Advancing information privacy concerns evaluation in personal data intensive services

Rohunen, A. (Anna)

04 December 2019

Abstract When personal data are collected and utilised to produce personal data intensive services, users of these services are exposed to the possibility of privacy losses. Users’ information privacy concerns may lead to non-adoption of new services and technologies, affecting the quality and the completeness of the collected data. These issues make it challenging to fully reap the benefits brought by the services. The evaluation of information privacy concerns makes it possible to address these concerns in the design and the development of personal data intensive services. This research investigated how privacy concerns evaluations should be developed to make them valid in the evolving data collection contexts. The research was conducted in two phases: employing a mixed-method research design and using a literature review methodology. In Phase 1, two empirical studies were conducted, following a mixed-method exploratory sequential design. In both studies, the data subjects’ privacy behaviour and privacy concerns that were associated with mobility data collection were first explored qualitatively, and quantitative instruments were then developed based on the qualitative results to generalise the findings. Phase 2 was planned to provide an extensive view on privacy behaviour and some possibilities to develop privacy concerns evaluation in new data collection contexts. Phase 2 consisted of two review studies: a systematic literature review of privacy behaviour models and a review of the EU data privacy legislation changes. The results show that in evolving data collection contexts, privacy behaviour and concerns have characteristics that differ from earlier ones. Privacy concerns have aspects specific to these contexts, and their multifaceted nature appears emphasised. Because privacy concerns are related to other privacy behaviour antecedents, it may be reasonable to incorporate some of these antecedents into evaluations. The existing privacy concerns evaluation instruments serve as valid starting points for evaluations in evolving personal data collection contexts. However, these instruments need to be revised and adapted to the new contexts. The development of privacy concerns evaluation may be challenging due to the incoherence of the existing privacy behaviour research. More overarching research is called for to facilitate the application of the existing knowledge. / Tiivistelmä Kun henkilötietoja kerätään ja hyödynnetään dataintensiivisten palveluiden tuottamiseen, palveluiden käyttäjien tietosuoja saattaa heikentyä. Käyttäjien tietosuojahuolet voivat hidastaa uusien palveluiden ja teknologioiden käyttöönottoa sekä vaikuttaa kerättävän tiedon laatuun ja kattavuuteen. Tämä hankaloittaa palveluiden täysimittaista hyödyntämistä. Tietosuojahuolten arviointi mahdollistaa niiden huomioimisen henkilötietoperusteisten palveluiden suunnittelussa ja kehittämisessä. Tässä tutkimuksessa selvitettiin, kuinka tietosuojahuolten arviointia tulisi kehittää muuttuvissa tiedonkeruuympäristöissä. Kaksivaiheisessa tutkimuksessa toteutettiin aluksi empiirinen monimenetelmällinen tutkimus ja tämän jälkeen systemaattinen kirjallisuustutkimus. Ensimmäisessä vaiheessa tehtiin kaksi empiiristä tutkimusta monimenetelmällisen tutkimuksen tutkivan peräkkäisen asetelman mukaisesti. Näissä tutkimuksissa selvitettiin ensin laadullisin menetelmin tietosuojakäyttäytymistä ja tietosuojahuolia liikkumisen dataa kerättäessä. Laadullisten tulosten pohjalta kehitettiin kvantitatiiviset instrumentit tulosten yleistettävyyden tutkimiseksi. Tutkimuksen toisessa vaiheessa toteutettiin kaksi katsaustyyppistä tutkimusta, jotta saataisiin kattava käsitys tietosuojakäyttäytymisestä sekä mahdollisuuksista kehittää tietosuojahuolten arviointia uusissa tiedonkeruuympäristöissä. Nämä tutkimukset olivat systemaattinen kirjallisuuskatsaus tietosuojakäyttäytymisen malleista sekä katsaus EU:n tietosuojalainsäädännön muutoksista. Tutkimuksen tulokset osoittavat, että kehittyvissä tiedonkeruuympäristöissä tietosuojakäyttäytyminen ja tietosuojahuolet poikkeavat aikaisemmista ympäristöistä. Näissä ympäristöissä esiintyy niille ominaisia tietosuojahuolia ja huolten monitahoisuus korostuu. Koska tietosuojahuolet ovat kytköksissä muihin tietosuojakäyttäytymistä ennustaviin muuttujiin, arviointeihin voi olla aiheellista sisällyttää myös näitä muuttujia. Olemassa olevia tietosuojahuolten arviointi-instrumentteja on perusteltua käyttää arvioinnin lähtökohtana myös kehittyvissä tiedonkeruuympäristöissä, mutta niitä on mukautettava uusiin ympäristöihin soveltuviksi. Arvioinnin kehittäminen voi olla haasteellista, sillä aikaisempi tietosuojatutkimus on epäyhtenäistä. Jotta sitä voidaan soveltaa asianmukaisesti arviointien kehittämisessä, tutkimusta on vietävä kokonaisvaltaisempaan suuntaan.

information privacy

mixed-method research

personal data

personal data intensive services

privacy behaviour

privacy concerns

privacy concerns evaluation

dataintensiiviset palvelut

henkilötiedot

monimenetelmällinen tutkimus

tietosuoja

tietosuojahuolet

tietosuojahuolten arviointi

tietosuojakäyttäytyminen

Individanpassad marknadsföring : ett hot mot konsumentens integritet / P ersonalized Marketing : A Threat towards customers privacy

Arezouvand, Mahnoush, Rahsepar Mohammadi, Rojano Sadat

January 2022

Individanpassad marknadsföring drivs till stor del av de fördelar som den tillför till ett företags kundrelationer och marknadsföringsresultat. Idag försöker annonsörer möta kundernas förväntningar på en individuell nivå. Tillsammans med detta har den avancerade utveckling av informationsteknologi öppnat nya möjligheter för att kunna samla in och analysera kunddata till att skapa individanpassad marknadsföring. Faktum är att företag behöver samla in mycket information från kunderna för att tillhandahålla kundanpassade tjänster. Syftet med studien är att undersöka och redogöra om individanpassad marknadsföring är något som värdesätts av konsumenter eller uppfattas som ett hot mot konsumentens integritet. Med stöd av denna studie utreder vi de underliggande faktorerna hos konsumenternas positiva eller negativa förhållningssätt gentemot fenomenet. En kvalitativ studie av tolv individuella intervjuer har genomförts. Resultatet visade sig att individanpassad marknadsföring upplevs vara ett hot mot konsumentens integritet. De underliggande faktorer som skapar en känsla av hot är konsumenternas brist på kunskap, brist på lättläst datainsamlingsmetod, begränsning av kontroll över hur ens genererade data kan användas, tvång till att acceptera olika användarvillkor i utbyte av de tjänster som används. Ytterligare faktorer som skapar en känsla av hot för konsumenterna visade sig vara irritation över annonser, tillit för aktören och placeringen av annonsen. Resultatet tyder även på att individanpassad marknadsföring kan uppskattas av konsumenterna i en situation där det uppstår ett ömsesidigt värdeutbyte. / Personalized advertising is largely driven by the benefits that it brings to a company's customer relationship and marketing results. Today, advertisers try to meet customer expectations individually. In the same way, the development of information technology has opened new opportunities for collecting and analyzing customer data to create personalized advertising. In fact, companies need to gather a big amount of information from customers to provide customized services. The purpose of the study is to investigate whether personalized advertising is being valued by customers or does it perceive as a threat to their privacy. This study also investigates the underlying factors of customers' positive or negative attitudes towards personalized advertising. A qualitative study of 12 individual interviews has been conducted. The results showed that personalized advertising is perceived as a threat to customer privacy. The underlying factors that cause a sense of threat are: customer' lack of knowledge, lack of easy-to-read information about data collection methods by actors, restriction of customers' control about how their data should be used, compulsion to accept the various user terms of use in exchange of service. The result of this study also showed that ad irritation, customers' trust in the company and ad placement also affects how customers experience personalized advertising. The results also show that this type of marketing strategy can be appreciated by customers in a situation where a value exchange occurs.

personalized advertising

privacy

privacy paradox

privacy calculus

personal data / information

big data.Eshgham

Individanpassad marknadsföring

privacy paradox

privacy calculus

personal data/information

big data.

Business Administration

Företagsekonomi

Les registres médicaux et la confidentialité

Giroud, Clémentine

08 1900

"Mémoire présenté à la Faculté des études supérieures en vue de l'obtention du grade de Maîtrise en LL.M. Droit - Recherche option Droit, Biotechnologies et Sociétés" / Les registres médicaux sont des banques de données, ayant des caractéristiques spécifiques, rassemblant tous les cas d'une maladie sur un territoire précis. Ces informations permettent la mise en place de politiques de santé publique ainsi que l'étude de maladies afin de faire progresser la recherche médicale. La question se pose donc de savoir comment la réglementation concernant le respect de la vie privée s'applique aux particularités des registres. La législation actuellement en vigueur au Québec prévoit l'obligation d'obtenir le consentement du patient avant d'inclure les données le concernant dans le registre. Ces renseignements personnels de santé recueillis dans le registre doivent être protégés afin de respecter la vie privée des participants. Pour cela, des mesures concernant la confidentialité et la sécurité des données doivent être mises en place en vue de leur conservation et durant celle-ci. Après l'utilisation principale de ces données, il est possible de se servir à nouveau de ces renseignements personnels à d'autres fins, qu'il faille ou non les transférer vers une autre banque de données, nationale ou étrangère. Néanmoins cette utilisation secondaire ne peut se faire qu'à certaines conditions, sans porter atteinte au droit des participants concernant le respect de la vie privée. / Medical registries are databases which record aIl cases of a specifie disease found in a given area. Registries provide vital information for public health research and for the implementation of appropriate public policies. The question is : How does the regulation of privacy apply to registries? Legislation currently in force in the province of Quebec requires the consent of a patient in order to inc1ude personal information in the registry. Personal health data in a registry have to be protected to preserve the privacy of research subjects. To ensure data security and confidentiality sorne measures must be taken during their conservation. Secondary use of data is possible under certain conditions aimed at protecting the right to privacy. It is possible to use such personal information again for other purposes even if the data need to be transferred to another national or foreign database.

Registre

Renseignement personnel

Respect de la vie privée

Consentement

Confidentialité

Registry

Personal data

Privacy

Consent

Confidentiality

L'encadrement juridique du traitement des données personnelles sur les sites de commerce en ligne

Chassigneux, Cynthia

07 1900

"Thèse en vue de l'obtention du grade de docteur en droit de l'Université Panthéon-Assas (Paris II) et de docteur en droit de la faculté de droit de l'Université de Montréal en droit privé" / Dans un environnement électronique tel qu'Internet, les relations s'établissant entre les entreprises en ligne et les internautes doivent se dérouler dans un climat de confiance. Cette considération, particulièrement importante eu égard au traitement des données personnelles, doit conduire les commerçants électroniques à respecter un certain nombre de principes en la matière. Ces principes sont relatifs au consentement, à la collecte, à l'utilisation, à la communication, à la sécurité, à l'exactitude (droit d'accès et de rectification), et à la destruction. Ils sont énoncés en termes généraux dans des instruments de nature législative, comme les Lignes directrices de l'OCDE, la Convention 108 du Conseil de l'Europe, la Directive 95/46/CE du Parlement européen et du conseil, la Loi Informatique et Libertés, la Loi sur le secteur privé, la Loi C-6. Cependant, compte tenu de la dimension transfrontalière du réseau, ces protections ne suffisent pas à elles seules à instaurer un climat de confiance, leur application étant limitée dans l'espace. Par conséquent, et pour tenir compte de la logique actuelle, il convient de reconnaître l'émergence de nouvelles normes susceptibles d'encadrer les renseignements personnels qui circulent sur les sites de commerce en ligne. Des garanties complémentaires de nature autoréglementaire se développent donc sous la forme de politiques de confidentialité, de labels de qualité ou de standards comme le Platform for Privacy Preferences. Toutefois, la logique sous-jacente de ces garanties soulève des questions quant à leur effectivité et à leur contrôle tant par des autorités publiques que par des associations privées. / In an electronic environment such as Internet, relationships between on-line companies and web users must proceed in a c1imate of trust. This consideration, particularly significant in regard to the processing of personal data, must bring the cyber merchant to respect a number ofprinciples from which trust can emerge. These principles pertain to consent, collection, use, disclosure, safety, accuracy (access and correction rights), and destruction of personal data. They are expressed in general terms in legislative instruments such as the OECD Guidelines on Privacy, the Council of Europe Convention 108, the European Parliament and of the Council Directive 95/46/CE, the Loi Informatique et Libertés, the Loi sur le secteur privé and the Act C-6. However, taking into account the transborder nature of Internet data exchanges, these protections alone are not enough to create a c1imate of trust, their application being limited in space. Consequently, and to take in account CUITent legal protections, it is possible to acknowledge the development of new standards to manage the movements of personal data on commercial web sites. Guarantees like privacy policies, seals or standards like Platform for Privacy Preferences are developed to complement legislative instruments. However, the underlying logic of these guarantees raises questions regarding their effectivity and the control public and private authorities may assert over them.

Internet

Données personnelles

Commerce en ligne

Confiance

Protection

Effectivité

Personal data

Electronic commerce

Trust

Effectivity

Vybrané problémy při výběru zaměstnanců / Selected issues of the hiring of employees

Janštová, Vendula

January 2011

This thesis analyzes selected issues of the hiring of employees. It is the connection between the uncodified branch of human resources and the labour law generally. This topic is close to everyone because every person sometimes finds himself during the life in the position of job applicant and chooses acceptable employment and also person is hiring by employers. It is neccessary to know rights and responsibilities which everyone has to follow in the process of hiring of employees. The procedure of hiring of employees can be uderstood from many aspects. If we want discusse it closely we must focus on one of them. These selected issues of the hiring of employees are methods of hiring and protection of personal data which is connected by employer with application of methods. The thesis is composed of four main chapters. The first one focuses on legal regulation of this procedure. It includes national, internetional and european regulation. It defines issues which this thesis explains. The second chapter defines and describes the process of hiring of employees generally, what preceded, what it includes and which rules must be kept during the procedure. The following chapter discusses the methods of hiring and its function. It describes the most widely used and the most suitable one - curicculum vitae,...

Ochrana osobních údajů na internetu podle práva Evropské unie / The protection of personal data on the Internet under European Union law

Krejčířová, Edita

January 2013

The purpose of my thesis is to analyse a development of technologies in comparison with the protection of personal data on the internet under law of the EU. However, it would not be possible to describe every single technology and its reflection in law of the EU. Therefore, the thesis is mainly focused on two most significant internet technologies - cookies and cloud computing. The key for selection of the most important representative technologies was especially a frequency of their use. The thesis is composed of two main chapters, each of them dealing with different aspects of the development of technologies in comparison with protection of personal data on the internet under law of the EU. Chapter One is introductory and defines basic terminology used in the thesis under applicable law of the EU. The chapter is subdivided into two parts. Part One describes personal data and its role in applicable law of the EU. Part Two deals with the specific technologies - cookies and cloud computing. This part particularly points out risks of these technologies and provides possible solutions. Chapter Two analyzes the upcoming reform of data protection in EU. The chapter is mainly focused on proposal for General Data Protection Regulation, which could dramatically change the protection of personal data on the...

Osobnostní práva zaměstnance (se zaměřením na ochranu osobnosti a osobních údajů zaměstnance) / Personal rights of employees (focusing on the protection of personal data and personal employee data )

Hrabinová, Michaela

January 2014

This thesis deals with the issue of personal law of employees. Above all, it focuses on protection of personal data, monitoring employees at workspace via camera systems and checking upon their e-mail communication or examining logs of websites. The work is divided into seven chapters, few of which are further separated to subchapters. The first half of the work is dedicated to theory; the following chapters describe the specific cases of interference into employees' privacy. The first chapter pictures history of law adjustment in the sphere of protection of privacy, respectively protection of personal data, which reaches not too far since its first development started after the Second World War. The second chapter contains definitions of the basic terms which are related to protection of personal data, for example the term personal data itself, subject of data or trustee and exekutor. In the third chapter there are the roots of laws to be found. This chapter is further divided to subchapters distinguishing particular types of law sources from the international, European and national sphere. The next, fourth chapter, describes the relation between personal data protection and labour law. It handles personal data processing in each phase of labour-law relations in separated subchapters, including the...

Ochrana osobních údajů v pracovněprávních vztazích / Personal Data Protection in Labour Law Relationships

Langerová, Michaela

January 2016

This thesis deals with personal data protection, it focuses on labour law relationships, in particular. The aim of the thesis is to analyze regulation of personal data protection; also, the paper elaborates on difficulties that could be caused by the processing of personal data of employee on the part of employer. The first section of the thesis discusses general basis which represents a solution to concrete cases that are mentioned in the second part. The first two chapters examine sources of the regulation of personal data protection on both levels - on a statutory and constitutional level and also on an international and the European Union level. The third chapter deals with the Office for Personal Data Protection and with its scope of activity, in particular. The following three chapters specify particular definitions and introduce legal regulation of the rights of a data subject on the one hand, and the obligations of a controller or a processor on the other hand. In the general part, a few examples of the processing of personal data by an employer can be found. Those examples are mentioned there to clarify unclear concepts and their definitions. The aim of the last chapter is to capture a range of possible examples of the processing of personal data, which can take place and actually does...

Ochrana osobních údajů v pracovněprávních vztazích / Personal data protection in labour-law relationschips

Valachová, Tereza

January 2016

The submitted thesis deals with personal data protection in the context of labour-law relationships. This is an actual and discussed issue in current society, which has constitutional aspects as well. Due to the extensiveness of the topic, the aim of this thesis is not giving a comprehensive explanation of the personal data protection in labour-law relationships area. My effort is to perform the reader with this issue from the general introduction including a survey of the legislation and explanation of main concepts to outlining the fundamental principles of the legislation and focusing more thoroughly on the several selected questions. The thesis itself is divided into four chapters. In my thesis I am trying to point out to the most important court decisions and also the opinions of The Office for Personal Data Protection and The Article 29 Working Party. In the first chapter I deal with the concept of privacy, because I consider it to be a "foundation stone" of the whole issue of personal data protection. This chapter demonstrates how the concept of privacy has developed in the course of time, in the next chapter the legislation of privacy protection and, as well, a conflict with other values are pointed out. In the second chapter I focus on the legislation of privacy and personal data...

Ochrana informací a osobních údajů v pracovněprávních vztazích / Information and Data Protection in Labour Law Relationships

Turoková-Hetešová, Alexandra

January 2016

Information and Data Protection in Labour Law Relationships The thesis is concerned with the issue of personal data protection in labour-law relationships, as it mainly deals with cases where the employee's right to privacy collides with employer's right to property protection. The aim of the thesis is primarily to give a complex interpretation concerning personal data protection in the context of labour law. Besides, the author attempts to solve some questions whose practical application may cause problems and draws attention to frequent bad habits that happen at workplaces. The thesis consists of four chapters which are further divided into subchapters. In the outset of the thesis the author deals with basic legal framework of privacy protection of an individual, and personal data protection as part of privacy, both in Czech legislation and in the context of international law and European Union law. Next chapters explain selected key terminology that occurs in the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the Act No. 101/2000 Coll., on Personal Data Protection and the Act No. 262/2006 Coll., Labour Code, and define basic principles that are...