The right to privacy is commonly recognised as a fundamental human right. The United Nations Universal Declaration of Human Rights (United Nations 1948) and the South African Constitution (Republic of South Africa 1996), in particular, explicitly recognise privacy to be a fundamental right. Information privacy derives from this right and while a formal definition follows in the next chapter, information privacy can be seen as the control individuals have over information that pertains to them. The protection of information privacy, together with the protection of privacy in general1, is seen as necessary in the maintenance of democracy (Flaherty 1998, p.170-1)(Bygrave 1998) and
healthy psychological function (Pedersen 1999).
Information technologies such as networking, databases, data mining and storage media, however, have advanced to the point where storage, sharing and access to personal information facilitates the violation of information privacy to an unprecedented extent (Clarke 1998, p.500)(Head & Yuan 2001, p.150)(Jordaan 2003, p.i)(Smith 1993, p.105).
It is therefore now viable for large organisations and governments to violate the information privacy of more individuals with greater ease than in the past. A recent case bears testament to this. In 2010 Google Inc. (Google Inc. 2012a) collected unsecured wireless network traffic without permission in many countries while developing its Street View (Google Inc. 2012b) product. This was termed by the Australian Minister of Communications as “the largest privacy breach in history across Western democracies” (ZDNet 2010).
In response to the risk to information privacy, increased attention has been given to mechanisms that protect information privacy (Ernst & Young 2012). Such mechanisms have been both technological, for example, through so-called privacy enhancing technologies, and legal, via laws designed to protect information privacy. Despite the 1 All references to the term ‘privacy’ in this thesis refer to the broad concept of privacy, while the term ‘information privacy’ refers to the more specific concept. increased attention given to protecting information privacy, protective mechanisms have lagged behind the technologies and practices that allow for information privacy violations (Reddy & Venter 2010, p.973).
By and large, technological efforts to protect information privacy focus on specific technical problems, such as maintaining anonymity on the Internet. Few efforts have focused on the management of information privacy protection within large organisations. Large organisations, like multi-national companies and government departments, typically hold substantial amounts of information about individuals. Even less work has been done on addressing information privacy protection in organisations in a holistic manner. That is, in a manner that addresses the management of technology, as well as the management of the people and processes involved in processing and storing individuals’ information.
1.2 Problem Statement
1.5 Thesis Layout
2 Information Privacy
2.2 What is Privacy?
2.2.1 Definitions of Privacy
2.2.2 Privacy – Adopting a Definition
2.2.3 The Right to Privacy
22.214.171.124 International Privacy Rights
126.96.36.199 Privacy Rights in South Africa
2.3 What is Information Privacy?
2.3.1 Definitions of Information Privac
2.3.2 Information Privacy – Adopting a Definition
2.3.3 The Fair Information Principles
2.3.4 Information Privacy in the Law
188.8.131.52 International Information Privacy Laws
184.108.40.206 South African Information Privacy Laws
2.3.5 Protection of Information Privacy
3 Digital Forensics
4 Digital Forensics Readiness
4.2 Organisational Aspects of Digital Forensic Readiness.
4.2.1 Early Identification of Technical Factor
4.2.2 Organisational Policy and Early Non-technical Aspects
4.2.3 A Comprehensive Approach
4.2.4 Law Enforcement and Information Privacy Sensitive Forensics
4.2.5 Importance of Training, Per Incident Costs, Network Forensic Readiness and Strategy
4.2.6 Incorporating Digital Forensics into Other Corporate Functions .
5 Time-Driven Activity-Based Costing
6 A Digital Forensic Readiness Framework for Information Privacy Incidents
7 Using TDABC to Manage DFR for Information Privacy Incidents in Large Organisations
8 TDABC and a Digital FORCFIPI – Information Query Simulation
9 TDABC and a Digital FORCFIPI – Firewall Monitoring Simulation
10 Architecture of a Digital Forensic Readiness Management System.
11 Discussing the DFRMS Architecture
12 DFRMS Prototype – The Event Analysis Module
13 DFRMS Prototype – Information, Access Control and User Interface Modules