View
27
Download
3
Category
Preview:
Citation preview
1
Department of Criminology
Distance Learning Programmes
_____________________________________
Assignment Cover Sheet for submission of examined formal assessments _____________________________________
Course Name and
Qualification
Name of Student Student Number Intake
Month and Year
MSc Security and Risk
Management
David KLIMAS 139 046 783 March 2014
Submission Date Module/Assignment Number (e.g.: FA1)
Word Count
Page Numbers
Inserted (state YES)
23rd June 2015 Module 5 / FA5 3.996
YES
Essay Title
Does current data protection legislation achieve a satisfactory balance between the interests of the security
manager and the individual?
2
Data protection and security seems to be two incompatible concepts. The implementation of full
body scanners in the years following the 9/11 terrorist attacks seem to be an example of that:
Hundreds of full body scanners had to be removed from airports because of unresolved privacy
issues (Ahlers, 2013). In this particular case, the prevailing question about balancing security and
privacy had been answered, temporarily, in favour of the last. This essay will evaluate in more details
the challenges to find and maintain this balance and what role the UK Data protection act play in this
process. In a first part, definitions of security, privacy and data protection will be developed.
‘Developing’ seems to be more suitable for that essay’s purpose than ‘providing’ or ‘supplying’ given
that there have been significant differences in the interpretation of those terms. Authors such as
Kaser (2012), Carey and Berry (2002) who associate data protection to cloud computing, firewalls,
server and network configuration do, of course, have a valid point. Nevertheless, it security concepts
are not helpful when assessing the security managers role in the data protection process. A
paragraph will be dedicated to the role of the security manager in privacy and data protection, a
relationship which does not seems evident at first. Following this, the interests of individuals and
security managers will be outlined. To fulfil that purpose, this essay will concentrate on the
workplace environment as it is believed that in such environments security managers do have the
greatest, if not only, impact on privacy and data protection. This will be completed by a description
of current, European and UK legislation with a brief comparison to US standards and contrasted with
the application of those laws in the workplace environment. A focus will be the balance between
individuals interests in privacy and data protection compared to the interests of corporations and
security managers which will be developed thought different parts of this essay and be resumed with
practical case studies and law cases in a final paragraph.
Nixon (2005), in his work about privacy, defined the role of corporate security within the range
between the ‘protection of payroll figures and the shielding of trade secrets’ (Nixon, 2005: 1) which
suggest a much wider understanding of security as the protection of business interests beyond the
classical protection of tangible assets and people. Van Lieshout, Friedewald, Wright and Gutwirth
(2013) criticized security as a new market opportunity to monitor behaviour of citizens, a point which
is also supported by Metter (2009) who claims that companies uses surveillance to monitor
employees performance and efficiency of staff in an increasingly globalizing and competitive market.
Surveillance as a management tool did also find its ways into data protection and privacy guidelines
as the ‘Surveillance at the workplace’ guide produced by the Luxembourg data protection agency
(Lommel and Reding, 2014). The reader may recognize at this point that surveillance do no longer
belong exclusively to the resort of security manager to prevent or respond to criminal behaviour at
the workplace. Defining privacy is far more controversial than defining security. Van Lieshout et al.
3
(2013) considers privacy as the right to be let alone, secrecy, personhood, intimacy and the
ownership of personal information. Those categories will be discussed in more details below. Much
straightforward may be the attempt by Blume (2004) who identified and distinguished between
physical privacy, the individuals body, and psychological privacy, data generated by the individual.
While Blume recognizes that there is no clear line between the two, physical privacy can be seen as
the right of an individual how he or she present itself and is perceived by others. Psychological
privacy is the data generated by an individual, as communication in any form, the location of a
person which is relevant in tracking and attendance monitoring but also the occupation and action by
an individual. Data protection is a ‘framework to decide who should have legitimately the capability
to access and process the data’ which falls under the physical and psychological privacy of an
individual (Bambauer, 2013: 669).
It has been stated above that data protection seems to be more associated with Information
technology (IT) than with loss prevention. According to Bambauer (2013), security is the technology
which allow or deny access to data such as credentials, passwords, usernames and personal
identification numbers but also the software such as firewalls and antimalware. It becomes obvious,
that security managers, except those specialized in Information security, do have no influence
whatsoever when it comes to Information technology and information security. Reviewing Security
manager’s job openings confirm a strict separation between information security and security with
significant differences regarding competences and skills (reed.co.uk, 2015). When following this
reasoning, questioning about the security managers interests in data protection seems, at first, make
little sense. The situation becomes clearer when considering data out of the IT context. There are
particularly two situations which are of interests. The first case can be inferred from Van Lieshout et
al. (2013) who claim that data is collected by security services for crime prevention purposes.
Security Managers do, naturally, have an interest in preventing criminal behaviour in their respective
work environment. Bird (2013) described accurately that ‘both the private sector and public agencies
have a number of reasons to be interested in the thoughts, plans and actions of citizens and
consumers’ (Bird, 2013: 670) and which obviously include employees. The data generated, collected
and processed for crime prevention concern individuals’ behaviour and actions. Security Managers
may attempt to exploit available data for the purpose of security while information security seeks to
protect this same data against unlawful access and exploitation. Cavoukian and Deloitte & Touche
(2003) claims that it is this conflict of interest which requires corporations to have separate functions
to present security and privacy perspectives equally and independently to senior management.
Security managers may not be appropriate or credible to defend privacy rights of employees as they
4
may be a threat to those rights themselves, a situation which Cavoukian and Deloitte & Touche
(2003) called the ‘security-privacy paradox’.
The second case, where security managers may have an impact in data protection is as enforcer of
moral obligations and protector of the liberty of customers and employees (Moore, 1987). Through
risk assessments, security managers should be aware of what kind of data is collected and processed
within the company. Security managers risk assessments should be extensive enough to include the
purpose for the processing and storage and how to conform the activity to regulations. Heim (2014)
argued that there is little clarity how data protection legislation should be applied to every
organization and Nixon (2005) claimed that 75% of large companies monitor their employees.
However, most corporations have no idea what is permitted or not. Many corporations considers
data protection as a ‘lose-lose issue’ (Cavoukian and Deloitte & Touche, 2003) with no obvious
benefits and a low priority for senior management. A security manager, in the absence of a legal
department, may be the most suitable function to advise executive management about potential
breaches of privacy and data protection legislation. Unfortunately, this most appropriate position
may also become very uncomfortable if the disclosure or processing of data is conducted deliberately
in breach of regulations to safeguard the businesses advantage in a competitive and globalized
market. This essay will not develop this point further as the purpose to demonstrate the security
manager’s role as a moral instance have been made clear. A more detailed overview about data
protection and privacy will be provided further below. However at this point, it should be important
to provide a description about the interests of individuals, those at the workplace in the case of this
essay, and the interests of the security manager and the company in more detail.
‘I have nothing to hide’ is a response which is often used by individuals when asked about the idea of
being watched at the workplace (Nixon, 2005: 1). Cavoukian and Deloitte & Touche (2003)
developed this argument further claiming that privacy is most of the time and for most individuals a
dormant issue which changes ‘depending on the context, nature and perceived threat’ (Cavoukian
and Deloitte & Touche, 2003: 12). This study includes an interesting example to demonstrate this: A
$5.00 discount offered in a restaurant in exchange of the clients’ postal code would probably not be
problematic for most individuals. The situation is different when offering that $5.00 in exchange of
the children’s name of the client and the address of their day-care centre. It becomes obvious that it
would not be feasible to provide a list of what personal data should fall under privacy protection. At
this stage, the privacy definition may be developed further. Interests of individuals can be
summarised into six concepts which are overlapping and active depending on the circumstances. The
right to be let alone is about an individual immunity against interference by others and the privilege
to plan its own affairs (Solove, 2002: 1101). Limited access to the self is about an individual’s desire
5
for concealment and for being apart from others (Solove, 2002). Secrecy is the permission for an
individual to ‘conceal discreditable facts about himself’ (Posner 1998 as cited in Solove, 2002: 1106)
and the concept of ‘control over personal information’ is self-explaining. It is obvious that it is an
individual’s interest to determine what personal information is collected and processed and for what
purpose. Personhood, the fifth interest of privacy, is the integrity of the personality, to be seen
differently than a simple object (Solove, 2002: 1116). Finally, individuals do have needs for intimacy.
Following Solove (2002), privacy goes beyond an individual’s self to include his/her personal
relationship with others. The ‘nothing to hide’ argument is generally thought about an individual’s
actions and very few would recognize spontaneously its implications on personality, individuality and
social life. From the descriptions above, the reader may have noticed that most points are ideal
concepts which do not applicate in this form in the real word. Interactions and the society as a hold
do always interfere with one or more of the concepts with the result that a personality and
personhood is influences by other opinions, argumentations or expectations. Workers under
surveillance adopt their behaviour (Ball, 2010).
The security manager, as a person, does have the same privacy needs as any other individual.
However, because of his or her position, the security manager does also have a delegated and
contractual duty to protect the company’s interests: to maintain a peaceful work environment and to
prevent losses through criminal activity, damages or injuries, losses through the no-respect of
procedures or unacceptable behaviour. To protect the assets of the company, a security manager do
have a natural interest in monitoring employees and other individuals on the workplace. Media
articles, reports and law cases suggest that corporations consider competitiveness and employee
performance, behaviour and personal characteristics as assets which require ‘monitoring, recording
and tracking’ (Ball, 2010: 87). Ball further referred to this routinely and extensive interest as the
‘going hand in hand’ of surveillance and organizations. There has been no evidence found to what
extend security managers are involved in monitoring of employee performance. The surveillance of
employees and customers within the Lidl discounter in Germany, which have been made public by
the media in 2008, are an example of the use of security technology by management for no-security
purposes. Investigation reports suggests that regional managers of the Lidl Discounter implemented ,
on their own initiative, an extensive surveillance program using private detectives and video
surveillance to monitor employees and to detect mismanagement by branch managers or employee
complicity in inventory losses (Data protection office for the private sector, 2008). Reports compiled
by the hired private detectives included details about the personal relationships between employees,
competences and the level of authority of branch managers as well as details of employees which are
unrelated to the work environment (Data protection office for the private sector, 2008). Having
6
outlined that interests of individuals are wide-ranging and contrasting with those expressed by
security managers and the company, the next paragraph will be dedicated to provide an overview
about the legislation.
In the European Union (EU), privacy and data protection are fundamental rights (European Union,
2012). The EU charter recognizes that everyone has the right that his or her private and family life,
home and communications are respected (European Union, 2012: Article 7). The charter also outline
that data must be processed fairly. It is widely recognized that in the European Union, individuals
exercise a right of control on what happens to their personal information (Cavoukian and Deloitte &
Touche, 2003). Herold (1995) summarized the basic tenants of the European data protection
directive 1995, which laid the foundation for the current European data protection regulation and
which bind EU member states. Individuals have the right to know that personal data is collected and
processed. Individuals do also have a right to refuse their data to be collected and processed. The
third tenant consists of the right to know how collected data is used and for what purpose.
Additionally, the directive imposes safeguards which must be implemented to protect the personal
data against misuse, loss or theft. An individual do also have a right to review and update incorrect
personal data and have a guaranteed access to enforce those rights trough legal procedures (Herold,
1995). The UK data protection act 1998 is based on this directive (Bange, Hann, Jeffery and
Annereau, 2012).
The right of ownership and control about data contrast with practices in the USA. Cavoukian and
Deloitte & Touche (2003) argued that the prevailing concept in the US is that personal data becomes
the property of the data controller once a data subject had released or disclosed the data. As the
new owners, US companies claim to be entitled to use the data as they wish. To bypass this contrast
and allow free movement of data between the EU and the USA, the safe harbour program have been
set up which consists of safeguards and principles of data protection on which US companies need to
adhere to in order to receive personal data from the EU. An interesting case which demonstrates the
flexibility of US regulations is that of Acxiom Corporation. Acxiom is a consumer research company
which process data from different sources to create new data sets. Acxiom had a high standard
privacy policy outlining that data is only processed and disclosed with the consent of data subjects,
condition imposed by the safe harbour program to which Acxiom adhered in May 2001 (U.S.
Commercial Service, 2015). However, in 2002, it became public that Acxiom had sold large sets of
personal data to a third party. Taking into consideration the legal ownership on the data, Acxiom had
been sanctioned on the base of unfair and deceptive business practices. Unfair as the disclosure of
the data caused small harm to large number of people and deceptive as the companies privacy
policies were misleading (Rotenberg, Sobel, Hoofnagle and Hofmann, 2003).
7
Can a candidate refuse providing personal data as contact details, police records, information about
driving license and car ownership or about his or her general fitness to a potential employer as it
would be an individual’s right according to the EU data protection directive? This paragraph will
outline how data protection legislation attempt to balance the interests of the company and the
privacy interests of employees. The following paragraph will be dedicated to the interests of the
security managers. The reader should by now be aware of the different interests of corporations and
security managers.
The UK Data Protection Act is, as the European policy on which it is based on, more concerned with
the protection of personal data, than with the protection of an individual’s privacy (Van Lieshout et
al., 2013). The secure handling, the protection against unauthorized access and the restrictions of use
of personal data seems to be only a very small part of an individual’s privacy. Many scholars suggest
that this shortcoming is intentionally. Ball (2010) argued that by restricting the privacy, in the form of
surveillance and ‘monitoring’, businesses assure development and performance. A contract of
employment is simply an agreement with employees to perform certain tasks for the benefits of an
employer in exchange of remuneration. Monitoring, in the first place, attempt to review if the terms
and conditions of the contract are fulfilled and that staff do not spend the work time browsing
through the internet. Ball (2010) recognized further that employees expect to be evaluated, ‘to have
their performance reviewed, objectives set’ and to be supervised while at work, a ‘taken-for-granted
element of working life’ (Ball, 2010: 89). Legislation which would restrict monitoring and supervision
would clearly stay in conflict with workplace culture and contractual obligations. It would be hard to
imagine how a company would remunerate an external service provider if it is not allowed to review
and evaluate the service provided. However, there are risks which cannot be neglected that
surveillance and monitoring at the workplace may go beyond what is considered reasonable or
necessary (Ball, 2010). ‘The Husband of employee X does have a police record. Employee X appears
very tired at work but no criminal behaviour could be confirmed’ (Data protection office for the
private sector, 2008: 11). This statement was part of a surveillance report by a private investigator in
a Lidl Discounter branch in Germany 2008. In the UK, it would not be clear if a similar issue would
have success if prosecuted under the data protection act. A claim trough the human rights act may
have more success to protect individuals privacy (Human Rights Act, 1998; Bange et al., 2012).
A more rigorous implementation of the European Data Protection directive was attempted by
Luxembourg. Lommel and Reding (2014), on behalf of the data protection agency, deplored that the
European directive is too narrow and does not contain previsions about surveillance and monitoring.
Based on this default, the legislation in Luxembourg has been extended and is claimed to be part of
the most restrictive and protective among European member states (Lommel and Reding, 2014: 10).
8
The data protection act Luxembourg include previsions for the use of covered and open CCTV
surveillance in the workplace, the conditions in which monitoring of IT equipment as the internet,
private and corporate emails, the recording of phone conversations, use of biometric systems, GPS
tracking of company vehicles and employees as well as access control and time keeping conditions
(Lommel and Reding, 2014). The law recognizes that monitoring and surveillance cannot be
eliminated from the workplace; it recognizes the right to associate trade unions and staff
representatives before implementing extensive surveillance measures. Workplace surveillance
requires a government license which is accorded depending on the specific purpose and objective a
company outline and the form and scope of the surveillance. Strict rules do apply when it comes to
covered CCTV monitoring, audio recording of employees or the CCTV surveillance of permanently
occupied workplaces. It can be claimed that the data protection legislation in Luxembourg do balance
the interests of individual employees against the companies interest adequately and security
managers are provided with detailed guidelines to be able to conduct surveillance in the frame set by
the national data protection legislation.
Regarding the protection of private data, regulations between European member states are far more
consistent. This may be caused by the fact that private data is less abstract than privacy and can be
better described and evaluated. Many data protection agencies provide listings on what data
employers are authorized to collect and to process (e.g. Government Digital Service 2014). This
simplification based on standard lists does have shortcomings and impacts which can be citizen.
Public data protection records, selected randomly from the Information Commissioners Office
(2015f) demonstrate a high level of uniformity. In many cases, the obvious difference between
records is the name and address of the companies which supplied the notification. It can be
concluded that the records are generated through a tick boxing process instead of a true assessment
on the companies’ particularities and needs (Information Commissioners Office, 2015a; Information
Commissioners Office, 2015b; Information Commissioners Office, 2015c; Information Commissioners
Office, 2015e). Public records in Luxembourg on the other hand include qualitative data which could
not be obtained through tick boxes. It can be assumed that an alarm monitoring centre such as
CUSTODIAN MONITORING (Information Commissioners Office, 2015d), a randomly selected
company, do routinely record incoming and outgoing phone calls as part of their service provision. If
such is the case this data would fall data protection because it is ‘data which relate to a living
individual who can be identified from those data’ (Data Protection Act, 1998, Article 1). It can be
stated that data protection in the UK is a formality which do not reflect the true extend of data
collection and processing in corporations. Another point which would challenge the efficiency of data
protection legislation is the use of biometric systems. Are faces, eyes, hands and fingerprints data
9
which falls under the data protection act and need to be protected and notified? According to article
one of the act, they are, but there is little guidance from the act how to apply protection to this data
which is publicly displayed, as a face which is exposed to facial recognition technology. Already
mentioned above was the case of the US Corporation Acxiom. The company had been accused to sell
personal data, compiled in large data bases to third parties. On the same time, Acxiom assures data
subject’s through its policies that no such data is sold without the consent of the individuals
concerned, a misleading claim which were seen as a breach of fair trade concepts (Rotenberg et al.,
2003). Mysteriously, Acxiom is part of the safe harbour program and guarantees the highest data
protection standard according to EU regulations. A reasonable conclusion would be that, in the
workplace environment, there is little consideration for data protection principles when it comes to
business advantages and profitability. Safe harbour as a tool to reinforce international trade,
contrary to its original purpose to guarantee the protection of data. The situation in the UK seems to
be similar half-hearted. As a leader in collecting and processing private data through public and
private CCTV, the legislator have not been able to implement adequate safeguards in the data
protection act (Barrett, 2013).
Throughout this essay, it was attempted to evaluate the balance of interests between individuals and
security managers, when it comes to privacy and data protection. Important consideration has also
been given to the interests of corporations which differ with that of security managers. It was
conclusively demonstrated that individuals’ data and privacy are increasingly affected by their
employers for no-security purposes which are out of the influence of security managers. Evidence
had been given which outline the association between data protection and privacy. However, UK
Data protection focuses exclusively on data protection. A comparison was drawn with other
countries data protection legislation and it was outlined, in the case of Luxembourg, that privacy and
the protection of data can be combined in the interests of individuals, a situation which seems to
have been neglected in the UK. This essay was voluntarily restricted to the workplace environment at
this seems to be the only area where security managers do have an impact on policing and
application of legislation. In the final part, this essay demonstrated that data protection legislation in
UK is inadequate to protect workers interest which seems to be better served by other regulations
such as the human rights act or the fair trade concept in the US. It have also been noticed that the
data protection notifications which pretend to protect individual interests, are superficial and
standardized and do not take the complexity and variety of privacy into account. To conclude, it can
be claimed that the current data protection act fail to balance the interests of individuals with the
interest of security managers and corporations.
10
References
Ahlers, M. M. (2013) 'TSA removing 'virtual strip search' body scanners', 19th January 2013: n.p., http://edition.cnn.com/2013/01/18/travel/tsa-body-scanners/, (accessed 15th June 2015).
Ball, K. (2010) 'Workplace surveillance: an overview' Labor History 51(1): 87-106.
Bambauer, D. E. (2013) 'Privacy versus Security' Journal of Criminal Law and Criminology 103(3): 667-
683.
Bange, V., Hann, G., Jeffery, C. and Annereau, S. (2012) An overview of UK data protection law [e-
book], London: TaylorWessing LLP. Available at: https://www.taylorwessing.com/uploads/tx_siruplawyermanagement/NB_000168_Overview_UK_data_protection_law_WEB.pdf (accessed 19th June 2015).
Barrett, D. (2013) 'One surveillance camera for every 11 people in Britain, says CCTV survey', 21st
June 2015: n.p., http://www.telegraph.co.uk/technology/10172298/One-surveillance-camera-for-every-11-people-in-Britain-says-CCTV-survey.html, (accessed 21st June 2015).
Bird, S. J. (2013) 'Security and Privacy: Why Privacy Matters' Science and Engineering Ethics 19(3):
669-671.
Blume, P. (2004) 'Data protection in the private sector' Scandinavian Studies in Law 47(1): 297-318.
Carey, P. and Berry, D. (2002) 'DATA PROTECTION — SECURITY: DATA SECURITY — THE KEY TO
PRIVACY' Computer Law & Security Review 18(2): 112-113.
Cavoukian, A. and Deloitte & Touche (2003) The Security-privacy Paradox: Issues, Misconceptions and
Strategies, Ontario, Canada: Information and Privacy Commissioner/Ontario.
Data Protection Act 1998 (c29), London: HMSO.
Data protection office for the private sector (2008) Pressemitteilung [Press Statement] [e-book],
Stuttgart, Germany: Home Office of the free state Baden-Würtemberg. Available at: https://www.datenschutzzentrum.de/presse/20080911-bw-lidl-bussgeldverfahren.pdf (accessed 8th June 2015).
European Union (2012) 'Charter of fundamental rights of the European Union' Official Journal of the
European Union 55(1): 391-407.
Government Digital Service (2014) Personal data an employer can keep about an employee,
https://www.gov.uk/personal-data-my-employer-can-keep-about-me (accessed 20th June 2015).
11
Heim, P. (2014) 'The quest for clarity on data protection and security' Network Security 2014(2): 8-10.
Herold, R. (1995) European Union Data Protection Directive of 1995 [e-book], Computer Security
Institute. Available at: https://www.informationshield.com/papers/EU%20Data%20Protection%20Directive%20FAQ.pdf (accessed 18th June 2015).
Human Rights Act 1998 (c42), London: HMSO.
Information Commissioners Office (2015a) Data Protection Register - Entry Details - G4S SECURE
SOLUTIONS (UK) LIMITED, https://ico.org.uk/ESDWebPages/DoSearch?reg=257471 (accessed 21st June 2015).
Information Commissioners Office (2015b) Data Protection Register - Entry Details - MITIE SECURITY
LIMITED, https://ico.org.uk/ESDWebPages/DoSearch?reg=49195 (accessed 21st June 2015).
Information Commissioners Office (2015c) Data Protection Register - Entry Details - SECURITAS
SECURITY SERVICES LTD, https://ico.org.uk/ESDWebPages/DoSearch?reg=259633 (accessed 21st June 2015).
Information Commissioners Office (2015d) Data Protection Register - Entry Details - SECURITY
MONITORING CENTRES LIMITED, https://ico.org.uk/ESDWebPages/DoSearch?reg=441630 (accessed 21st June 2015).
Information Commissioners Office (2015e) Data Protection Register - Entry Details - ULTIMATE
SECURITY SERVICES LTD, https://ico.org.uk/ESDWebPages/DoSearch?reg=270373 (accessed 21st June 2015).
Information Commissioners Office (2015f) Register of Data Controllers, https://ico.org.uk/ (accessed
21st June 2015).
Kaser, D. (2012) 'Where Privacy Meets Security' Information Today 29(8): 3-3.
Lommel, G. and Reding, J.-C. (2014) La surveillance sur le lieu de travail [Surveillance at the
workplace], Dialogue Thématique, Luxembourg: Commission nationale pour la protection des données.
Metter, T. (2009) Möglichkeiten der Überwachung von Arbeitnehmern [Possibilities of surveillance of
employees], München: GRIN Verlag.
Moore, R. H. (1987) 'Civil liability of private security: Enforcer of moral obligations to right legal
wrongs' American Journal of Criminal Justice 11(2): 133-150.
12
Nixon, M. (2005) 'Workplace Security confronted by rules on privacy', 22nd February 2005: n.p.,
http://web.a.ebscohost.com.ezproxy3.lib.le.ac.uk/ehost/viewarticle?data=dGJyMPPp44rp2%2fdV0%2bnjisfk5Ie46bZLr6e1UK6k63nn5Kx95uXxjL6srUmzpbBIr6ueT7ipt1Kzr55Zy5zyit%2fk8Xnh6ueH7N%2fiVbOrtEi1p65OsZzqeezdu33snOJ6u9j1gKTq33%2b7t8w%2b3%2bS7ZLOqr0mwrbBR0bnAaqTc7Yrr1%2fJV5urrhMTr6oTS2%2faM&hid=4206, (accessed 10th June 2015).
reed.co.uk (2015) Security Manager jobs, http://www.reed.co.uk/jobs/security-manager (accessed
17th June 2015).
Rotenberg, M., Sobel, D. L., Hoofnagle, C. J. and Hofmann, M. (2003) Complaint and Request for
Injunction, Investigation and for Other Relief, In the Matter of JetBlue Airways Corporation and Acxiom Corporation, https://epic.org/privacy/airtravel/jetblue/ftccomplaint.html (accessed 19th June 2015).
Solove, D. J. (2002) 'Conceptualizing Privacy' California Law Review 90(4): 1087-1155.
U.S. Commercial Service (2015) Acxiom Corporation - Public Record Safe Harbor [e-book],
Washington: U.S. Commercial Service. Available at: https://safeharbor.export.gov/companyinfo.aspx?id=28247 (accessed 19th June 2015).
Van Lieshout, M., Friedewald, M., Wright, D. and Gutwirth, S. (2013) 'Reconciling privacy and
security' Innovation: The European Journal of Social Sciences 26(1/2): 119-132.
Recommended