The Governance of Personal Data Sovereignty in the Banking Sector

Otieno, Christine

January 2022

Concerns related to the control of personal “digital data” have resulted in initiatives being taken globally to safeguard the individuals’ control over their own data. The EU’s General Data Protection Regulation (GDPR) being a significant example in this connection. Specifically, two protective rights regarding respectively the right for data to be forgotten and their portability have been brought in to enhance individuals’ control over their data. As a consequence, data governance which signifies the “power relations between all the actors affected by, or having an effect on, the way data is accessed, controlled, shared and used, the various socio-technical arrangements set in place to generate value from data, and how such value is redistributed between actors” (Micheli et al., 2020, p. 3) has become a crucial endeavour for governments and businesses around the world. A scrutiny of different models of data governance highlighted the notion of personal data sovereignty (PDS) which indicates enhanced empowerment of data subjects through self-determination. PDS, additionally, entails an appropriate combination of empowerment, economic development, enhanced knowledge and profit to participating private organisations. Further, data subjects, in PDS, have the power to access, regulate, share and investigate their information at all times. In this regard, the present study investigated the manner in which banks in Sweden manage the sustainability of the sovereignty of their data. Based on the problem statement, the research question of the study was formulated as follows: “How do banks govern personal data sovereignty?” The research strategy used for the present study was an exploratory survey design with a quantitative approach to obtain data from executives in Swedish banks. The present study used a survey strategy. Survey strategies employing questionnaires are widespread since they permit standardised data to be obtained from a large population in a very economical manner. Further, the data collected can be easily compared. Moreover, the survey strategy is viewed as reliable, in general, by people and it is also relatively straightforward both for the researcher to explain and for the participants to understand. A custom questionnaire was designed for the study based on insights obtained from existing academic and business research. Sections in the questionnaire were designed to obtain data related to areas such as, data governance in Sweden, personal data, usage of personal data, and PDS. The study’s findings reveal that banks in Sweden take different measures to help their customers maintain their PDS. As a result, bank employees seem to robustly understand personal data, how their banks utilize the personal data of customers, and the extent to which customers are aware of banks’ use of their personal data. It could also be concluded that banks were using measures which were in line with existing Swedish and EU data protection standards and laws. The study’s findings contribute to further research concerning data sovereignty and use of personal data in the banking sector. Further, it can aid banks to manage their global customers’ data. The study was constrained chiefly by the limited empirical literature associated with the study’s topic and the restricted time available for the study

data governance

personal data sovereignty

Swedish banks

Computer Sciences

Datavetenskap (datalogi)

A GDPR compliant address infrastructure mobile application for Ugandan and Rwandan users / En GDPR-kompatibel adressinfrastruktur-applikation för mobiltelefoner ämnad för Ugandiska och Rwandiska användare

Modin Larsson, Lina

January 2018

More than half of the world's population are negatively affected by inadequate addresses. In Uganda and Rwanda, efforts have been done to implement a national address system but the effectiveness of those efforts have been prevented, due to lack of understanding and fears regarding its impact. With the help of Information and Communication Technology (ICT), because of its knowledge-generating foundation and substantial growth in East Africa, traditional address initiatives could be streamlined. However, negative consequences with ICT, such as surveillance, could cause the already existing reluctance to accept a system that not only registers a location but also an identity, to increase. Privacy, security and trust are therefore key factors to consider when developing a system that target areas characterized by distrust in organizations and government. This paper argues that the General Data Protection Regulation (GDPR) provides a strong framework when accomplishing this. By evaluating the user rights defined in GDPR from an interaction design perspective, this research aims to propose design guidelines that gives users agency of their personal information. This paper argues that redefining the rights as potential user actions gives the users control to manage their personal information, and further, that interest and understanding are important to enable conscious actions. With a Research through Design approach, user studies were conducted in Uganda and Rwanda, to evaluate how to design actions and information in order to enhance interest and understanding, and resulted in three design guidelines: User actions, Action layers and Information layers. / Mer än hälften av världens befolkning är negativt påverkade av bristfälliga adresser. I Uganda och Rwanda har det gjorts insatser för att implementera ett nationellt adressystem, men effektiviteten av dessa insatser har förhindrats på grund av bristande förståelse och rädsla för dess inverkan. Med hjälp av Informations- och Kommunikationsteknik (IKT), på grund av sin kunskapsgenererande struktur och starka ökning i Östafrika, kan traditionella addressinitiativ effektiviseras. Negativa konsekvenser med IKT, såsom övervakning, skulle dock kunna leda till att den redan befintliga motviljan att acceptera ett system som inte bara registrerar en plats utan också en identitet, ökar. Integritet, säkerhet och förtroende är därför viktiga faktorer att tänka på när man utvecklar ett system som riktar sig till områden som karaktäriseras av misstro mot organisationer och myndigheter. Denna artikel argumenterar för att den nya Dataskyddsförordningen (GDPR) utformar ett starkt ramverk för att uppnå detta. Genom att utvärdera de användarrättigheter som definieras i GDPR från ett interaktionsdesignperspektiv, syftar denna forskning till att föreslå designriktlinjer som ger användaren full kontroll över sin personliga information. Detta arbete argumenterar att omdefiniera rättigheterna till potentiella användarfunktioner ger användarna kontroll att hantera sin personliga information, och vidare, att intresse och förståelse är viktiga faktorer för att möjliggöra medvetna handlingar. Med en Research through Design-metod genomfördes användarstudier i Uganda och Rwanda, för att utvärdera hur man bör utforma funktioner och information för att öka intresse och förståelse för användarrättigheterna. Detta resulterade i tre designriktlinjer: Användarfunktioner, Funktionslager och Informationslager.

Address infrastructure

Uganda

Rwanda

ICT

Interaction Design

Mobile application

GDPR

Personal data

Privacy

Media Engineering

Mediateknik

Din integritet är priset du betalar för att dela dina personuppgifter : En kvalitativ studie om hur konsumenter ser på fördelar och risker kopplat till insamling av personuppgifter i marknadsföringssyfte.

Lindfors, Malin, von Reis, Matilda

January 2023

Individualised online marketing requires taking a stand regarding legal laws and user privacy. Although laws and regulations have arisen to strengthen individuals' rights to privacy and data control, the subject is still perceived as complex. The purpose of the study is to make it easier for companies' marketing departments when communicating with consumers, by creating an insight into the consumer's perception of how sharing their personal data affects marketing on the internet. This study aims to investigate consumers' experiences regarding privacy and personal data for marketing purposes. The aim is to gain an insight into how users assess the value of the positive aspects of internet use, concerning the concerns linked to protecting personal data. Researchers of the study will research which factors impact consumers than they are sharing their personal data.  To answer the research question, 16 interviews were conducted, based on the consumer perspective. Respondents answered questions about their experience of privacy and sharing personal data when using the internet. At the same time, the study shows that consumers do not know how little control they have over their personal data. The study also shows that consumers value their privacy when sharing personal data online by trying to control the sharing of personal data. The empirical material shows that there are consumers who appreciate targeted marketing, while other consumers see it as an invasion of privacy. The study's theoretical contribution includes a model that infers the factors a consumer considers when deciding whether to share their personal data. The study concludes that consumers' experience of invasion of privacy makes them choose to minimise the sharing of personal data. This results in targeted online marketing being negatively affected, as consumers minimise the sharing of personal data. The study also concludes that consumers' relationship with companies deteriorates in cases where consumers experience lower trust, when they experience that their integrity is being violated.

cookies

personal data

privacy concerns

kakor

marknadsföring

personuppgifter

integritet

datainsamling

delning av personuppgifter

Business Administration

Företagsekonomi

GDPR och känsliga personuppgifter : En fallstudie om fackförbunds arbete med Dataskyddsförordningen / GDPR and sensitive personal data : A case study about trade unions' work with the General Data Protection Regulation

Helenius, Anna

January 2018

Den 25e maj 2018 träder den nya dataskyddsförordningen, GDPR, i kraft. I och med detta kommer alla medlemsstater i den europeiska unionen få en gemensam lag som skärper tidigare regler och ställer högre krav på organisationers personuppgiftsbehandling. Syftet med detta arbete har varit att undersöka och kartlägga hur verksamheter som behandlar känsliga personuppgifter anser sig bli påverkade av GDPR, samt hur de arbetar för att uppfylla kraven från denna nya förordning. Känsliga personuppgifter är sådana som exempelvis avslöjar en persons sexuella läggning, politiska åsikt, religiösa övertygelse eller fackliga tillhörighet och för att uppfylla syftet utfördes därför en fallstudie på sex stycken fackförbund av olika storlek. Datainsamlingen gjordes med hjälp av intervjuer med en person från varje förbund som har god insikt och överblick över organisationens GDPR-arbete. Resultaten från studien visar att fackförbunden anser att den nya dataskyddsförordningen är komplex och svårtolkad men att den ändå medför positiva konsekvenser för både organisationen och medlemmarna. Alla personuppgifter som fackförbunden hanterar faller direkt under känsliga personuppgifter eftersom de kan härledas till facklig tillhörighet, och detta gör att förbunden anser sig ställas inför högre krav på informationssäkerhet i jämförelse med många andra verksamheter. Bland annat möter de stora utmaningar i hur de skall kunna kommunicera med sina medlemmar i framtiden eftersom missbruksregeln försvinner och även ostrukturerat material inkluderas i den nya dataskyddsförordningen. Det går inte att säga generellt vilka åtgärder förbunden vidtagit för att förbereda sig inför de nya kraven från GDPR men det är tydligt att både tekniska och administrativa säkerhetsåtgärder behövs. Exempelvis uppgraderar många av förbunden sina IT-system och upphandlar helt nya ärendehanteringssystem, samtidigt som de dessutom inför rutiner för gallring och för hantering av personuppgiftsincidenter. / On 25 May 2018, the new data protection regulation, GDPR, will come into effect. With this, all members of the European Union will have a common law that sharpens previous rules and puts higher demands on organisations' personal data processing. The purpose of this study has been to investigate and map how businesses dealing with sensitive personal data consider themselves being affected by GDPR, and how they work to meet the requirements of this new regulations. Sensitive personal data are what for example reveals a person's sexual orientation, political opinion, religious conviction or union affiliation and therefore, to fulfil the purpose, a case study with six trade unions of different sizes was performed. The data collection was made with help of interviews with one person from each trade union, who has good insight and overview over the organisation's work with the GDPR. The results from the study show that the trade unions find the new data protection regulation to be complex and hard to interpret but that it nevertheless causes positive consequences for both the organisation and the members. All personal data that the trade unions handle fall directly under sensitive personal data since they may be derived to union affiliation and this leads to where the trade unions considering themselves facing higher demands on information security in comparison to many other businesses. Among other things, they face major challenges in how they are going to communicate with their members in the future, as even unstructured material is included in the new data protection regulation.  It's not possible to say in general what actions the unions have taken to prepare for the new requirements of the GDPR, but it's clear that both technical and administrative safety actions are needed. For example, many of the unions are upgrading their IT systems or purchasing brand new case management systems while also introducing new routines for clearing of data and for management of personal data incidents.

GDPR

data protection

general data protection regulation

personal data processing

sensitive personal data

trade union

information security

GDPR

dataskydd

dataskyddsförordningen

personuppgiftsbehandling

känsliga personuppgifter

fackförbund

informationssäkerhet

Computer and Information Sciences

Data- och informationsvetenskap

Análise de interdependência dos habilitadores tecnológicos, empresariais e humanos no desenvolvimento de base de dados pessoal

De Sordi, José Osvaldo

23 October 2001

Made available in DSpace on 2010-04-20T20:08:24Z (GMT). No. of bitstreams: 0 Previous issue date: 2001-10-23T00:00:00Z / Trata do uso dos dados pessoais integrado aos serviços digitais (e-services), criando um ambiente único para gerenciamento e uso destes, denominado de solução de base de dados pessoal. Além de descrever e caracterizar o ambiente e os componentes desta nova solução, são discutidas ações e desenvolvimentos requeridos para os seus principais habilitadores: humanos, tecnológicos e empresariais. / The main subject of this study is the development of an environment integrating personal data and digital services (e-services), in which we are denominating of Personal Data Base Solution. The solution harmonizes and aligns the personal, business and social interests, through the several specific benefits for each one of these entities, obtained by the common and integrated solution. Besides describing and characterizing solution's environment and components, it is discussed and analyzed actions and developments required for each one of the solution's main enablers: technological, human and business.

Dados pessoais

Base de dados pessoal

Serviço digital

E-services

Customer relationship management

Personal data

Personal data base

Digital service

Administração de empresas

Serviço ao cliente

Clientes - Contatos

Banco de dados

Recuperação da informação

Internet

The right to the protection of personal data. Some relevant topics about its regulation in Peru / El derecho a la protección de los datos personales. Algunos temas relevantes de su regulación en el Perú

Eguiguren Praeli, Francisco José

25 September 2017

What guarantees do we have as titleholders of theright to personal data protection? Does the Political Constitution of 1993 truly protect this right in aproperly way? Which role does the relatively recentPeruvian Law on the Personal Data Protection playto that effect?In this article, the renowned constitutionalist gives answers to these questions with a brief and detailed analysis of the Peruvian Law on the Personal Data Protection and its rules of procedure, focusing in its pros and cons, but also of the Peruvian National Personal  Data  Protection  Authority’s  role  and functions to that effect. / ¿Qué garantías tenemos como titulares del derecho a la protección de datos personales? ¿Realmente la Constitución Política de 1993 tutela adecuadamente este derecho? ¿Qué rol juega al respecto la relativamente reciente Ley de Protecciónde Datos Personales?En el presente artículo, el reconocido constitucio- nalista da respuesta a estas cuestiones con un breve pero detallado análisis de la Ley de Protección de Datos Personales y su reglamento, incidiendo en sus ventajas y desventajas, así como del rol y funciones de la Autoridad Nacional de Protección de Datos Personales al respecto.

Law

Habeas Data

Hábeas Data

Autodeterminación Informativa

Ley De Protección De Datos Personales

La libre circulation et la protection des données à caractère personnel sur Internet / Free flow of data and personal data protection on the Internet

Malekian, Hajar

15 November 2017

La protection des données à caractère personnel (DCP) constitue un droit fondamental autonome au sein de l’Union européenne (article 8 de la Charte des droits fondamentaux de l’Union européenne). En outre, la libre circulation de ces données et des services de la société de l’information, notamment des plateformes en ligne, est primordiale pour le développement de l’économie numérique dans le cadre du marché unique numérique européen. C’est dans ce contexte qu’un point d’équilibre entre la libre circulation et la protection des DCP fait l’objet du cadre juridique européen et français en matière de protection des DCP. Ainsi, dans cette étude, nous nous sommes intéressés en particulier aux enjeux liés à la mise en balance de ces deux intérêts. Ces enjeux suscitent une attention particulière notamment à l’ère des plateformes en ligne, du Big Data et de l’exploitation en masse des données à travers des algorithmes sophistiqués dotés de plus en plus d’autonomie et d’intelligence / Free flow of data and personal data protection on the Internet Protection of personal data is an autonomous fundamental right within the European Union (Article 8 of the Charter of Fundamental Rights of European Union). Moreover, free flow of personal data and free movement of information society services in particular online platforms is essential for the development of digital single market in European Union. The balance between free movement of data and personal data protection is subject of the European legal framework. However, the main challenge still remains to strike the right balance between effective personal data protection and free flow of this data and information society services. This balance is not an easy task especially in the age of online platforms, Big Data and processing algorithms like Machine Learning and Deep Learning.

Données à caractère personnel

Plateformes en ligne

Big data

Internet

Personal data protection

European Data Protection Regulation

Free flow of personal data

Big Data

Algorithms artificial intelligence

Digital single market

Předávání osobních údajů do zahraničí / Transfer of personal data abroad

Jeřábková, Helena

January 2008

The purpose of the work is to evaluate the stage of development of the rules for tranfer of personal data for the European union to the third countries. First it gives necessary information regarding the protection of personal data in general including the key terms, basic principles and also the legal framework. The second part explains the legal mechanism of tranfer of personal data from EU abroad with the use of the term "adequate protection." Possible methods of such tranfer which are in compliance with the requirement of provision of the adequate protection to the protection ensured in the European Union are given. The third part concentrates on the development of the negotiations between the United States and the European Union about the transfer of personal data of air passengers and resulting legal arrangement. The work also describes current trends and provides possible future development of this sphere.

Usability Issues in the User Interfaces of Privacy-Enhancing Technologies

LaTouche, Lerone W.

01 January 2013

Privacy on the Internet has become one of the leading concerns for Internet users. These users are not wrong in their concerns if personally identifiable information is not protected and under their control. To minimize the collection of Internet users' personal information and help solve the problem of online privacy, a number of privacy-enhancing technologies have been developed. These so-called privacy-enhancing technologies still have usability issues in the user interfaces because Internet users do not have the choices required to monitor and control their personal data when released in online repositories. Current research shows a need exists to improve the overall usability of privacy-enhancing technology user interfaces. A properly designed privacy-enhancing technology user interface will give the Internet users confidence they can monitor and control all aspects of their personal data. Specific methods and criteria for assessing the usability of privacy-enhancing technology user interfaces either have not been developed or have not been widely published leading to the complexity of the user interfaces, which negatively affects the privacy and security of Internet users' personal data. This study focused on the development of a conceptual framework, which will provide a sound foundation for use in assessing the user interfaces of Web-based privacy-enhancing technologies for user-controlled e-privacy features. The study investigated the extent to which user testing and heuristic evaluation help identify the lack of user-controlled e-privacy features and usability problems in selected privacy-enhancing technology user interfaces. The outcome of this research was the development of a domain-specific heuristics checklist with criteria for the future evaluation of privacy-enhancing technologies' applications user interfaces. The results of the study show the domain-specific heuristics checklist generated more usability problems and a higher number of severe problems than the general heuristics. This suggests domain-specific heuristics can be used as a discount usability technique, which enforces the concept of usability that the heuristics are easy to use and learn. The domain-specific heuristics checklist should be of interest to privacy and security practitioners involved in the development of privacy-enhancing technologies' user interfaces. This research should supplement the literature on human-computer interaction, personal data protection, and privacy management.

Domain-Specific Heuristics

Human-Computer Interaction

Personal Data Protection

Privacy-Enhancing Technologies

Privacy Management

Usability

Computer Sciences

基於存取目的之個資控管框架-以銀行業為例 / Purpose-Based PII Control Framework - A Banking Perspective.

鄭明璋, Cheng, Ming Chang

Unknown Date

新版「個人資料保護法」在民國99年5月公布，並正式實施於民國101年10月；隨著新法的實施，不管是公部門或民間組織，都投入大量資源以期改善並確保自己的組織對於個人資料之蒐集、處理與利用，能夠符合「個人資料保護法」的要求。 由於業務特性，個人資料的蒐集、處理與利用，乃是銀行業者日常必須面對的課題。雖然舊版個資相關法令「電腦處理個人資料保護法」與「銀行法」對於個人資料的處理都已有相關規定，但由於稽核與舉證困難、罰則過輕等原因，業者並未真正重視個資保護課題，善盡個資保護的責任，所以銀行發生個資外洩的案例時有所聞。新版「個人資料保護法」正式實施後，舉證責任歸屬由當事人變成企業，在疑似個資外洩事件發生時，企業須舉證其組織之系統或機制已對個人資料之控管機制已滿足「個人資料保護法」的要求，盡到完善管理之責任。因此業者不得不投入大量資源來周全組織內對於個人資料的保護與稽核機制，把新版法規的各項規定要求納入系統功能範疇。 伴隨「個人資料保護法」的實施，法務部頒布了「個人資料保護法之特定目的及個人資料之類別」細則來明確規範個人資料的類別範疇、以及存取個人資料之目的。本研究即針對此項要求，歸納分析銀行業的業務現況，並納入未來業務發展之可能需求，設計一具備彈性之個資存取框架以管理個資分類與存取目的，進而滿足「個人資料保護法」的要求。 / As the latest version of the "Personal Data Protection Act (PDPA)" published on May, 2010, and formally implemented since October, 2012, all public and private sector organizations need to put in significant resources to meet the strengthened legal requirements of personal data collection, processing and utilization. Yet banks are among the first to be affected by them, as personal data collection, usage and handling are essential to their daily operations. Therefore, this thesis investigates the compliance of PDPA from a banking perspective. A distinguished feature of the new "Personal Data Protection Act" is the inclusion of "purposes" in regulating access to personal data, namelyan organization must get the informed consent from its customer regarding how her personal data will be used, namely privacy preferences. Currently, employing a proper access control mechanism to protect customer's data is a well-accepted discipline in bank information system (BIS) development. However, the design of such mechanisms hardly includes the requirement of supporting customers’ preferences regarding the use of their personal data. It is therefore highly desirable to extend a BIS's access control to handle customers' privacy preferences. This thesis investigates the common practices of bank operations and presents a purpose-based access control framework for future BIS development. Specifically, we derive a classification of bank customers' personal data and purpose categories for bank operations so that the proposedaccees control framework can ensure all accesses to customers' personal data match their granted access purposes. As a result, the framework will lay a foundation to the compliance of PDPA for a bank.

個人資料保護法

隱私

目的

Personal Data Protection Act

Privacy

Purpose