ISOM5230 - Analysis Ghostwriting - Assignment 1
Date: 2023-09-13
HKUST ISOM 5230 Privacy management
in the digital age
Assignment 1 © Henry Chang
Assignment on Privacy Analysis
Distribution of this assignment publicly or to third parties is not authorised
(Due by the fourth week on 20 September 2023)
The case
COVID-19 Tracker App
1. COVID 19 Omicron (Omicron) is hitting hard in many places and the mortality rate is
still high.
2. There is a mandated government policy to combat Omicron by identifying and isolating
those infected or possibly infected in order to break the chain of infection.
3. Hypothetically the health authority in a jurisdiction has decided to build an app and
mandate all its citizens to install and use it.
4. Self-reporting of whereabouts by the infected, and voluntary checking and isolation by
close contacts, have proved to be unacceptably ineffective. The app is therefore
considered necessary to address the issue, and its use is to be mandated for everyone.
5. During installation, the app shows the following privacy notice (or Personal
Information Collection Statement):
i. This app collects your location information for the purpose of identifying those
who are in close contact with the infected.
ii. Your mobile service provider will pass your name and residential addresses to
the health authority. If you are at risk, the health authority can then locate you.
iii. You must allow the collection of your locations.
6. Once the app user accepts the privacy notice, the mobile service provider will upload
the subscriber information (all the details obtained by the mobile service provider
during the initial service registration/subscription) to a central database in the public
cloud. This jurisdiction requires, by law, all mobile service users to provide verified
real name/ID and residential address during service registration.
7. Using GPS and A-GPS, the app, even when it is not running in the foreground, will
track where its holder goes, and upload the locations (including date,
time and duration) to the central database in the public cloud.
8. When anyone is diagnosed with Omicron by the health authority, the information will
be uploaded by the relevant health authority clinic to the central database in the public
cloud, and the system will disclose the names of the infected to those who have been
identified as having close contact with the infected (by SMS) and advise them to stay
at home to avoid infecting others. The health authority will then visit the homes of these
close contacts to take them to an isolation facility in order to break the chain of infection.
9. As planned and soon after the app was launched, the health authority starts to sell the
anonymised location data (the health authority anonymises the data by removing
identifiers such as names and phone number, but includes information like age group,
gender, and locations/movements persistently of the same individual over time)
continuously to its business partners specialising in providing business advisory service
(such as where to open shops) to retailers.
10. After the system has operated for one year and the health authority has realised the
additional and potential benefits, it starts to allow the entire police department to have full
access to the database (with the full one-year record) in order to help track the whereabouts
of suspected murderers.
The questions
Based on the description above, answer the following questions. You must answer each
question separately. Your answers must be based on the requirements under the Personal
Data (Privacy) Ordinance (PDPO) as if this arrangement is taking place in Hong Kong.
You should also assume that the COVID 19 pandemic is so severe that voluntary measures
(such as self-reporting/checking of visits to areas where infected went, or willingness to be
quarantined immediately upon phone calls etc.) of any kind cannot be relied upon. At the
same time, do note that this tracker app is not LeaveHomeSafe but a hypothetical app that
works in the ways described under ‘the case’ – so do not mix up the operation of this
hypothetical app with LeaveHomeSafe.
You should also answer each question in a stand-alone manner. Do not assume that a point
is addressed elsewhere so you do not need to repeat it. You should also answer the question
in a way that is self-contained. This means your target audience has no privacy training so
you need to explain the regulatory basis of your analysis. At the same time, your target
audience is a seasoned manager and does not need to have a 101 teaching on the foundation
of privacy.
1. (18%) Using the PDPO, analyse and describe the personal data involved in the
arrangement, covering the following points:
1.1. What would be considered as personal data in this arrangement (i.e. why you
would consider certain data as personal data)?
1.2. List the specific types of personal data involved in this arrangement
1.3. List the source (i.e. who is the data subject and the channel of collection) of
each type of personal data
1.4. List the purposes (including those clearly stated in the question and those that
are implied) for the collection/processing for each type of personal data
2. (55%) Using the six Data Protection Principles (DPPs) under the PDPO, identify
possible privacy concerns and explain what they are. Among all things, please note
that:
• the answer should follow the order of the six DPPs, and be divided into six
sections. The marks assigned to DPP1 to DPP6 are 23%, 10%, 6%, 6%, 4% and
6% respectively
• the answer should explain what the requirements of each DPP are, how they
apply and what their relevance to the situation is
• the answer should include suggestion(s) on how each identified concern should
be addressed/corrected
• For DPP1 analysis, you should analyse it using each of the purposes stated
under 5.i and 5.ii, and the manner stated in 5.iii under ‘the case’
• For simplicity, DPP1 analysis does not need to cover the mobile service
providers’ collection of registration information from subscribers
• For DPP2 to DPP6 analysis, you should analyse it based on all the available
information
3. (15%) Assuming that there is no issue under the PDPO for the initial collection of
all personal data for the purposes 5i and 5ii at the time of collection, does the health
authority have the right to sell the “anonymised location data” described?
Explain (i) your arguments and also (ii) what steps under the PDPO can be carried
out to consider safely selling the anonymised data described.
4. (12%) Assuming that there is no issue under the PDPO for the initial collection of
all personal data for the purposes 5i and 5ii at the time of collection, can the health
authority, under the PDPO, change the use of the database and allow unlimited
access by the entire police department? Explain (i) your arguments and also (ii)
what steps and measures under the PDPO can be taken to address any concerns
identified.
Important research to carry out and expectation on your answers
• COVID location tracker is not a new invention. Please study related worldwide
privacy debates and developments in this space.
• Please research the definition of anonymised data and what makes data anonymised.
• Please also study the types of personal data that would usually be collected by mobile
service providers in Hong Kong during service registration. The vast majority of Hong
Kong people would register for a monthly subscription.
Assessment emphasis
• Emphasis should be on the demonstration that students have grasped the essential
application of privacy dimensions and principles, and the ability to analyse the situation
practically and in context. Views, opinions and conclusions must be supported by
analysis.
Length
• The total length of the answers must not exceed 3,500 words. It is the quality and
analysis, not the number of words, that counts. Note this word limit is the upper limit,
not the expected length.
Format
• Answers must be provided in English
• Answers should be provided in the specified assignment template.
• The assignment should be prepared with 12 point fonts, 1.5 to double spacing. Tables
may be used to improve clarity.
Marking
• Marking will mainly be based on the following two areas:
1. Sufficient levels of knowledge, understanding and research
2. Analysis, problem solving and critical reflection
• The final marks will also be influenced by the following qualities:
1. Clear/logical arguments and their presentation
2. Fluency, correct grammar and spelling
3. Whether the word limit is exceeded