Privacy, confidentiality and information protection

1 Privacy

‘Privacy’ is used in relation to information that is protected under law, whereas ‘confidentiality’ refers to different information contained in valid contracts and agreements.
In basic terms, privacy concerns the personal data you provide and store on the internet. Our digital identity is made up of the traces of our browsing on the Internet and the information that we make available to our friends on social networks. Confidentiality protects private information that is disclosed in a legal document or relationship. Confidential agreements can be made in written or oral form.
Information protection relies on five major elements:

- Confidentiality
- Integrity
- Availability
- Authenticity
- Non-repudiation

1.1 Personal data

• Home address
• Email address
• ID number
• IP address
• Location data
• Data held by a hospital or doctor
• Phone number
• Bank account

1.2 Non-personal data

• The registration code of a company
• Email address
• Anonymized data

1.3 Privacy Policy

A privacy policy is a document that explains how an organization handles and uses customer data.
Every website must have one; it is mandatory. The privacy policy is governed by the GDPR.
Users must accept the privacy policy before using a website, an application or a service that collects data.
Some studies have found that many people accept terms and conditions without reading them.

Here's an example of what can happen if you accept privacy policies without reading them carefully:
Nobody reads privacy policies


2 Fundamental Rights

Know your fundamental rights

Article 8 of the Charter of Fundamental Rights: "Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law."
Article 7 of the Charter of Fundamental Rights of the European Union: "Everyone has the right to respect for his or her private and family life, home and communications."

3 Background DPA

The Data Protection Act 1998 (c. 29) was an act of the UK Parliament designed to protect personal data stored on a computer or in an organized paper recording system.
It adopted the provisions of the 1995 EU Data Protection Directive on data protection, processing and movement.
It was replaced by the Data Protection Act 2018 (DPA 2018) on May 23, 2018.
The 2018 DPA complements the EU General Data Protection Regulation (GDPR), which entered into force on 25 May 2018.
The GDPR regulates the collection, storage and use of personal data in a significantly stricter way.

Consumers need to understand the risks and consequences of sharing their lives with the world. The Cambridge Analytica scandal is a good example of how personal data can be used with bad intent.

4 Facebook-Cambridge Analytica scandal

In the 2010s, personal data belonging to millions of Facebook users was collected without their consent by British consulting firm Cambridge Analytica, predominantly to be used for political advertising.

The data was collected through an app called "This Is Your Digital Life", developed by data scientist Aleksandr Kogan and his company Global Science Research in 2013. The app consisted of a series of questions to build psychological profiles on users, and collected the personal data of the users’ Facebook friends via Facebook's Open Graph platform. The app harvested the data of up to 87 million Facebook profiles. Cambridge Analytica used the data to provide analytical assistance to the 2016 presidential campaigns of Ted Cruz and Donald Trump. Cambridge Analytica was also widely accused of interfering with the Brexit referendum.

Information about the data misuse was disclosed in 2018 by Christopher Wylie, a former Cambridge Analytica employee, in interviews with The Guardian and The New York Times. In response, Facebook apologized for their role in the data harvesting and their CEO Mark Zuckerberg testified in front of Congress. In July 2019, it was announced that Facebook was to be fined $5 billion by the Federal Trade Commission due to its privacy violations. In October 2019, Facebook agreed to pay a £500,000 fine to the UK Information Commissioner's Office for exposing the data of its users to a "serious risk of harm".

Nowadays we have many organizations protecting this data. The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

4.1 Wikileaks Scandal

WikiLeaks is an Icelandic non-governmental organisation (NGO) created by journalists. The website publishes private, restricted and classified information from governments or intelligence agencies all over the world. One of the most famous cases involved Hillary Clinton and her manager, in a case known as the Podesta case. The most prominent member of WikiLeaks is Julian Assange, who was under investigation because of the leaked material he published on WikiLeaks about the Baghdad airstrike.

The following is a list of material published by WikiLeaks: Material Published by WikiLeaks



The General Data Protection Regulation is the now well-known law that came into effect in 2018 with the purpose of creating a European standard for data collection and management over the internet.

Personal data may not be processed unless there is at least one legal basis to do so. Article 6 states the lawful purposes are:

  1. If the data subject has given consent to the processing of his or her personal data;
  2. To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
  3. To comply with a data controller's legal obligations;
  4. To protect the vital interests of a data subject or another individual;
  5. To perform a task in the public interest or in official authority;
  6. For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).

6 Rights of the data subject

Transparency and modalities

Article 12 requires that the data controller provides information to the "data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."

6.1 Information and access

The right of access (Article 15) is a data subject right. It gives people the right to access their personal data and information about how this personal data is being processed. A data controller must provide, upon request, an overview of the categories of data that are being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)); furthermore, the data controller has to inform the data subject on details about the processing, such as the purposes of the processing (Article 15(1)(a)), with whom the data is shared (Article 15(1)(c)), and how it acquired the data (Article 15(1)(g)).

A data subject must be able to transfer personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Data that has been sufficiently anonymized is excluded, but data that has been only de-identified but remains possible to link to the individual in question, such as by providing the relevant identifier, is not. In practice, however, providing such identifiers can be challenging, such as in the case of Apple's Siri, where voice and transcript data is stored with a personal identifier that the manufacturer restricts access to, or in online behavioral targeting, which relies heavily on device fingerprints that can be challenging to capture, send, and verify.

Both data being 'provided' by the data subject and data being 'observed', such as about behaviour, are included. In addition, the data must be provided by the controller in a structured and commonly used standard electronic format. The right to data portability is provided by Article 20 of the GDPR.

6.2 Rectification and erasure

A right to be forgotten was replaced by a more limited right of erasure in the version of the GDPR that was adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds within 30 days, including noncompliance with Article 6(1) (lawfulness) that includes a case (f) if the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data (see also Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).

6.3 Right to object and automated decisions

Article 21 of the GDPR allows an individual to object to the processing of personal information for marketing or non-service-related purposes. This means the data controller must allow an individual the right to stop or prevent the controller from processing their personal data.

7 What if we believe that our rights have not been respected?

1. File a complaint with the DPA (digital platform for Attorneys)
• Deals with the investigation and provides information on the progress or resolution of your complaint within three months.

2. Prosecution of ODA (official development assistance)
• if the person considers that the ODA has not dealt with the complaint correctly within three months, or if he / she does not receive a response or against ADP.

3. Legal action of a company / organization
• If you believe that your data protection rights have been violated, you can take legal action directly against a company.

4. One-stop shop mechanism
• A system that ensures more efficient handling of complaints.
• It can help you to link your complaint to similar complaints lodged in other EU Member States.

For example, let's say you like to run and buy a watch that calculates your heart rate and speed per kilometer, records your route, and collects other relevant data. Then you upload all your data to the website and you realize that your data has been mixed with someone else's. You can file a complaint against the site with the ODA in your country.

8 How do we Respond to Threats?

• Physical insurance of devices and equipment.
• Install a powerful antivirus and update it regularly.
• Install and update intrusion detection systems.
• Install network monitoring systems to alert on security vulnerabilities.
• Create a backup policy.
• Use strong systems to encrypt transmitted information.

9 Confidentiality

In connection with privacy and information protection, it is important to mention confidentiality.
Confidentiality is a legal and moral obligation to keep secret certain information about a person's intimate sphere.
Some information must not be made available or disclosed without the person's authorization.

There are different types of confidentiality:
Legal confidentiality: Lawyers are always required by law to keep secret all information about their clients.

9.1 Medical Confidentiality

Communications between a patient and a doctor in a professional medical setting must be secret. This confidentiality, called medical secrecy, represents the code of ethics for every doctor.
The rules contained within it are the expression of a conscientious conduct consistent with the noble traditions of the medical profession. It is precisely from the code of ethics that the obligation for the professional to maintain professional secrecy derives.
Legal protections prevent doctors from revealing some discussions with patients, even under oath in court.
This doctor-patient privilege applies only to secrets shared between doctor and patient during the course of providing medical care.
The rule goes back at least to the Hippocratic oath, which reads:
"Anything, in relation to my professional service, or not in relation to it, I see or hear, in the lives of men, which should not be talked about abroad, I will not divulge, such as the consideration that all this should be kept secret."
Traditionally, medical ethics have viewed the duty of confidentiality as a relatively non-negotiable principle of medical practice.
The ethical principle of confidentiality requires that information shared by a client with a therapist in the course of treatment is not shared with others.
This principle strengthens the therapeutic alliance, as it promotes an environment of trust.
There are important exceptions to confidentiality, namely when it conflicts with a physician's duty to warn or duty to protect.

9.2 IT confidentiality

It is forbidden to copy, forward and disseminate sensitive data (such as genetic or biometric data, health-related data, etc.) without the authorization of the person.
Genetic Data: all biometric data is personal data, as it relates to an identified or identifiable individual.
Biometric data is also special category data whenever you process it “for the purpose of uniquely identifying a natural person”.
This means that biometric data will be Special Category Data in many cases.
Health-related data: any data "related to health conditions, reproductive outcomes, causes of death, and quality of life" for an individual or population.
Health data includes clinical metrics along with environmental, socioeconomic, and behavioral information pertinent to health and wellness.

9.3 Dos of confidentiality

- Ask for consent to share information.
- Consider safeguarding when sharing information.
- Be aware of the information you have and whether it is confidential.
- Keep records whenever you share confidential information.
- Be up to date on the laws and rules surrounding confidentiality.

9.4 Good confidentiality agreement

The party receiving the information should be required to protect the confidentiality of the information.



Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License