
DATA PROTECTION, PRIVACY AND THE FREEDOM OF INFORMATION:

DEFINITION: Data protection is the process of safeguarding important information from
corruption and/or loss.

Data protection is commonly defined as the law designed to protect your personal information,
which is collected, processed and stored by automated means or intended to be part of a filing
system. In modern societies, to empower us to control our information and to protect us from
abuses, it is essential that data protection laws restrain and shape the activities of companies and
governments. These institutions have shown repeatedly that unless rules restrict their actions,
they will endeavor to collect it all, mine it all, and keep it all, while telling us nothing at all.

The term data protection is used to describe both operational backup of data and disaster
recovery/business continuity. A data protection strategy should include data lifecycle
management (DLM), a process that automates the movement of critical data to online and offline
storage and information lifecycle management (ILM), a comprehensive strategy for valuing,
cataloging and protecting information assets from application/user errors, malware/virus attacks,
machine failure or facility outages/disruptions.

Storage technologies that can be used to protect data include tape backup, which copies
designated information to a tape cartridge device so it can be safely stored, and mirroring, which
creates an exact replica of a website or files so they are available from more than one
place. Storage snapshots can automatically generate a set of pointers to information stored on
tape or disk, allowing for faster data recovery, while continuous data protection (CDP) backs up
all the data in an enterprise whenever a change is made.
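As an added illustration (not part of the original notes), the following Python sketch shows the mechanics behind snapshot-style protection against corruption and loss: each block of a file is stored once under its SHA-256 digest, a snapshot is only an ordered list of pointers to those blocks, unchanged blocks are shared between snapshots, and a damaged block is detected before a restore hands back bad data. The store class, the tiny block size and the sample file contents are all constructed assumptions.

```python
import hashlib

BLOCK_SIZE = 4  # tiny block size so the example is readable; real systems use kilobytes


class SnapshotStore:
    """Toy content-addressed backup store (constructed for illustration).

    Every block is stored once, keyed by its SHA-256 digest.  A snapshot is
    just the ordered list of digests ("pointers") that made up a file at one
    point in time, so taking a snapshot is cheap, unchanged blocks are shared
    between snapshots, and any corrupted block is detectable before restore.
    """

    def __init__(self):
        self.blocks = {}     # digest -> block bytes
        self.snapshots = {}  # snapshot name -> list of digests

    @staticmethod
    def _digest(data):
        return hashlib.sha256(data).hexdigest()

    def snapshot(self, name, data):
        """Record a snapshot of `data` and return its list of block pointers."""
        pointers = []
        for offset in range(0, len(data), BLOCK_SIZE):
            chunk = data[offset:offset + BLOCK_SIZE]
            digest = self._digest(chunk)
            self.blocks.setdefault(digest, chunk)  # de-duplicate identical blocks
            pointers.append(digest)
        self.snapshots[name] = pointers
        return pointers

    def verify(self, name):
        """Return the indices of blocks that are missing or no longer match their digest."""
        damaged = []
        for index, digest in enumerate(self.snapshots[name]):
            chunk = self.blocks.get(digest)
            if chunk is None or self._digest(chunk) != digest:
                damaged.append(index)
        return damaged

    def restore(self, name):
        """Reassemble the file, refusing to hand back silently corrupted data."""
        damaged = self.verify(name)
        if damaged:
            raise ValueError("snapshot %r has damaged blocks at %s" % (name, damaged))
        return b"".join(self.blocks[d] for d in self.snapshots[name])


def demo():
    """Walk through snapshot, de-duplication, corruption detection and restore."""
    store = SnapshotStore()
    day1 = b"ABCDEFGHIJKL"   # constructed sample file contents
    day2 = b"ABCDEFGHXYZ!"   # only the last block changed since day1
    store.snapshot("day1", day1)
    store.snapshot("day2", day2)
    shared_blocks = len(store.blocks)         # 4: three from day1 plus one new block

    restored_day2 = store.restore("day2")

    # Simulate bit rot: overwrite the stored bytes behind day1's third pointer.
    third = store.snapshots["day1"][2]
    store.blocks[third] = b"ZZZZ"
    damaged = store.verify("day1")            # [2]
    try:
        store.restore("day1")
        restore_refused = False
    except ValueError:
        restore_refused = True

    return {
        "shared_blocks": shared_blocks,
        "restored_day2": restored_day2,
        "damaged": damaged,
        "restore_refused": restore_refused,
        "day2_intact": store.verify("day2"),  # day2 never pointed at the damaged block
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the sketch is that a snapshot is cheap because it is pointers rather than a copy, and that the digest check turns silent corruption into a detected failure; a mirror or tape copy would then supply the replacement block.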

THE NEED FOR DATA PROTECTION:

Whether you buy a product online, register for email, go to your doctor, pay your taxes, or enter
into any contract or service request, some of your personal information is being recorded. Even
without your knowledge, information about you is being generated and captured by companies and
agencies you are likely to have never knowingly interacted with. The only way citizens and
consumers can have confidence in both government and business is through strong data
protection practices, with effective legislation to help minimize needless monitoring by
officialdom and regulate surveillance by companies.

Since the 1960s and the expansion of information technology capabilities, business and
government organizations have been storing this personal information in databases. Databases
can be searched, edited, cross-referenced and data shared with other organizations and across the
world. Once the collection and processing of data became widespread, people started asking
questions about what is happening to their information once it was turned over. Who had the
right to access the information? Was it kept accurately? Was it being collected and disseminated
without their knowledge? Could it be used to discriminate or abuse other fundamental rights?

While over 100 countries now have laws, in many countries there is still a great need for stronger
legal safeguards to give citizens and consumers confidence in what is done to their personal
information by government and business. Although most countries have accepted that data
protection is necessary in selected sectors, they have not yet developed comprehensive data
protection law that applies to all business sectors and to government.

HOW DOES DATA PROTECTION WORK?

Where a comprehensive data protection law exists, organizations, public or private, that collect
and use your personal information have the obligation to handle this data according to the data
protection law. This law is based on a number of basic principles. Briefly, these principles
require that:

There should be limits to what is collected: there should be limits on the collection of personal
information, and it should be obtained by lawful and fair means, with the knowledge or consent of
the individual;

The information should be correct: personal information should be relevant to the purposes for
which it is used, should be accurate, complete and up to date;

There must be no secret purposes: the purposes for which the information is to be used should be
specified at least at the time of collection and should only be used for those agreed purposes;

There must be no creeping purposes: personal information can only be disclosed, used, or
retained for the original purposes, except with the consent of the individual or under law,
and accordingly it must be deleted when no longer necessary for that purpose;

The information must be secure: reasonable security safeguards are used to protect personal
information from loss, unauthorized access, destruction, use, modification or disclosure;

No secret organizations, sources, or processing: we must be made aware of the collection and use
of our information, we should know the purpose for its use, and we must know about the
organization that is the data controller;

Individuals have rights to be involved: we should be able to have access to our information, and
we must have the right to challenge the information held and to seek its deletion, rectification,
completion or modification;

Organizations must be held to account: the organization that collects and manages your
information must be accountable for providing the above principles and rights.
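The principles above read as policy, but several of them (purpose limitation, no creeping purposes, deletion when no longer necessary, the individual's right of access and rectification) are checks a system can enforce mechanically. The following Python example is added here to show what that looks like; it is not from the original notes or from any particular statute, and the purposes, retention periods and record fields are assumptions chosen for the illustration.

```python
from datetime import date, timedelta


class PurposeViolation(Exception):
    """Raised when personal data would be used for a purpose the subject was not told about."""


class DataController:
    """Toy register enforcing purpose limitation, retention and subject rights.

    Constructed illustration; the purposes, retention periods and record
    fields below are assumptions, not taken from any particular law.
    """

    def __init__(self):
        # Declared purposes and how long (days) data may be kept for each,
        # as if notified to the regulator at collection time.
        self.register = {"order_fulfilment": 365, "newsletter": 730}
        self.records = []

    def collect(self, subject, field, value, purpose, collected_on, consents=()):
        """Store a data item only for a purpose that is on the register."""
        if purpose not in self.register:
            raise PurposeViolation("purpose %r was never declared" % purpose)
        self.records.append({
            "subject": subject, "field": field, "value": value,
            "purpose": purpose, "collected_on": collected_on,
            "consents": set(consents),   # extra purposes the subject agreed to
        })

    def use(self, subject, field, purpose):
        """Release a value only for its original purpose or one the subject consented to."""
        for rec in self.records:
            if rec["subject"] == subject and rec["field"] == field:
                if purpose == rec["purpose"] or purpose in rec["consents"]:
                    return rec["value"]
                raise PurposeViolation(
                    "%s/%s collected for %r, requested for %r"
                    % (subject, field, rec["purpose"], purpose))
        return None

    def purge_expired(self, today):
        """Delete records held longer than their purpose allows; return how many were removed."""
        kept = []
        for rec in self.records:
            expiry = rec["collected_on"] + timedelta(days=self.register[rec["purpose"]])
            if today <= expiry:
                kept.append(rec)
        removed = len(self.records) - len(kept)
        self.records = kept
        return removed

    def subject_access(self, subject):
        """The individual's right to see what is held about them and why."""
        return [(r["field"], r["value"], r["purpose"])
                for r in self.records if r["subject"] == subject]

    def rectify(self, subject, field, new_value):
        """The individual's right to correct inaccurate data; returns records changed."""
        changed = 0
        for rec in self.records:
            if rec["subject"] == subject and rec["field"] == field:
                rec["value"] = new_value
                changed += 1
        return changed


def demo():
    """Run a constructed scenario end to end and return what a reviewer would check."""
    dc = DataController()
    dc.collect("alice", "address", "1 High St", "order_fulfilment", date(2024, 1, 1))
    out = {"use_ok": dc.use("alice", "address", "order_fulfilment")}
    try:
        dc.use("alice", "address", "newsletter")   # creeping purpose: refused
        out["creep_blocked"] = False
    except PurposeViolation:
        out["creep_blocked"] = True
    out["rectified"] = dc.rectify("alice", "address", "2 Low Rd")
    out["access"] = dc.subject_access("alice")
    out["purged_on_expiry_day"] = dc.purge_expired(date(2024, 12, 31))
    out["purged_after"] = dc.purge_expired(date(2025, 1, 1))
    out["after_purge"] = dc.subject_access("alice")
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the purpose is stored with the data item itself, so a later request for a different purpose fails at the point of use rather than depending on whoever wrote the query remembering the rule.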

Data protection rules need to be enforced by a regulator or authority, often called a Privacy
Commissioner. The strength of the powers invested in these authorities varies from country to
country, and so does their independence from Government. These powers, for example, can include
the ability to conduct investigations, act on complaints and impose fines when they discover an
organization has broken the law.

Apart from enforcement through regulatory means, we also believe that technologies can play a
strong role in ensuring data protection rules are followed. Through technological means and
careful design, it is possible to limit data collection, to mathematically restrict further data
processing, to assuredly limit unnecessary access, amongst other privacy measures. Laws can
influence and when necessary compel such developments. Their adoption has been slow, though,
as companies and governments are resistant to limiting their future capabilities or aspirations to
mine our information, even where they are legally supposed to limit purpose creep.

WHAT IS CONSIDERED AS PERSONAL INFORMATION UNDER DATA PROTECTION LAWS?

Roughly speaking, personal information means any kind of information (a single piece of
information or a set of information) that can personally identify an individual or single them out
as an individual.

The obvious examples are somebody's name, address, national identification number, date of
birth or facial image.

A few perhaps less obvious examples include vehicle registration plate numbers, credit card
numbers, fingerprints, a computer's IP address, CCTV video footage, or health records. Some
personal information is considered more sensitive than others, and therefore subject to stricter
rules; this includes your racial or ethnic origin, political views, religion, health, and sex life.
Such information cannot be collected or used at all without your specific consent.

PRIVACY AND FREEDOM OF INFORMATION ACT

The Freedom of Information Act allows any person to request access to federal agency records
or information not determined to be a matter of national security. Agencies of the federal
government are required to disclose any requested information on receipt of a written request.
This requirement is enforceable in court. Some information is, however, protected from
disclosure, and the act does not apply to state or local government agencies or to private
businesses or individuals, although many states have their own version of the.

THE DATA PROTECTION ACT (DPA)

This is a law designed to protect personal data stored on computers or in an organized paper
filing system.

How the Data Protection Act works

The 1998 Act covers information or data stored on a computer or an organized paper filing
system about living people. The basic way it works is by:

1. setting up rules that people have to follow
2. having an Information Commissioner to enforce the rules
It does not stop companies storing information about people. It just makes them follow rules.

The roles of those involved

1. The Information Commissioner is the person (and his/her office) who has powers to
enforce the Act.
2. A data controller is a person or company that collects and keeps data about people.
3. A data subject is someone who has data about them stored somewhere, outside of their
direct control. For example, a bank stores its customers' names, addresses and phone
numbers. This makes us all data subjects as there can be few people in the UK who do not
feature in computer records somewhere.

The Principles of Data Protection

For the personal data that controllers store and process:

1. It must be collected and used fairly and inside the law.
2. It must only be held and used for the reasons given to the Information Commissioner.
3. It can only be used for those registered purposes and only be disclosed to those people
mentioned in the register entry. You cannot give it away or sell it unless you said you would
to begin with.
4. The information held must be adequate, relevant and not excessive when compared with the
purpose stated in the register. So you must have enough detail but not too much for the job
that you are doing with the data.

5. It must be accurate and be kept up to date. There is a duty to keep it up to date, for example
to change an address when people move.
6. It must not be kept longer than is necessary for the registered purpose. It is alright to keep
information for certain lengths of time but not indefinitely. This rule means that it would be
wrong to keep information about past customers longer than a few years at most.
7. The information must be kept safe and secure. This includes keeping the information backed
up and away from any unauthorized access. It would be wrong to leave personal data open to
be viewed by just anyone.

THE CONCEPT OF HACKING AND VIRUSES:

Computer hacking refers to the practice of modifying or altering computer software and
hardware to accomplish a goal that is considered to be outside of the creator's original objective.
Those individuals who engage in computer hacking activities are typically referred to as
hackers.
The majority of hackers possess an advanced understanding of computer technology. The typical
computer hacker will possess an expert level in a particular computer program and will have
advanced abilities with regard to computer programming.
Unlike the majority of computer crimes, which are regarded as clear-cut in terms of legality
issues, computer hacking is somewhat ambiguous and difficult to define. In all forms, however,
computer hacking will involve some degree of infringement on the privacy of others or the
damaging of computer-based property such as web pages, software, or files.
As a result of this loaded definition, the impact of computer hacking will vary from a simple
invasive procedure to an illegal extraction of confidential or personal information.

TYPES OF HACKING

HACKING SOFTWARE USED BY HACKERS AND SECURITY PROFESSIONALS

1. METASPLOIT is probably the best platform for developing and executing exploits,
controlling compromised machines and taking over the network.
2. NESSUS VULNERABILITY SCANNER: scans IPs and hosts with Nessus Agents.
3. CAIN & ABEL is free hacking and password recovery software with multiple
functionalities, and possibly our favorite software for initiating Man-in-the-Middle
(MITM) attacks. It permits simple recovery of most types of passwords by sniffing the
network, cracking encrypted passwords via dictionary attack, brute force and
crypto attacks, VoIP recording, recovering weak wireless network keys, revealing cached passwords
and analyzing routing protocols, ARP poisoning and MITM, using weaknesses in core
TCP/IP protocols.
4. KALI LINUX is the new generation of the industry-leading BackTrack Linux
penetration testing and security auditing Linux distribution.
5. HYDRA: if you want to brute force a remote authentication service, then you had better
choose THC Hydra. It is fast, reliable and customizable hacking software able to crack
more than thirty protocols.
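From the defender's side, the brute-force tools listed above leave a very recognisable trace: a burst of failed logins from one source address, often against many different usernames. The following Python example, added here and not part of the original notes, shows the detection logic run over a constructed set of OpenSSH-style log lines; the log lines, host name, process IDs and the documentation-range IP addresses are all made up for the example, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH-style failed-login lines (syslog timestamp without year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

# Constructed sample log: six rapid failures from one address, two slow ones from another,
# plus one successful login that the detector must ignore.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 50111 ssh2
Jan 10 12:00:02 bastion sshd[4103]: Failed password for alice from 198.51.100.7 port 50210 ssh2
Jan 10 12:00:03 bastion sshd[4105]: Failed password for invalid user root from 203.0.113.5 port 50112 ssh2
Jan 10 12:00:05 bastion sshd[4107]: Failed password for invalid user test from 203.0.113.5 port 50113 ssh2
Jan 10 12:00:07 bastion sshd[4109]: Failed password for invalid user oracle from 203.0.113.5 port 50114 ssh2
Jan 10 12:00:09 bastion sshd[4111]: Failed password for invalid user guest from 203.0.113.5 port 50115 ssh2
Jan 10 12:00:11 bastion sshd[4113]: Failed password for invalid user admin from 203.0.113.5 port 50116 ssh2
Jan 10 12:00:12 bastion sshd[4115]: Accepted password for alice from 198.51.100.7 port 50211 ssh2
Jan 10 12:05:00 bastion sshd[4201]: Failed password for alice from 198.51.100.7 port 50300 ssh2
"""


def parse_syslog_time(stamp, year=2024):
    """Syslog omits the year; the caller supplies it (assumed 2024 for the sample)."""
    return datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source IP that produces >= threshold failures inside a sliding window.

    Each alert records the source IP, the failures seen in the window, the
    distinct usernames tried (many usernames from one IP points to account
    guessing rather than one user mistyping a password) and the alert time.
    """
    recent = defaultdict(deque)        # ip -> timestamps of failures in the window
    users = defaultdict(set)           # ip -> usernames attempted
    alerted = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                   # successful logins and other noise are ignored
        ip, when = m.group("ip"), parse_syslog_time(m.group("ts"))
        users[ip].add(m.group("user"))
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > window_seconds:
            window.popleft()           # drop failures older than the window
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(window),
                "usernames": sorted(users[ip]),
                "at": when.isoformat(),
            })
    return alerts


def demo():
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On the sample the detector fires once, on the fifth failure from 203.0.113.5, and stays quiet for 198.51.100.7, whose two failures are minutes apart. The usernames list is what distinguishes a guessing tool from a forgetful user and is the field worth surfacing to whoever triages the alert.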

HOW TO PREVENT IT!

1. Perform required software updates for your operating system and web browser.

2. Install a firewall on your computer.

3. Change your passwords every month.

4. Purchase or download anti-virus software.

5. Install anti-spyware/adware programs onto your system.

THREE MAIN TYPES OF HACKERS

1. White Hat Hackers: These are the computer security experts who specialize in penetration
testing and other methodologies to ensure that a company's information systems are secure.

2. Black Hat Hackers: A black hat hacker is one who hacks with malicious intent, stealing credit
card information or other valuable information to sell on the black market. They may even lock
the owners out of their computer and network systems and then hold them for ransom.

3. Grey Hat Hackers: A grey hat hacker is someone who is in between these two concepts. He may
use his skills for legal or illegal acts, but not for personal gain.

COMPUTER VIRUS is a type of malicious software program ("malware") that, when
executed, replicates by reproducing itself (copying its own source code) or infecting
other computer programs by modifying them. Infected targets can also include data files or the
"boot" sector of the hard drive. When this replication succeeds, the affected areas are then said
to be "infected" with a computer virus. The term "virus" is also commonly, but erroneously, used
to refer to other types of malware. "Malware" encompasses computer viruses along with many other
forms of malicious software, such as computer "worms", ransomware, trojan horses, keyloggers,
rootkits, spyware, adware, malicious Browser Helper Objects (BHOs) and other malicious software.
The majority of active malware threats are actually trojan horse programs or computer worms
rather than computer viruses. The term computer virus, coined by Fred Cohen in 1985, is a
misnomer. Viruses often perform some type of harmful activity on infected host computers, such
as acquisition of hard disk space or central processing unit (CPU) time, accessing private
information (e.g., credit card numbers), corrupting data, displaying political or humorous
messages on the user's screen, spamming their e-mail contacts, logging their keystrokes, or even
rendering the computer useless. However, not all viruses carry a destructive "payload" or attempt
to hide themselves; the defining characteristic of viruses is that they are self-replicating
computer programs which install themselves without user consent.

GENERALLY, THERE ARE THREE MAIN CLASSES OF VIRUSES:

1. File infectors. Some file infector viruses attach themselves to program files, usually selected
.COM or .EXE files. Some can infect any program for which execution is requested, including
.SYS, .PRG, and .MNU files.

2. System or boot-record infectors. These viruses infect executable code found in certain
system areas on a disk. They attach to the DOS boot sector on diskettes or the Master Boot
Record on hard disks.

3. Macro viruses. These are among the most common viruses, and they tend to do the least
damage. Macro viruses infect your Microsoft Word application and typically insert unwanted
words or phrases.
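File infectors work by modifying program files, so the classic defensive check is file integrity monitoring: record the size and hash of every executable while the system is known to be clean, then compare later and treat any changed, grown, new or missing program file as something to investigate. The Python example below is added here to show that check; it is not from the original notes, the watched extensions are the ones named in the virus classes above, and the files and the tampering are constructed in a temporary directory so the script runs harmlessly anywhere.

```python
import hashlib
import os
import tempfile

WATCHED_EXTENSIONS = {".exe", ".com", ".sys", ".prg", ".mnu"}  # program types named above


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map every watched program file under root to (size, sha256).

    Run this while the system is known clean and keep the result somewhere the
    monitored system cannot alter it (read-only media, another host).
    """
    table = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTENSIONS:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                table[rel] = (os.path.getsize(path), _sha256(path))
    return table


def compare(base, root):
    """Return which watched files changed, appeared or vanished since the baseline."""
    current = baseline(root)
    modified = sorted(p for p in base if p in current and current[p] != base[p])
    added = sorted(set(current) - set(base))
    missing = sorted(set(base) - set(current))
    # A program that kept its name but grew is the classic sign of code appended to it.
    grown = sorted(p for p in modified if current[p][0] > base[p][0])
    return {"modified": modified, "added": added, "missing": missing, "grown": grown}


def demo():
    """Constructed scenario in a temp directory: clean tree, then simulated tampering."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        write("a.exe", b"MZ original program body")
        write("b.com", b"original com program")
        write("notes.txt", b"not watched")
        base = baseline(root)

        # Simulated tampering: bytes appended to a.exe, b.com deleted, c.sys appears.
        with open(os.path.join(root, "a.exe"), "ab") as fh:
            fh.write(b" EXTRA BYTES APPENDED")
        os.remove(os.path.join(root, "b.com"))
        write("c.sys", b"unexpected new driver")
        write("notes.txt", b"edited text file")   # ignored: not a watched extension
        return {"baselined": sorted(base), **compare(base, root)}


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the moment it was taken and the place it is kept, which is why the comment in `baseline` insists on storing it off the monitored system; a program that can rewrite executables can usually rewrite a hash list stored beside them.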

VIRUS REMOVAL

Many websites run by antivirus software companies provide free online virus scanning, with
limited "cleaning" facilities (after all, the purpose of the websites is to sell antivirus products and
services). Some websites, like Google subsidiary VirusTotal.com, allow users to upload one or
more suspicious files to be scanned and checked by one or more antivirus programs in one
operation. Additionally, several capable antivirus software programs are available for free
download from the Internet (usually restricted to non-commercial use). Microsoft offers an
optional free antivirus utility called Microsoft Security Essentials, a Windows Malicious
Software Removal Tool that is updated as part of the regular Windows update regime, and an
older optional anti-malware (malware removal) tool Windows Defender that has been upgraded
to an antivirus product in Windows 8.

Some viruses disable System Restore and other important Windows tools such as Task
Manager and CMD. An example of a virus that does this is CiaDoor. Many such viruses can be
removed by rebooting the computer, entering Windows "safe mode" with networking, and then
using system tools or Microsoft Safety Scanner. System Restore on Windows Me, Windows
XP, Windows Vista and Windows 7 can restore the registry and critical system files to a
previous checkpoint. Often a virus will cause a system to "hang" or "freeze", and a subsequent
hard reboot will render a system restore point from the same day corrupted. Restore points from
previous days should work, provided the virus is not designed to corrupt the restore files and
does not exist in previous restore points.

OPERATING SYSTEM REINSTALLATION.

Microsoft's System File Checker (improved in Windows 7 and later) can be used to check for,
and repair, corrupted system files. Restoring an earlier "clean" (virus-free) copy of the entire
partition from a cloned disk, a disk image, or a backup copy is one solution; restoring an earlier
backup disk "image" is relatively simple to do, usually removes any malware, and may be faster
than "disinfecting" the computer or reinstalling and reconfiguring the operating system and
programs from scratch, as described below, then restoring user preferences. Reinstalling the
operating system is another approach to virus removal. It may be possible to recover copies of
essential user data by booting from a live CD, or connecting the hard drive to another computer
and booting from the second computer's operating system, taking great care not to infect that
computer by executing any infected programs on the original drive. The original hard drive can
then be reformatted and the OS and all programs installed from original media. Once the system
has been restored, precautions must be taken to avoid reinfection from any restored executable
files.

Staying Safe Online

If you're using the web, there's no foolproof method to avoid all online threats, but there are
certainly things you can do to make yourself safer.

Some of these are:

1. Keep your operating system and each of your programs up-to-date by downloading updates as
they become available.
2. Install a good antivirus program and keep the virus definitions up-to-date.
3. Utilize a firewall that monitors both inbound and outbound traffic. Keep an eye on the flow of
this traffic to help to detect the presence of threats that may be communicating with outside
servers.
4. Avoid unsafe downloads from unknown and untrusted sources.
5. Use your antivirus program, or a malware detection program to scan suspicious links before
opening them.
6. Avoid pirated software.
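Item 3 above says to watch outbound traffic for threats "communicating with outside servers". What that looks like in practice is a review of where a host connects and, above all, how regularly: malware that checks in with a remote server tends to do so on a fixed timer, whereas people and update clients connect at irregular moments. The Python example below is added here to show that review; it is not from the original notes, the log format is a constructed one rather than any particular firewall's, the IP addresses are documentation ranges, and the allowlist and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: timestamp, direction, src:port -> dst:port, verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT (?P<src>\d+(?:\.\d+){3}):\d+ -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<port>\d+) (?P<verdict>ALLOW|DENY)$"
)

# Constructed sample: one host reaches 203.0.113.9 like clockwork every 60 s,
# fetches updates from an allowlisted server irregularly, and hits one other host twice.
SAMPLE_LOG = """\
2024-01-10T12:00:00 OUT 192.168.1.10:51000 -> 203.0.113.9:443 ALLOW
2024-01-10T12:00:17 OUT 192.168.1.10:51001 -> 198.51.100.20:443 ALLOW
2024-01-10T12:01:00 OUT 192.168.1.10:51002 -> 203.0.113.9:443 ALLOW
2024-01-10T12:02:00 OUT 192.168.1.10:51003 -> 203.0.113.9:443 ALLOW
2024-01-10T12:02:41 OUT 192.168.1.10:51004 -> 198.51.100.20:443 ALLOW
2024-01-10T12:03:00 OUT 192.168.1.10:51005 -> 203.0.113.9:443 ALLOW
2024-01-10T12:03:09 OUT 192.168.1.10:51006 -> 192.0.2.77:8080 ALLOW
2024-01-10T12:04:00 OUT 192.168.1.10:51007 -> 203.0.113.9:443 ALLOW
2024-01-10T12:05:00 OUT 192.168.1.10:51008 -> 203.0.113.9:443 ALLOW
2024-01-10T12:07:30 OUT 192.168.1.10:51009 -> 192.0.2.77:8080 ALLOW
2024-01-10T12:09:55 OUT 192.168.1.10:51010 -> 198.51.100.20:443 ALLOW
"""

ALLOWLIST = {"198.51.100.20"}   # assumed known-good update server


def review_outbound(lines, allowlist, min_connections=5, max_cv=0.1):
    """Summarise outbound destinations not on the allowlist and flag beacon-like timing.

    A destination is beacon-like when the host reaches it at least
    min_connections times and the gaps between connections are nearly
    constant (coefficient of variation <= max_cv).
    """
    by_dst = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group("src"), m.group("dst"), m.group("port"))
        by_dst[key].append(datetime.fromisoformat(m.group("ts")))
    findings = []
    for (src, dst, port), times in sorted(by_dst.items()):
        if dst in allowlist:
            continue                                   # known-good, not reviewed
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon_like = False
        if len(times) >= min_connections:
            avg = mean(gaps)
            beacon_like = avg > 0 and pstdev(gaps) / avg <= max_cv
        findings.append({"src": src, "dst": dst, "port": port,
                         "connections": len(times), "beacon_like": beacon_like})
    return findings


def demo():
    return review_outbound(SAMPLE_LOG.splitlines(), ALLOWLIST)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the sample, 203.0.113.9 is reported with six connections and `beacon_like` set, 192.0.2.77 is listed for a human to look at but not flagged, and the allowlisted update server is not reported at all. Real traffic needs the allowlist maintained and the window tuned, but the shape of the check is the same.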

CONCLUSION

The Data Protection Act (DPA) is a law designed to protect personal data stored on computers or
in an organized paper filing system.

The Freedom of Information Act allows any person to request access to federal agency records
or information not determined to be a matter of national security. Agencies of the federal
government are required to disclose any requested information on receipt of a written request.
This requirement is enforceable in court. Some information is, however, protected from
disclosure, and the act does not apply to state or local government agencies or to private
businesses or individuals, although many states have their own version of the

Computers add a new dimension to criminal law, presenting many issues for law enforcement.
At the forefront of law enforcement concerns is the necessity to secure adequate training to
combat these crimes. This requires additional resources. The technical sophistication needed to
follow the "electronic trail" far surpasses traditional methods of investigation. In some cases data
are encrypted, making it difficult for police authorities to discern the contents of the information.
The detection of criminal conduct may also be hampered by the reluctance of entities to report an
unauthorized computer access. Corporations may fear the negative publicity that might result as
a consequence of their systems being compromised. In many cases, unauthorized computer
access may go undetected by the individual or entity whose computer system had been invaded.

The Internet also presents national security concerns since computers serve instrumental roles in
the delivery of emergency services, government operations, banking, transportation, energy, and
telecommunications. As technology develops, the law needs to respond to these new
developments to deter those who would abuse and misuse the new technology.

Malaysia

THE MALAYSIAN PERSONAL DATA PROTECTION ACT 2010: A LEGISLATION NOTE

The Constitution of Malaysia does not specifically recognize the right to privacy.

The Ministry of Energy, Telecommunications and Posts is drafting a Personal Data Protection
Act which will create legal protections for personal data. Minister Datuk Leo Moggie said the
Act would also cover the security of personal data in relation to the implementation of an
electronic network. He told the Dewan Rakyat (House of Representatives) in July 1998 that the
Act will be tabled in Parliament by the end of the year.

In July, the House approved the Communications and Multimedia Bill, which has several
sections on telecommunications privacy. Section 234 prohibits unlawful interception of
communications. Section 249 sets rules for searches of computers and includes access to
encryption keys. Section 252 authorizes police to intercept communications without a warrant if
a public prosecutor considers that a communication is likely to contain information which is
relevant to an investigation.

Several other laws relating to technology have recently been approved, including The Digital
Signature Act 1997 and the Computer Crime Act, 1997. Section 8 of the Computer Crime Act
allows police to inspect and seize computing equipment of suspects without a warrant or any
notice. The suspect is also required to turn over all encryption keys for any encrypted data on his
equipment. Malaysia's Banking and Financial Institutions Act 1989, Pt XIII, also has provisions
on privacy.
on privacy.

Police detained four people under the Internal Security Act on suspicion of spreading rumors of
disturbances in Kuala Lumpur in August 1998. Inspector-General of Police Tan Sri Abdul Rahim
Noor said to the media then that the suspects were detained after police tracked their activities
on the Internet with the assistance of Internet service provider Mimos Berhad. The provider said
later that it did not screen private email.

In the digital age, data or information has become an especially valuable, yet vulnerable
commodity [1]. The significant role of information in the global economy and the implications of
the collection, use, processing and disclosure of personal data have raised concerns over the
ways in which the personal data can be protected. For Malaysia, data protection, or information
privacy, is relatively new. As it develops, it demands specific law to provide a secure
environment for personal data in electronic transactions.

In Malaysia, the Constitution has not made privacy a fundamental human right equivalent to
other rights guaranteed under it. However, it does provide for several privacy-related rights,
including liberty of the person [2], freedom of movement [3] and freedom of assembly, speech and
association [4]. Additionally, English common law principles are widely applicable to privacy-
related cases such as defamation, nuisance, trespass and breach of confidence. More than a
decade ago, the Multimedia Super Corridor Malaysia or "MSC" project [5] was formulated with
the full support of the Malaysian Government to transform the nation into a knowledge-based
economy. As part of the programme, a data protection law was introduced to create a legal and
regulatory framework for the project. The proposed Act was tabled a number of times in
Parliament [6]. It was finally passed on 5 April 2010 [7] and became law on 10 June 2010 [8]. The
purpose of this note is to discuss this new Personal Data Protection Act 2010 (PDP 2010) [9] from
a privacy protection perspective and to examine its scope and its limitations in regulating the
handling and controlling of personal data. The protections available in processing, holding,
collecting and using any data pertaining to an individual person will be scrutinised. The paper
also makes comparison with the United Kingdom and Hong Kong Data Protection legislation
and highlights the international features reflected in the PDP 2010, particularly the OECD
Guidelines, the Council of Europe Convention, the EU Data Protection Directives and the APEC
Privacy Framework. The discussion concludes with suggestions for overcoming the Act's
perceived flaws. This analysis shows that the PDP 2010 is a law that outlines data protection
principles in a generic form but does not provide protection in terms of damages and injunction
to individuals whose data has been encroached upon and is not dedicated to the protection of
individual privacy. The Act's dominant influences are from the Hong Kong Personal Data (Privacy)
Ordinance 1995 and the Data Protection Act 1998 (UK). The personal data protection principles
are structured in terms which are identical to those of both pieces of legislation and the PDP
2010 contains all those principles in order to satisfy minimum requirements for the law
governing collection and processing of personal data [10]. The preamble of the PDP 2010 states
that it is an Act "to regulate and protect the process of personal data from being misused through
commercial transactions and matters relating thereto". Thus, it aims only to safeguard
confidentiality in the handling of an individual's personal data and to prevent misuse of that data
in relation to commercial transactions.
