (APTs) and password recovery, to mention only a few. As OSN users are incapable of visualising the process of access to their OSN information, they may choose to never adjust their security settings. This can become synonymous with ultimately setting themselves up to becoming a victim of cyber crime. In this dissertation we aim to address this problem by proposing a prototype system, the Information Deduction Model (IDM) that can visualise and simulate the process of accessing information on an OSN profile. By visually explaining concepts such as information access, deduction and leakage, we aim to provide users with a tool that will enable them to make more informed choices about the security settings on their OSN profiles thereby setting themselves up for a pleasant online experience.

Online social networks - Access control

Data protection