Study on introducing guidelines to prepare a data protection policy

Abstract

Over the past several decades, "Information Technology" has become the primary technology that affects everyone in the modern world in their day-to-day lives. As the role played by "information" in organizing, controlling, facilitating and managing a person's life became ever more pronounced, the impact of information technology on individuals and society also became more significant in its depth and far reaching in its breadth. In the modern technologically-enhanced world we live in today, information technology had been able to make a very positive impact by making our lives more enriching through the availability of a myriad of services and capabilities tailor-made to our individual needs and preferences. Among these many and varied benefits of information technology lies certain critical factors that could create negative outcomes. Main among these disadvantages is the possible harmful effects on privacy of people. Beginning with the new millennium, Sri Lanka has been on an accelerated program to bring information technology to nearly every aspect of a citizen's life with special emphasis on public sector services led by the e-Sri Lanka initiative of the government and the private sector services in banking and finance, insurance, telecommunication, education, trade and commerce, etc. The government has given due recognition to strengthen the legal framework for use of information technology in public life through the enactment of legislation such as Electronic Transactions Act of 2006 and Computer Crimes Act of 2007 that provide the laws and legal procedures for effective and correct use of technology. In addition to these new laws, the government has amended many other laws, rule and regulations to accommodate information technology and its many capabilities for improvement in services and process as well as in providing new services and other capabilities for the benefit of the citizens and the country. Also, both the government as well as the private sector in Sri Lanka have successfully implemented many initiatives to improve the information technology skills and literacy level of users. An important outcome of all these developments in technology, legislation, training, services, etc has been the ever expending collection, processing and storage of data pertaining to individuals and transactions that could have a significant impact on the privacy concerns of citizens. The globally prevalent approach to address such privacy concerns has been the formulation and enactment of legislation that are termed as "data protection laws" along with supporting procedures and mechanisms for law implementation. While it can be seen that a clear need exists for data protection laws in Sri Lanka through comparison with other countries and considering the accelerated growth in information technology and associated services; the extent of the need for a data protection law, the parameters of importance in such a law and the guideline that should be considered in the formulation of the law have not been systemically studied before. The research work presented in this thesis seeks to address this lacuna through a focused study on finding factors to be considered while preparing a data protection policy suitable for the Sri Lankan context. The research methodology was based on an empirical study using a sample of companies covering a broad spectrum of applications and services that collect, process and store data with potential privacy impacts. The research studied existing practices impacting data protection (both positively and negatively) as well as issues faced by management while protecting data. The research found that certain widely practiced acts of organizations seen to be commercially expedient could lead to serious information privacy violations to primary owners of data. Also, the research showed a focus on data protection primarily through company policy based approaches bereft of technological means such as data encryption that would facilitate vigorous enforcement of those policies. Another important finding of the research is the unintentional violation of data privacy by organization through the unregulated actions of employees. The author expects the research findings presented in this thesis to contribute to the knowledge area of information privacy concerns in Sri Lanka and to assist in future research work related to the area of data and privacy protection.