1

Department of Criminology

Distance Learning Programmes

_____________________________________

Assignment Cover Sheet for submission of examined formal assessments _____________________________________

Course Name and

Qualification

Name of Student Student Number Intake

Month and Year

MSc Security and Risk

Management

David KLIMAS 139 046 783 March 2014

Submission Date Module/Assignment Number (e.g.: FA1)

Word Count

Page Numbers

Inserted (state YES)

23rd June 2015 Module 5 / FA5 3.996

YES

Essay Title

Does current data protection legislation achieve a satisfactory balance between the interests of the security

manager and the individual?

2

Data protection and security seems to be two incompatible concepts. The implementation of full

body scanners in the years following the 9/11 terrorist attacks seem to be an example of that:

Hundreds of full body scanners had to be removed from airports because of unresolved privacy

issues (Ahlers, 2013). In this particular case, the prevailing question about balancing security and

privacy had been answered, temporarily, in favour of the last. This essay will evaluate in more details

the challenges to find and maintain this balance and what role the UK Data protection act play in this

process. In a first part, definitions of security, privacy and data protection will be developed.

‘Developing’ seems to be more suitable for that essay’s purpose than ‘providing’ or ‘supplying’ given

that there have been significant differences in the interpretation of those terms. Authors such as

Kaser (2012), Carey and Berry (2002) who associate data protection to cloud computing, firewalls,

server and network configuration do, of course, have a valid point. Nevertheless, it security concepts

are not helpful when assessing the security managers role in the data protection process. A

paragraph will be dedicated to the role of the security manager in privacy and data protection, a

relationship which does not seems evident at first. Following this, the interests of individuals and

security managers will be outlined. To fulfil that purpose, this essay will concentrate on the

workplace environment as it is believed that in such environments security managers do have the

greatest, if not only, impact on privacy and data protection. This will be completed by a description

of current, European and UK legislation with a brief comparison to US standards and contrasted with

the application of those laws in the workplace environment. A focus will be the balance between

individuals interests in privacy and data protection compared to the interests of corporations and

security managers which will be developed thought different parts of this essay and be resumed with

practical case studies and law cases in a final paragraph.

Nixon (2005), in his work about privacy, defined the role of corporate security within the range

between the ‘protection of payroll figures and the shielding of trade secrets’ (Nixon, 2005: 1) which

suggest a much wider understanding of security as the protection of business interests beyond the

classical protection of tangible assets and people. Van Lieshout, Friedewald, Wright and Gutwirth

(2013) criticized security as a new market opportunity to monitor behaviour of citizens, a point which

is also supported by Metter (2009) who claims that companies uses surveillance to monitor

employees performance and efficiency of staff in an increasingly globalizing and competitive market.

Surveillance as a management tool did also find its ways into data protection and privacy guidelines

as the ‘Surveillance at the workplace’ guide produced by the Luxembourg data protection agency

(Lommel and Reding, 2014). The reader may recognize at this point that surveillance do no longer

belong exclusively to the resort of security manager to prevent or respond to criminal behaviour at

the workplace. Defining privacy is far more controversial than defining security. Van Lieshout et al.

3

(2013) considers privacy as the right to be let alone, secrecy, personhood, intimacy and the

ownership of personal information. Those categories will be discussed in more details below. Much

straightforward may be the attempt by Blume (2004) who identified and distinguished between

physical privacy, the individuals body, and psychological privacy, data generated by the individual.

While Blume recognizes that there is no clear line between the two, physical privacy can be seen as

the right of an individual how he or she present itself and is perceived by others. Psychological

privacy is the data generated by an individual, as communication in any form, the location of a

person which is relevant in tracking and attendance monitoring but also the occupation and action by

an individual. Data protection is a ‘framework to decide who should have legitimately the capability

to access and process the data’ which falls under the physical and psychological privacy of an

individual (Bambauer, 2013: 669).

It has been stated above that data protection seems to be more associated with Information

technology (IT) than with loss prevention. According to Bambauer (2013), security is the technology

which allow or deny access to data such as credentials, passwords, usernames and personal

identification numbers but also the software such as firewalls and antimalware. It becomes obvious,

that security managers, except those specialized in Information security, do have no influence

whatsoever when it comes to Information technology and information security. Reviewing Security

manager’s job openings confirm a strict separation between information security and security with

significant differences regarding competences and skills (reed.co.uk, 2015). When following this

reasoning, questioning about the security managers interests in data protection seems, at first, make

little sense. The situation becomes clearer when considering data out of the IT context. There are

particularly two situations which are of interests. The first case can be inferred from Van Lieshout et

al. (2013) who claim that data is collected by security services for crime prevention purposes.

Security Managers do, naturally, have an interest in preventing criminal behaviour in their respective

work environment. Bird (2013) described accurately that ‘both the private sector and public agencies

have a number of reasons to be interested in the thoughts, plans and actions of citizens and

consumers’ (Bird, 2013: 670) and which obviously include employees. The data generated, collected

and processed for crime prevention concern individuals’ behaviour and actions. Security Managers

may attempt to exploit available data for the purpose of security while information security seeks to

protect this same data against unlawful access and exploitation. Cavoukian and Deloitte & Touche

(2003) claims that it is this conflict of interest which requires corporations to have separate functions

to present security and privacy perspectives equally and independently to senior management.

Security managers may not be appropriate or credible to defend privacy rights of employees as they

4

may be a threat to those rights themselves, a situation which Cavoukian and Deloitte & Touche

(2003) called the ‘security-privacy paradox’.

The second case, where security managers may have an impact in data protection is as enforcer of

moral obligations and protector of the liberty of customers and employees (Moore, 1987). Through

risk assessments, security managers should be aware of what kind of data is collected and processed

within the company. Security managers risk assessments should be extensive enough to include the

purpose for the processing and storage and how to conform the activity to regulations. Heim (2014)

argued that there is little clarity how data protection legislation should be applied to every

organization and Nixon (2005) claimed that 75% of large companies monitor their employees.

However, most corporations have no idea what is permitted or not. Many corporations considers

data protection as a ‘lose-lose issue’ (Cavoukian and Deloitte & Touche, 2003) with no obvious

benefits and a low priority for senior management. A security manager, in the absence of a legal

department, may be the most suitable function to advise executive management about potential

breaches of privacy and data protection legislation. Unfortunately, this most appropriate position

may also become very uncomfortable if the disclosure or processing of data is conducted deliberately

in breach of regulations to safeguard the businesses advantage in a competitive and globalized

market. This essay will not develop this point further as the purpose to demonstrate the security

manager’s role as a moral instance have been made clear. A more detailed overview about data

protection and privacy will be provided further below. However at this point, it should be important

to provide a description about the interests of individuals, those at the workplace in the case of this

essay, and the interests of the security manager and the company in more detail.

‘I have nothing to hide’ is a response which is often used by individuals when asked about the idea of

being watched at the workplace (Nixon, 2005: 1). Cavoukian and Deloitte & Touche (2003)

developed this argument further claiming that privacy is most of the time and for most individuals a

dormant issue which changes ‘depending on the context, nature and perceived threat’ (Cavoukian

and Deloitte & Touche, 2003: 12). This study includes an interesting example to demonstrate this: A

$5.00 discount offered in a restaurant in exchange of the clients’ postal code would probably not be

problematic for most individuals. The situation is different when offering that $5.00 in exchange of

the children’s name of the client and the address of their day-care centre. It becomes obvious that it

would not be feasible to provide a list of what personal data should fall under privacy protection. At

this stage, the privacy definition may be developed further. Interests of individuals can be

summarised into six concepts which are overlapping and active depending on the circumstances. The

right to be let alone is about an individual immunity against interference by others and the privilege

to plan its own affairs (Solove, 2002: 1101). Limited access to the self is about an individual’s desire

5

for concealment and for being apart from others (Solove, 2002). Secrecy is the permission for an

individual to ‘conceal discreditable facts about himself’ (Posner 1998 as cited in Solove, 2002: 1106)

and the concept of ‘control over personal information’ is self-explaining. It is obvious that it is an

individual’s interest to determine what personal information is collected and processed and for what

purpose. Personhood, the fifth interest of privacy, is the integrity of the personality, to be seen

differently than a simple object (Solove, 2002: 1116). Finally, individuals do have needs for intimacy.

Following Solove (2002), privacy goes beyond an individual’s self to include his/her personal

relationship with others. The ‘nothing to hide’ argument is generally thought about an individual’s

actions and very few would recognize spontaneously its implications on personality, individuality and

social life. From the descriptions above, the reader may have noticed that most points are ideal

concepts which do not applicate in this form in the real word. Interactions and the society as a hold

do always interfere with one or more of the concepts with the result that a personality and

personhood is influences by other opinions, argumentations or expectations. Workers under

surveillance adopt their behaviour (Ball, 2010).

The security manager, as a person, does have the same privacy needs as any other individual.

However, because of his or her position, the security manager does also have a delegated and

contractual duty to protect the company’s interests: to maintain a peaceful work environment and to

prevent losses through criminal activity, damages or injuries, losses through the no-respect of

procedures or unacceptable behaviour. To protect the assets of the company, a security manager do

have a natural interest in monitoring employees and other individuals on the workplace. Media

articles, reports and law cases suggest that corporations consider competitiveness and employee

performance, behaviour and personal characteristics as assets which require ‘monitoring, recording

and tracking’ (Ball, 2010: 87). Ball further referred to this routinely and extensive interest as the

‘going hand in hand’ of surveillance and organizations. There has been no evidence found to what

extend security managers are involved in monitoring of employee performance. The surveillance of

employees and customers within the Lidl discounter in Germany, which have been made public by

the media in 2008, are an example of the use of security technology by management for no-security

purposes. Investigation reports suggests that regional managers of the Lidl Discounter implemented ,

on their own initiative, an extensive surveillance program using private detectives and video

surveillance to monitor employees and to detect mismanagement by branch managers or employee

complicity in inventory losses (Data protection office for the private sector, 2008). Reports compiled

by the hired private detectives included details about the personal relationships between employees,

competences and the level of authority of branch managers as well as details of employees which are

unrelated to the work environment (Data protection office for the private sector, 2008). Having

6

outlined that interests of individuals are wide-ranging and contrasting with those expressed by

security managers and the company, the next paragraph will be dedicated to provide an overview

about the legislation.

In the European Union (EU), privacy and data protection are fundamental rights (European Union,

2012). The EU charter recognizes that everyone has the right that his or her private and family life,

home and communications are respected (European Union, 2012: Article 7). The charter also outline

that data must be processed fairly. It is widely recognized that in the European Union, individuals

exercise a right of control on what happens to their personal information (Cavoukian and Deloitte &

Touche, 2003). Herold (1995) summarized the basic tenants of the European data protection

directive 1995, which laid the foundation for the current European data protection regulation and

which bind EU member states. Individuals have the right to know that personal data is collected and

processed. Individuals do also have a right to refuse their data to be collected and processed. The

third tenant consists of the right to know how collected data is used and for what purpose.

Additionally, the directive imposes safeguards which must be implemented to protect the personal

data against misuse, loss or theft. An individual do also have a right to review and update incorrect

personal data and have a guaranteed access to enforce those rights trough legal procedures (Herold,

1995). The UK data protection act 1998 is based on this directive (Bange, Hann, Jeffery and

Annereau, 2012).

The right of ownership and control about data contrast with practices in the USA. Cavoukian and

Deloitte & Touche (2003) argued that the prevailing concept in the US is that personal data becomes

the property of the data controller once a data subject had released or disclosed the data. As the

new owners, US companies claim to be entitled to use the data as they wish. To bypass this contrast

and allow free movement of data between the EU and the USA, the safe harbour program have been

set up which consists of safeguards and principles of data protection on which US companies need to

adhere to in order to receive personal data from the EU. An interesting case which demonstrates the

flexibility of US regulations is that of Acxiom Corporation. Acxiom is a consumer research company

which process data from different sources to create new data sets. Acxiom had a high standard

privacy policy outlining that data is only processed and disclosed with the consent of data subjects,

condition imposed by the safe harbour program to which Acxiom adhered in May 2001 (U.S.

Commercial Service, 2015). However, in 2002, it became public that Acxiom had sold large sets of

personal data to a third party. Taking into consideration the legal ownership on the data, Acxiom had

been sanctioned on the base of unfair and deceptive business practices. Unfair as the disclosure of

the data caused small harm to large number of people and deceptive as the companies privacy

policies were misleading (Rotenberg, Sobel, Hoofnagle and Hofmann, 2003).

7

Can a candidate refuse providing personal data as contact details, police records, information about

driving license and car ownership or about his or her general fitness to a potential employer as it

would be an individual’s right according to the EU data protection directive? This paragraph will

outline how data protection legislation attempt to balance the interests of the company and the

privacy interests of employees. The following paragraph will be dedicated to the interests of the

security managers. The reader should by now be aware of the different interests of corporations and

security managers.

The UK Data Protection Act is, as the European policy on which it is based on, more concerned with

the protection of personal data, than with the protection of an individual’s privacy (Van Lieshout et

al., 2013). The secure handling, the protection against unauthorized access and the restrictions of use

of personal data seems to be only a very small part of an individual’s privacy. Many scholars suggest

that this shortcoming is intentionally. Ball (2010) argued that by restricting the privacy, in the form of

surveillance and ‘monitoring’, businesses assure development and performance. A contract of

employment is simply an agreement with employees to perform certain tasks for the benefits of an

employer in exchange of remuneration. Monitoring, in the first place, attempt to review if the terms

and conditions of the contract are fulfilled and that staff do not spend the work time browsing

through the internet. Ball (2010) recognized further that employees expect to be evaluated, ‘to have

their performance reviewed, objectives set’ and to be supervised while at work, a ‘taken-for-granted

element of working life’ (Ball, 2010: 89). Legislation which would restrict monitoring and supervision

would clearly stay in conflict with workplace culture and contractual obligations. It would be hard to

imagine how a company would remunerate an external service provider if it is not allowed to review

and evaluate the service provided. However, there are risks which cannot be neglected that

surveillance and monitoring at the workplace may go beyond what is considered reasonable or

necessary (Ball, 2010). ‘The Husband of employee X does have a police record. Employee X appears

very tired at work but no criminal behaviour could be confirmed’ (Data protection office for the

private sector, 2008: 11). This statement was part of a surveillance report by a private investigator in

a Lidl Discounter branch in Germany 2008. In the UK, it would not be clear if a similar issue would

have success if prosecuted under the data protection act. A claim trough the human rights act may

have more success to protect individuals privacy (Human Rights Act, 1998; Bange et al., 2012).

A more rigorous implementation of the European Data Protection directive was attempted by

Luxembourg. Lommel and Reding (2014), on behalf of the data protection agency, deplored that the

European directive is too narrow and does not contain previsions about surveillance and monitoring.

Based on this default, the legislation in Luxembourg has been extended and is claimed to be part of

the most restrictive and protective among European member states (Lommel and Reding, 2014: 10).

8

The data protection act Luxembourg include previsions for the use of covered and open CCTV

surveillance in the workplace, the conditions in which monitoring of IT equipment as the internet,

private and corporate emails, the recording of phone conversations, use of biometric systems, GPS

tracking of company vehicles and employees as well as access control and time keeping conditions

(Lommel and Reding, 2014). The law recognizes that monitoring and surveillance cannot be

eliminated from the workplace; it recognizes the right to associate trade unions and staff

representatives before implementing extensive surveillance measures. Workplace surveillance

requires a government license which is accorded depending on the specific purpose and objective a

company outline and the form and scope of the surveillance. Strict rules do apply when it comes to

covered CCTV monitoring, audio recording of employees or the CCTV surveillance of permanently

occupied workplaces. It can be claimed that the data protection legislation in Luxembourg do balance

the interests of individual employees against the companies interest adequately and security

managers are provided with detailed guidelines to be able to conduct surveillance in the frame set by

the national data protection legislation.

Regarding the protection of private data, regulations between European member states are far more

consistent. This may be caused by the fact that private data is less abstract than privacy and can be

better described and evaluated. Many data protection agencies provide listings on what data

employers are authorized to collect and to process (e.g. Government Digital Service 2014). This

simplification based on standard lists does have shortcomings and impacts which can be citizen.

Public data protection records, selected randomly from the Information Commissioners Office

(2015f) demonstrate a high level of uniformity. In many cases, the obvious difference between

records is the name and address of the companies which supplied the notification. It can be

concluded that the records are generated through a tick boxing process instead of a true assessment

on the companies’ particularities and needs (Information Commissioners Office, 2015a; Information

Commissioners Office, 2015b; Information Commissioners Office, 2015c; Information Commissioners

Office, 2015e). Public records in Luxembourg on the other hand include qualitative data which could

not be obtained through tick boxes. It can be assumed that an alarm monitoring centre such as

CUSTODIAN MONITORING (Information Commissioners Office, 2015d), a randomly selected

company, do routinely record incoming and outgoing phone calls as part of their service provision. If

such is the case this data would fall data protection because it is ‘data which relate to a living

individual who can be identified from those data’ (Data Protection Act, 1998, Article 1). It can be

stated that data protection in the UK is a formality which do not reflect the true extend of data

collection and processing in corporations. Another point which would challenge the efficiency of data

protection legislation is the use of biometric systems. Are faces, eyes, hands and fingerprints data

9

which falls under the data protection act and need to be protected and notified? According to article

one of the act, they are, but there is little guidance from the act how to apply protection to this data

which is publicly displayed, as a face which is exposed to facial recognition technology. Already

mentioned above was the case of the US Corporation Acxiom. The company had been accused to sell

personal data, compiled in large data bases to third parties. On the same time, Acxiom assures data

subject’s through its policies that no such data is sold without the consent of the individuals

concerned, a misleading claim which were seen as a breach of fair trade concepts (Rotenberg et al.,

2003). Mysteriously, Acxiom is part of the safe harbour program and guarantees the highest data

protection standard according to EU regulations. A reasonable conclusion would be that, in the

workplace environment, there is little consideration for data protection principles when it comes to

business advantages and profitability. Safe harbour as a tool to reinforce international trade,

contrary to its original purpose to guarantee the protection of data. The situation in the UK seems to

be similar half-hearted. As a leader in collecting and processing private data through public and

private CCTV, the legislator have not been able to implement adequate safeguards in the data

protection act (Barrett, 2013).

Throughout this essay, it was attempted to evaluate the balance of interests between individuals and

security managers, when it comes to privacy and data protection. Important consideration has also

been given to the interests of corporations which differ with that of security managers. It was

conclusively demonstrated that individuals’ data and privacy are increasingly affected by their

employers for no-security purposes which are out of the influence of security managers. Evidence

had been given which outline the association between data protection and privacy. However, UK

Data protection focuses exclusively on data protection. A comparison was drawn with other

countries data protection legislation and it was outlined, in the case of Luxembourg, that privacy and

the protection of data can be combined in the interests of individuals, a situation which seems to

have been neglected in the UK. This essay was voluntarily restricted to the workplace environment at

this seems to be the only area where security managers do have an impact on policing and

application of legislation. In the final part, this essay demonstrated that data protection legislation in

UK is inadequate to protect workers interest which seems to be better served by other regulations

such as the human rights act or the fair trade concept in the US. It have also been noticed that the

data protection notifications which pretend to protect individual interests, are superficial and

standardized and do not take the complexity and variety of privacy into account. To conclude, it can

be claimed that the current data protection act fail to balance the interests of individuals with the

interest of security managers and corporations.

10

References

Ahlers, M. M. (2013) 'TSA removing 'virtual strip search' body scanners', 19th January 2013: n.p., http://edition.cnn.com/2013/01/18/travel/tsa-body-scanners/, (accessed 15th June 2015).

Ball, K. (2010) 'Workplace surveillance: an overview' Labor History 51(1): 87-106.

Bambauer, D. E. (2013) 'Privacy versus Security' Journal of Criminal Law and Criminology 103(3): 667-

683.

Bange, V., Hann, G., Jeffery, C. and Annereau, S. (2012) An overview of UK data protection law [e-

book], London: TaylorWessing LLP. Available at: https://www.taylorwessing.com/uploads/tx_siruplawyermanagement/NB_000168_Overview_UK_data_protection_law_WEB.pdf (accessed 19th June 2015).

Barrett, D. (2013) 'One surveillance camera for every 11 people in Britain, says CCTV survey', 21st

June 2015: n.p., http://www.telegraph.co.uk/technology/10172298/One-surveillance-camera-for-every-11-people-in-Britain-says-CCTV-survey.html, (accessed 21st June 2015).

Bird, S. J. (2013) 'Security and Privacy: Why Privacy Matters' Science and Engineering Ethics 19(3):

669-671.

Blume, P. (2004) 'Data protection in the private sector' Scandinavian Studies in Law 47(1): 297-318.

Carey, P. and Berry, D. (2002) 'DATA PROTECTION — SECURITY: DATA SECURITY — THE KEY TO

PRIVACY' Computer Law & Security Review 18(2): 112-113.

Cavoukian, A. and Deloitte & Touche (2003) The Security-privacy Paradox: Issues, Misconceptions and

Strategies, Ontario, Canada: Information and Privacy Commissioner/Ontario.

Data Protection Act 1998 (c29), London: HMSO.

Data protection office for the private sector (2008) Pressemitteilung [Press Statement] [e-book],

Stuttgart, Germany: Home Office of the free state Baden-Würtemberg. Available at: https://www.datenschutzzentrum.de/presse/20080911-bw-lidl-bussgeldverfahren.pdf (accessed 8th June 2015).

European Union (2012) 'Charter of fundamental rights of the European Union' Official Journal of the

European Union 55(1): 391-407.

Government Digital Service (2014) Personal data an employer can keep about an employee,

https://www.gov.uk/personal-data-my-employer-can-keep-about-me (accessed 20th June 2015).

11

Heim, P. (2014) 'The quest for clarity on data protection and security' Network Security 2014(2): 8-10.

Herold, R. (1995) European Union Data Protection Directive of 1995 [e-book], Computer Security

Institute. Available at: https://www.informationshield.com/papers/EU%20Data%20Protection%20Directive%20FAQ.pdf (accessed 18th June 2015).

Human Rights Act 1998 (c42), London: HMSO.

Information Commissioners Office (2015a) Data Protection Register - Entry Details - G4S SECURE

SOLUTIONS (UK) LIMITED, https://ico.org.uk/ESDWebPages/DoSearch?reg=257471 (accessed 21st June 2015).

Information Commissioners Office (2015b) Data Protection Register - Entry Details - MITIE SECURITY

LIMITED, https://ico.org.uk/ESDWebPages/DoSearch?reg=49195 (accessed 21st June 2015).

Information Commissioners Office (2015c) Data Protection Register - Entry Details - SECURITAS

SECURITY SERVICES LTD, https://ico.org.uk/ESDWebPages/DoSearch?reg=259633 (accessed 21st June 2015).

Information Commissioners Office (2015d) Data Protection Register - Entry Details - SECURITY

MONITORING CENTRES LIMITED, https://ico.org.uk/ESDWebPages/DoSearch?reg=441630 (accessed 21st June 2015).

Information Commissioners Office (2015e) Data Protection Register - Entry Details - ULTIMATE

SECURITY SERVICES LTD, https://ico.org.uk/ESDWebPages/DoSearch?reg=270373 (accessed 21st June 2015).

Information Commissioners Office (2015f) Register of Data Controllers, https://ico.org.uk/ (accessed

21st June 2015).

Kaser, D. (2012) 'Where Privacy Meets Security' Information Today 29(8): 3-3.

Lommel, G. and Reding, J.-C. (2014) La surveillance sur le lieu de travail [Surveillance at the

workplace], Dialogue Thématique, Luxembourg: Commission nationale pour la protection des données.

Metter, T. (2009) Möglichkeiten der Überwachung von Arbeitnehmern [Possibilities of surveillance of

employees], München: GRIN Verlag.

Moore, R. H. (1987) 'Civil liability of private security: Enforcer of moral obligations to right legal

wrongs' American Journal of Criminal Justice 11(2): 133-150.

12

Nixon, M. (2005) 'Workplace Security confronted by rules on privacy', 22nd February 2005: n.p.,

http://web.a.ebscohost.com.ezproxy3.lib.le.ac.uk/ehost/viewarticle?data=dGJyMPPp44rp2%2fdV0%2bnjisfk5Ie46bZLr6e1UK6k63nn5Kx95uXxjL6srUmzpbBIr6ueT7ipt1Kzr55Zy5zyit%2fk8Xnh6ueH7N%2fiVbOrtEi1p65OsZzqeezdu33snOJ6u9j1gKTq33%2b7t8w%2b3%2bS7ZLOqr0mwrbBR0bnAaqTc7Yrr1%2fJV5urrhMTr6oTS2%2faM&hid=4206, (accessed 10th June 2015).

reed.co.uk (2015) Security Manager jobs, http://www.reed.co.uk/jobs/security-manager (accessed

17th June 2015).

Rotenberg, M., Sobel, D. L., Hoofnagle, C. J. and Hofmann, M. (2003) Complaint and Request for

Injunction, Investigation and for Other Relief, In the Matter of JetBlue Airways Corporation and Acxiom Corporation, https://epic.org/privacy/airtravel/jetblue/ftccomplaint.html (accessed 19th June 2015).

Solove, D. J. (2002) 'Conceptualizing Privacy' California Law Review 90(4): 1087-1155.

U.S. Commercial Service (2015) Acxiom Corporation - Public Record Safe Harbor [e-book],

Washington: U.S. Commercial Service. Available at: https://safeharbor.export.gov/companyinfo.aspx?id=28247 (accessed 19th June 2015).

Van Lieshout, M., Friedewald, M., Wright, D. and Gutwirth, S. (2013) 'Reconciling privacy and

security' Innovation: The European Journal of Social Sciences 26(1/2): 119-132.