Logování průchozích dat v routerech / Logging of Transmitted Data in Routers

Kislinger, Pavel

January 2007

Transmitted data logging in routers is the main point of this semestral project. The suggestion of a system for data flows logging in routers and selection of suitable technology, that is used by implementation of the system within this thesis, is based on this analysis. In the thesis, a law responsibility of router administrator for transmitting data is analysed. In the next part, a general introduction to issue of data logging in computer networks including basic description of protocols and fundamentals of standard communication models is presented. Analysis of real enviroment is following. Suggestion and implementation of the system is described too. In the last part a reached results of this thesis are revealed.

The challenge of industry challenges : the uneasy encounter between privacy protection and commercial expression

Miller, Danielle

09 1900

En s’inspirant de l’exemple des défis corporatifs, c’est-à-dire, des initiatives déployées par les sociétés pour rendre le marché de l’emploi plus accessible aux membres de groupes perçus comme marginalisés, ce mémoire cherche à analyser le conflit qui pourrait surgir au Québec entre le droit à la vie privé, protégé notamment par la Loi sur la protection des renseignements personnels dans le secteur privé et la Loi sur la protection des renseignements personnels et des documents électroniques et le besoin croissant de l’entreprise d’utiliser les données privées de leurs employés pour vendre leurs biens et services. Dans un premier temps, ce mémoire effectue un survol des régimes de protection de la vie privée des pays qui ont le plus influencé le droit québécois et canadien soit l’Europe, les États-Unis et le Royaume Uni en soulignant leur influence sur le régime en vigueur au Québec. Dans un second temps, il soulève les entraves que posent la LPRPS et la LPRPDE à la participation de l’entreprise aux défis corporatifs. Dans un troisième temps, il explore des pistes possibles à la fois interprétatives, législatives et contentieuses afin de rendre ces lois plus accommodantes aux besoins de l’entreprise. / This essay uses the example of Industry Challenges - a technique deployed by companies to promote the hiring and advancement of certain members of society - to explore a conflict that could arise in Quebec between the individual’s right to privacy as protected by An Act Respecting the Protection of Personal Information In the Private Sector and the Personal Information Protection and Electronic Documents Act , and that of an organisation to use personal information relating to its workforce to market itself. It briefly reviews privacy protection in jurisdictions with the greatest legal influence on Quebec and Canada: the European Union, the United States and the United Kingdom (Chapter 2). It demonstrates how a blend of these influences is reflected in the Quebec and Canadian approaches to privacy and how existing privacy legislation might prevent a company from effectively and efficiently responding to Industry Challenges (Chapter 3). Finally, the last two chapters respectively explore the interpretive and legislative amendments that could be made to PPIPS and PIPEDA to enable companies to respond to Industry Challenges (Chapter 4) as well as the possible legal action a company could take on the ground that Quebec’s privacy legislation violates its right to express itself commercially under s. 2(b) of the Canadian Charter of Rights and Freedoms (Chapter 5).

Militantisme du consommateur;

Défis corporatifs

Expression commerciale

Quebec

Vie privée

Canadian Charter of Rights and Freedoms

Commercial Expression

Consumer Activism

Industry Challenge(s)

Privacy

Quebec

論偵查機關調閱銀行私人帳戶資料之合法性─與美國作比較 / The Legality on Our Law Enforcement's Access to Private Banking Account–In Comparison with the United States

張君寧, Chang, Chun Ning

Unknown Date

長久以來，我國在偵辦民刑事案件時，調閱相關人等之銀行帳戶資料通常是必要作法之一，表面上看來行之有年、理所當然，但深究後卻發現未臻完善、有待改進，其中尤以正當合法性及與個人隱私權之衝突最具爭議。調閱銀行帳戶資料固然是快速有效偵查案情的方式之一，但若無合理的法律依據、明確的施行方針、完善的配套措施及必要的懲處規定，將易流於擴權濫用，不僅違背法理，亦侵害當事人之隱私權，影響甚鉅，而當今我國文獻中卻較缺乏關於此方面之探討，殊為可惜。因此，目前我國偵查機關調閱銀行帳戶資料之法律依據為何？與其他法律是否有矛盾衝突之處？實務上如何施行？有哪些配套措施？未來有何改進之道？若公務機關違法濫權有何懲罰機制？如何適當修改現有法令規範以使其更臻完善？凡此皆與社會大眾息息相關，並使筆者產生高度興趣及強烈研究動機，期盼透過深入研究，得以充分瞭解相關理論與實務，並對問題提出解決或改善之建議。 無論自人性尊嚴、隱私權或資訊自決權之觀點來看，個人資料保護皆為基本且重要之議題，不容忽視，而銀行帳戶實為個人資料當中非常重要之一環。美國為隱私權概念發源地，理論與實務發展久遠，深具探討價值，故本文擇其作為比較分析對象。為求深入探討調閱銀行帳戶資料在台灣及美國司法實務面運作之情形，本文整理解析兩國近年來相關法規及民事刑事裁判，2010年4月我國立法通過之「電腦處理個人資料保護法修正案」(後更名為「個人資料保護法」，2012年10月付諸實行，以下亦簡稱「新個資法」)亦在本文討論範圍內。本文將介紹各相關法規內容，分析新舊法規之差異，探究實務面作法及未來可能走向，以提供各位讀者先進參考。 國家為履行公共任務或打擊金融犯罪，通常需要調閱相關人等之銀行帳戶資料，此為偵查機關職責所在，但若稍有不慎即可能使個人資訊隱私權遭受重大侵害，而目前理論與實務面皆尚有未盡完善之處。筆者盼以本身面臨之法令疑義，對我國新個資法及台美兩國相關法規之檢視，對本文蒐集資料之研讀心得，及在金融業服務十年之工作經驗作為本文研究之核心。 本篇論文之主要目的，盼藉由各面向之探討及對法律制度之論述，檢視當今我國與美國調閱銀行私人帳戶資料之正當性與合法性；本文不僅描述兩國偵查機關調閱銀行帳戶資料之現況，亦針對問題分析研究，提出建議策略，盼能為我國目前存在之問題困境貢獻一己之力，以供法律界、金融界及相關公務部門參考。 透過本文研究，可觀察目前我國與美國調閱銀行私人帳戶資料相關法規與實務之發展方向，探討主管機關在提升偵查效率及保障個人財務資訊隱私權之間如何取得平衡，希冀政府機關不僅能快速有效完成偵查任務，亦能在合情合理合法範圍內作好個人資料保護，兩全其美。 / In Taiwan, law enforcement’s access to private banking account is a common way of investigating civil or criminal crimes. Although it seems very normal, it still has some problems need to be solved, especially its legality and controversy over privacy. It’s efficient to investigate a crime by retrieving data from private banking account, but it’s easy to invade personal privacy if there’s no reasonable law, clear direction, supplementary measures or necessary punishments. As a result, it’s very worthwhile and important to discuss this thesis’ title. However, there are not many relevant essays or writings in our country nowadays. About this issue, there are many relevant topics which are worthy to be discussed. For example, what is the legal basis of this kind of investigation? Is there any inconsistency between its legal basis and other laws? What are the implementations or supporting measures in practice and improvements in the future? Is there any supervision mechanism if the Government abuses its power? How to amend existing legal regulations appropriately to make them more perfect? Topics above are closely related to all society so the author has a high degree of interest and motivation. Hope this thesis will make readers fully understand relevant theory and practice then they may know how to solve problems and make improvements by this article’s suggestion. Whether from the point of view of privacy, human dignity or self-determination of revealing personal information, protection of personal data is always a basic and important issue which shouldn’t be ignored. The private banking account is actually one kind of the most important personal data. The United States (hereinafter also “America”) is the birthplace of the concept of privacy which has developed there for a long time. It is worth researching so the author selects America for comparative analysis task. In order to discuss the judicial practice about private banking account being investigated by the authorities in Taiwan and America, the author sorts out and analyzes relevant regulations and criminal judges of these two countries in recent years. “Computer Processed Personal Information Protection Act Amendments” (later renamed “Personal Information Protection Act”, implemented in October 2012, hereinafter also “New Personal Information Act”) passed by the Legislative Yuan of Taiwan in April 2010 is also within the scope of this article. This article will describe the contents of relevant laws, analyze the differences between old and new regulations and discuss practical approaches and possible directions in the future so this thesis will provide reference for all readers. The Government often needs to retrieve banking account information to fulfill public tasks or fight against financial crimes. Although this is the duty of the authorities, it will result in serious violation of personal information privacy if the authorities make any mistake. In fact, both of relevant theory and practice in our country have some drawbacks and deficiencies at this time. The author looks forward to discussing the doubts of law, examining “New Personal Information Act” and relevant regulations of Taiwan and America and sharing study experience on this issue and a decade of work experience in the financial industry in order to constitute the core of this research. The main purpose of this thesis is to examine the necessity and legality of retrieving banking account information in Taiwan and America by discussing all relevant aspects and legal systems. This article not only describes the authorities’ access to banking account information in the current situation but also analyzes problems, makes suggestions and offers strategies. The author hopes to do his best to make some contribution to the law, financial industry and related public authorities. Through this thesis, readers could observe Taiwan and America’s investigation of private banking account currently and developing directions of relevant regulations and actual situations in the future. Readers could also learn and discuss how the authorities weigh improvement of investigation efficiency and protection of personal financial information privacy. Hope our Government will not only complete investigation quickly and efficiently but also protect personal information privacy legally and reasonably.

調閱

美國

偵查機關

銀行帳戶

財務資訊

隱私權

個人資料保護

個人資料保護法

正當性

合法性

Retrieval

the United States

Investigation

Banking Account

Financial Information

Privacy

Protection of Personal Information

Personal Information Protection Act

Legitimacy

Legality

A framework to manage sensitive information during its migration between software platforms

Ajigini, Olusegun Ademolu

06 1900

Software migrations are mostly performed by organisations using migration teams. Such migration teams need to be aware of how sensitive information ought to be handled and protected during the implementation of the migration projects. There is a need to ensure that sensitive information is identified, classified and protected during the migration process. This thesis suggests how sensitive information in organisations can be handled and protected during migrations by using the migration from proprietary software to open source software to develop a management framework that can be used to manage such a migration process.A rudimentary management framework on information sensitivity during software migrations and a model on the security challenges during open source migrations are utilised to propose a preliminary management framework using a sequential explanatory mixed methods case study. The preliminary management framework resulting from the quantitative data analysis is enhanced and validated to conceptualise the final management framework on information sensitivity during software migrations at the end of the qualitative data analysis. The final management framework is validated and found to be significant, valid and reliable by using statistical techniques like Exploratory Factor Analysis, reliability analysis and multivariate analysis as well as a qualitative coding process. / Information Science / D. Litt. et Phil. (Information Systems)

Closed Source Software

Information classification

Information protection

Information security

Information sensitivity

Information sensitivity

IP Protection

IS Migration

IS theory development

IT control frameworks

005.8

Information technology -- Management

Computer programs -- Software

Information science -- Software

Computer programs -- Security measures

Data protection

健康資料之個人資料類別屬性研究──以IoT設備之蒐集、處理或利用為中心 / A Study on Personal Health Data Attributes: Focus on the Data Collection, Process or Use of IoT Device

張幼文, Chang, Yu Wen

Unknown Date

我國於2015年底通過新修正之個人資料保護法（以下簡稱「個資法」），將病歷納入特種個人資料中保護。目前個資法第六條特種個人資料列舉包含病歷、醫療、基因、性生活、健康檢查及犯罪前科之個人資料。雖然該條文係取法自國際賦予敏感性個人資料特別保護的模式，惟在個人相關健康資料保護部分，我國個資法不若歐盟一般資料保護規則（EU General Data Protection Regulation, GDPR）保護寬廣，納入資料之類型仍較國際立法例狹窄。尤其此次GDPR修法擴大特種個人資料空間，增列基因資料、生物性資料和性傾向，檢視我國特種個人資料列舉類型是否符合現今科技社會需求有其必要性。 過去研究針對健康資料個資法適用問題較少。大數據資料來源來自各處，以一般健康保健物聯網模式為例，自行操作之檢查數據或穿戴式裝置所蒐集之資料，若非須由醫師或其他之醫事人員施以檢查，而可由一般民眾自行測量之行為，該民眾自行測量之結果應不屬於個資法所謂之病歷、醫療或健康檢查個人資料，即非為特種個人資料。 惟大數據分析技術進步之環境下，健康資料亦攸關資料主體生理健康之敏感性，且容易連結並識別個人，考量健康資料敏感性提升，蒐集、處理、利用健康資料易侵犯到個人隱私，因此有加強保護之需求。將來可刪除個資法第六條第一項各種個人資料例示之「醫療」、「病歷」與「健康」資料，並新增「健康」或「與健康相關」之列舉項目。 但解釋「與健康相關」資料之內涵時不能無限上綱，在適用時應考量情境說，依據不同使用情境判斷是否為係作為特種個人資料利用，以排除一般性描述健康的使用情境。 / The change to the regulation of special categories of data (sensitive data) in the Taiwan Personal Information Protection Act (PIPA) in 2015 comes with the inclusion of medical records. The definition of sensitive data in the PIPA Article 6(1) refers to personal information of medical records, medical treatment, genetic information, sexual life, health examination and criminal records. However, the list of sensitive data in PIPA do not contain categories as broad as foreign legislation such as EU General Data Protection Regulation (GDPR). It is important to review the continuing relevance of existing categories of sensitive data in the light of change in social structures and advances in technology. Differ from “medical data” such as medical records, medical treatment and health examination, the collection, process and use of “health data” which is measured from wearable device, is not included in the sensitive data. Concerning the development of big data analysis, the “health data” which sensitivity enhanced is easy to identify an individual. It needs to give a higher level of protection to “health data” under PIPA. Therefore, this thesis suggests that medical records, medical treatment and health examination in PIPA Article 6(1) should be consolidated and amended to health records or data concerning health. However, this is not to say that the processing of all kinds of medical and health data should be regarded as the processing of sensitive data. But data, under certain contexts/circumstances may be treated as the processing of sensitive data.

個人資料保護法

特種個人資料

敏感性資料

健康資料

大數據

物聯網

Personal information protection act

Special categories of data

Sensitive data

Health data

Big data

Internet of Things

Comparative data protection and security : a critical evealuation of legal standards

London, R. W.

09 1900

This study1 addresses the key information technology issues of the age and its unintended consequences. The issues include social control by businesses, governments, and information age Star Chambers. The study focuses on a comparative analysis of data protection, data security, and information privacy (DPSIP) laws, regulations, and practices in five countries. The countries include Australia, Canada, South Africa, the United Kingdom, and the United States. The study addresses relevant international legal standards and justifications. This multidisciplinary analysis includes a systems thinking approach from a legal, business, governmental, policy, political theory, psychosocial, and psychological perspective. The study implements a comparative law and sociolegal research strategy. Historic, linguistic, and statistical strategies are applied. The study concludes with a next step proposal, based on the research, for the international community, the five countries in the study, and specifically, South Africa as it has yet to enact a sound DPSIP approach. / LL.D. (Laws)

Australia data protection

Canada data protection

Data protection

Data security

Information privacy

Information privacy laws

Information technology

International data

Protection legal standards

Social control

Sciolegal information privacy,

South Africa data protection

United Kingdom

United States information protection

342.858068

Data protection

Data protection -- Law and legislation

Computer security -- Government policy.

Comparative data protection and security : a critical evaluation of legal standards

London, Ray William

09 1900

This study1 addresses the key information technology issues of the age and its unintended consequences. The issues include social control by businesses, governments, and information age Star Chambers. The study focuses on a comparative analysis of data protection, data security, and information privacy (DPSIP) laws, regulations, and practices in five countries. The countries include Australia, Canada, South Africa, the United Kingdom, and the United States. The study addresses relevant international legal standards and justifications. This multidisciplinary analysis includes a systems thinking approach from a legal, business, governmental, policy, political theory, psychosocial, and psychological perspective. The study implements a comparative law and sociolegal research strategy. Historic, linguistic, and statistical strategies are applied. The study concludes with a next step proposal, based on the research, for the international community, the five countries in the study, and specifically, South Africa as it has yet to enact a sound DPSIP approach. / LL. D.

Australia data protection

Canada data protection

Data protection

Data security

Information privacy

Information privacy laws

Information technology

International data

Protection legal standards

Social control

Sciolegal information privacy,

South Africa data protection

United Kingdom

United States information protection

342.858068

Data protection -- Law and legislation

Computer security -- Government policy

Försäkringsskydd för skadeståndsansvar vid dataskyddsöverträdelser : En undersökning av försäkringsvillkorens omfattning och eventuella begränsningar i förhållande till art. 82 GDPR och grupptalan / Insurance coverage for liability in case of data protection breaches : An investigation into the extent and potential limitations of insurance terms in relation to art. 82 GDPR and class action lawsuits

Nahlbom, Robin

January 2024

I uppsatsen utreds försäkringsskyddet för skadeståndsansvar vid dataskyddsöverträdelser. GDPR är den centrala regleringen för personuppgiftsbehandling och fastställer ett antal principer som måste upprätthållas för att den ansvarige ska få behandla personuppgifter. Bryter den ansvarige mot förordningens principer har den registrerade rätt att kräva skadestånd enligt art. 82.1 GDPR. Förordningen fastställer tre kumulativa krav som måste vara uppfyllda för att skadeståndsskyldighet ska föreligga. Det innefattar att en överträdelse av GDPR har skett, att materiell eller immateriell skada till följd av denna överträdelse har uppstått och att det föreligger ett orsakssamband mellan skadan och överträdelsen. Förordningen innehåller även en bestämmelse som tar över medlemsstaternas nationella skadeståndsrättsliga bestämmelser, vilket innebär att GDPR ska tillämpas enligt sin ordalydelse och att de kumulativa kraven enligt art. 82.1 GDPR måste följas. Det innebär att nationella skadeståndsrättsliga begrepp inte bör jämställas med begrepp som framgår av art. 82.1 GDPR eftersom begreppen har tillkommit i en helt annan kontext. Exempelvis översätts i vissa fall materiella och immateriella skador till ekonomiska och ideella skador. Begreppen är inte synonyma och bör inte tillställas samma betydelse eftersom terminologin i art. 82.1 GDPR kan misstolkas. Försäkringsvillkoren som reglerar skadeståndsskyldigheten för dataskyddsöverträdelser och som även hänvisar till art. 82.1 GDPR, innehåller i vissa fall nationella skadeståndsrättsliga begrepp och även andra begrepp som inte framgår av förordningen. Det kan leda till att kongruensen mellan villkorens utformning och förordningens ordalydelse medför tolkningsproblematik vid bedömning om skadeståndsskyldighet föreligger. Därför bör försäkringsvillkoren endast innehålla sådan terminologi som framgår av art. 82.1 GDPR. Dataskyddsöverträdelser medför oftast att en stor grupp människor lider skada varför förordningen tillåter registrerade att föra grupptalan med hjälp av en ideell organisation enligt art. 80 GDPR. Teoretiskt sett kan skadeståndsbeloppen bli högre än försäkringsbeloppen varför det i sådana fall saknas ett försäkringsskydd för grupptalan för den personuppgiftsansvarige. Försäkringsvillkoren anger däremot ingenting om att försäkringen inte täcker ett sådant anspråk. Därmed ställs försäkringsbolagen inför utmaningen att hantera sådana anspråk, varför försäkringen bör uppdateras för att möta skadestånd i en grupptalan vid dataskyddsöverträdelser. / The essay investigates insurance coverage for liability for damages in the event of data protection breaches. GDPR is the central regulation for the processing of personal data and establishes a number of principles that must be upheld for the data controller to process personal data. If the data controller breaches the principles of the regulation, the data subject has the right to claim damages under Art. 82.1 GDPR. The regulation sets out three cumulative requirements that must be met for liability for damages to arise. This includes that a breach of the GDPR has occurred, that material or immaterial damage as a result of this breach has arisen, and that there is a causal link between the damage and the breach. The regulation also includes a provision that supersedes the national tort law provisions of Member States, which means that the GDPR shall be applied according to its wording and that the cumulative requirements under Art. 82.1 GDPR must be followed. This means that national tort law concepts should not be equated with concepts as set out in Art. 82.1 GDPR as the concepts have arisen in a completely different context. For example, in some cases, material and immaterial damages are translated into economic and non-economic damages. The concepts are not synonymous and should not be attributed the same meaning as the terminology in Art. 82.1 GDPR can be misinterpreted. The insurance terms and conditions that regulate liability for damages in the event of data protection breaches and also refer to Art. 82.1 GDPR, in some cases contain national tort law concepts and other concepts that are not evident in the regulation. This may lead to a lack of congruence between the wording of the terms and conditions and the wording of the regulation, resulting in interpretation issues when assessing whether liability for damages exists. Therefore, the insurance terms and conditions should only contain terminology as set out in Art. 82.1 GDPR. Data protection breaches usually result in harm to a large group of people, which is why the regulation allows data subjects to bring a collective action with the assistance of a not-for-profit organization under Art. 80 GDPR. Theoretically, damages awarded may exceed insurance coverage, which means there is no insurance coverage for collective actions for the data controller in such cases. However, the insurance terms and conditions do not specify that the insurance does not cover such a claim. Therefore, insurance companies are faced with the challenge of handling such claims, which is why the insurance should be updated to cover damages in a collective action in the event of data protection breaches.

GDPR

General Data Protection Regulation

protection

Insurances

breach

insurance

Class action lawsuit

terms and conditions

Personal data

Personal data protection

Registered

Privacy protection Insurance

coverage

sum insured

Damages

compensation

Tort law

Material damages

Immaterial damages

Violation

Economic loss

Insurance company

European Union

Personal Data Act

Data integrity

Confidentiality

Confidentiality protection

Information protection

Personal data protection

Insurance contract

Liability for damages

Data controller

DPO

Data processor

Compensation for damages

Claim for damages

Insurance coverage

Principles

Data protection principles

Compliance

Insurance compensation

Tort law Regulation

Directive

Law

Swedish Authority for Privacy Protection

Data protection officer

European Data Protection Board

Article 29 workgroup

Article

Article 82

Data controller responsibility

Sanctions

Administrative fines

Data Protection Directive

Artikel 82

GDPR

Dataskydd

Försäkring

Försäkringar

Databrottsförsäkring

Grupptalan

Försäkringsvillkor

Personuppgift

Personuppgifter

Personuppgiftsskydd

Registrerad

Registrerade

Integritetsskydd

Försäkringsbelopp

Skadestånd

Skadeståndslag

Materiell

Immateriell

Kränkning

Förmögenhetsskada

Försäkringsbolag

Dataskyddsförordningen

EU

Personuppgiftslag

Dataintegritet

Sekretess

Sekretessskydd

Informationsskydd

Personuppgiftsskydd

Försäkringsavtal

Skadeståndsskyldighet

Skadeståndsansvar

Personuppgiftsansvarig

Personuppgiftsbiträde

Skadeståndsersättning

Skadeståndskrav

Försäkringsskydd

Principer

Dataskyddsprinciper

Regelefterlevnad

Försäkringsersättning

Skadeståndslagen

Förordning

Direktiv

Lag

Integritetsskyddsmyndigheten

IMY

Dataskyddsombud

Data

EDPB

Artikel

82

Personuppgiftsansvar

Sanktioner

Sanktionsavgifter

Dataskyddsdirektivet

DPO

Artikel 82 GDPR

Artikel 82

Europeiska unionen

Law and Society

Juridik och samhälle