Lee & White

Dedicated to Excellence

  • When Friends Sell You Out for a Date

    Wednesday, August 27, 2008

    A Belgian dating website known as nicepeople.be has been sued by its competitor, toietmoi.be for requiring anyone who registers with them to give e-mail addresses of 5 friends. These people are then spammed with invitations to join nicepeople.be. It is nice to know that your friends can sell out your e-mail addresses in exchange for a bit of fun on a dating site - NOT.

    Nevertheless, applause goes to the Belgian court for convicting nicepeople.be of sending unsolicited e-mails and spamming these third parties' inboxes. Punishing them with a 10,000 EUR fine is a good start and indeed, it is high time a precedent is set for these privacy law-breaking websites and the people behind them.

    The only question is, is there any way of stopping your friends from throwing in your e-mail addresses and any other personal information to the wolves? We know that the data protection law does not cover handling of personal data in the course of household activities, but what can we truly consider as being a strictly household activity and where do we draw the line? If it were up to me, the law should apply to these friends as well.

    Posted by: Lee & White

    Tags Private Persons Personal Data Spam Organisations Internet

  • The Early Bird

    Tuesday, August 19, 2008

    We manage IT projects on a daily basis, and in every project there is the returning constant of processing personal data.

    I must say that most clients we have worked with show the goodwill to properly handle personal data, but sometimes other priorities, like financial limitations or time constraints, make it such that proper processing is seen to be a lower, if not the lowest priority.

    Sometimes we get called in to audit a company to check existing processes and applications for compliance with data processing laws. We then need to inventory what kind of data is kept and where, how it is handled, and what the procedures and communications are. Basically, it is a thorough in-depth audit that involves and affects all levels of the business.

    When we are involved from the very start, we can, even at the requirements or functional level, pinpoint where issues would arise, and through small changes in the design and implementation process, ensure that applicable laws and good practices are met.

    It is the same for all problems; if you can catch and fix it at an early stage, the cost is a factor lower than if you have to fix it at a later stage. If, of course, even at that stage you do not fix it, then the cost of being caught after go-live is enormous. This can not only have financial implications, but also cause damage to reputation and brand, as well as have criminal consequences.

    A data protection officer should be involved at every stage of a new project. He should validate business requirements, check functional analyses, approve technical designs and audit proper handling after go-live. If properly executed, the amount of time (and budget) spent on this role would be minimal, and as such only big corporations need a full FTE to perform this role. Most companies can hire external consultants to do this on a part-time or time and material basis.

    Some companies make the mistake of asking their in-house legal department or company lawyer to advise on data protection issues. Unfortunately, these individuals are not specialized to give this kind of advice and are usually fully booked to solve other company related legal issues. Also, they might be too deeply involved in the business to give impartial advice.

    Specialized legal consultants have the experience and know-how through different projects to handle these kinds of problems on a daily basis. They can also deliver impartial advice without risk of conflict of interest.

    So, in conclusion:
    1. Hire a professional to get a professional job done.
    2. Fix problems before they arise.
    3. Do not ignore laws and best practices.

      Posted by: Lee & White

      Tags Personal Data Organisations IT

    1. How your personal data is collected on a website.

      Wednesday, July 30, 2008

      When you surf on the Internet, and browse through a website, do you realise some of the methods by which your personal data are collected?

      Well, there are several ways:

      Personal data visibly collected on the website
      If you are aware that you are providing personal details on a website, then the website is visibly or explicitly processing personal data. To that extent, you can control the type of personal data you wish to divulge.

      Some ways in which personal data can be visibly collected include:

      Forms
      Most websites have more than one type of form, depending on the purpose of the form. Since forms are usually designed for a particular purpose, they are a good way of ensuring only relevant data is collected. At the same time, you can easily deduce and have a minimum form of control over the personal data you wish to provide - based on the fields you must fill in prior to submitting the form.

      Email forms, however, may be contentious. Using an email to send the form is not a good system as it gives rise to the possibility of collecting another email address which is not disclosed by the user for some reason. For example, the sample below marks Name, Surname, Street and number, Postcode and Municipality as mandatory whilst email is amongst the optional fields.

      Hence, whilst testing this form, I opted to leave out my email address. However, upon clicking SUBMIT, the message as seen below appeared and my email address would nevertheless be collected by the website despite my having declined to disclose it initially.

      Email
      Whether it is a mail-to function (an email link on the website) which enables you to contact the organization by clicking on the email link, or it is an email address given on the website for contact without the link, you will divulge your personal data such as your email address and name in the email you send. Postal address, phone and fax, phone calls made, faxes sent, or letters written to the organization, will also lead to personal data being divulged by you in the course of obtaining more information about the organization.

      To that extent, it does not differ from online forms on the website as the purpose is the same, and you should be informed that your personal data will/may be collected through these means as well.

      Personal data invisibly collected on the website
      This is where you are unaware of the collection - usually where a specific technology is used to perform the collection, unknown to you.

      Technology per se is advantageous, but it can, unfortunately, prove to be a menace as well - sometimes by design, at other times by surreptitious use.

      Cookies are a common method of invisible collection and are widely used on websites. Here, it is important that you are informed of the technology used to collect your personal data. Otherwise, being unaware, you are no longer in control of your personal data and such act is a breach of privacy.

      Hopefully, this brief information on the subject will give you a hint on what to look out for before disclosing your personal data.

      For an in-depth read on the subject, please consider the Privacy Report 2006 on the compliance of Belgian non-profit organizations' and political parties' websites with regard to the processing of personal data in accordance with the Belgian Law on Privacy Protection in relation to the Processing of Personal Data, implementing European Union Directive 95/46/EC.

      Posted by: Lee & White

      Tags Private Persons Personal Data Organisations Internet IT

    2. Basic understanding of your duty as the data controller

      Monday, June 30, 2008

      A person's privacy is a fundamental right which requires recognition and protection. Whilst it is incapable of precise definition, the concept has been linked with data protection, which interprets privacy in terms of management and handling of personal data.

      With this right, we are able to strengthen essential values such as the freedom of thought, conscience and religion and the freedom of expression.

      And alongside this right is a duty to protect it. This fundamental duty affects everyone as employers/persons processing personal data. Basically, if you determine the purposes and means of processing personal data, whether or not you are a natural person, you become the data controller and you are imposed with the duty to protect the right to privacy. Of course, failure to uphold your duty would give rise to illegal intrusions to the personal data and privacy of those whom you are supposed to protect and consequentially, you will be held responsible.

      So whose personal data are you responsible for? You are responsible for all personal data that you collect apart from those you collect in the course of exclusively personal or household activities, for the processing of personal data carried out exclusively for journalistic, artistic or literary expression purposes, or for public security.

      Hence, your responsibility encompasses the protection of personal data belonging to your employees, potential and actual customers and suppliers, visitors, consultants and job applicants.
      Of course, your duty to protect personal data does not imply a prevention of processing that personal data. To do so would paralyse businesses. It is indeed unavoidable that a data controller will process personal data.

      However, whilst you, as the data controller, can establish that processing personal data is a necessary course of business, you must not be allowed to abuse the personal data received. It's a balancing act of right and duty. The only way to resolve the conflict of interests between the company and the individual is by building trust in the individual who is about to divulge his personal data.

      And transparency in processing personal data is the source of that trust relationship. Offer this from the very instant personal data is about to be collected and this attitude of yours towards upholding a person's privacy (both online and offline) will measure your failure or success in building a relationship with your customers, gaining their trust and developing that essential viable edge in the marketplace.

      Believe it or not, you stand to gain a lot when you comply with your duty. It is a chain reaction - so get the ball rolling.

      Posted by: Lee & White

      Tags Private Persons Personal Data Organisations Human Rights

    3. Spam Not

      Tuesday, May 20, 2008

      About 75% of mail in Belgium is spam, usually associated with shady products or dodgy deals. But spam is just another word for unsolicited publicity mail - an email which you didn't ask for and which is completely useless to you or your business.

      If you are sending out emails, be it just one email or in bulk, then consider very carefully if your email is going to be useful to the recipient. The best - and only legal - way is to actually have that recipient ask for the email in the first place - the opt-in. At any time the recipient must be able to revoke his request, and stop receiving further emails - the opt-out.

      The law governing this is quite clear; the repercussions of not complying with that law aren't. In Belgium, BIPT - The Belgian Institute of Postal Services and Telecommunications - is concentrating on forcing ISPs - Internet Service Providers - to filter out unsolicited mail. BIPT confirms that they are unable to punish non-compliant ISPs. In any case, it is a useless exercise, as it only protects those companies or individuals who use the ISP's own email service. Those who use external email providers such as Gmail, Live or have their own email server are not benefiting from this.

      Companies which send out unsolicited mail are neither targeted nor punished. In practice, the best that Belgium can do is to reprimand non-complying companies.

      In the Netherlands, in a landmark case, Opta, the Dutch Independent Post and Telecoms Authority, reprimanded two companies and imposed a fine totalling 510,000 euro for sending out unsolicited mail. This seems to be the highest fine ever imposed by Opta for spamming.

      Belgium can certainly learn a lesson from its fellow EU member state.

      Posted by: Lee & White

      Tags Personal Data Government Organisations Internet

    4. What's the big deal anyway?

      Thursday, May 1, 2008

      "What's the big deal anyway?" A remark we hear very often when discussing personal data issues. "Nothing to be concerned about, who would be interested in my personal data, and what can they do with it anyway?"

      Everyone agrees that a credit card number or bank account number is not something you should share (even Jeremy Clarkson eventually). But what can people do with my name and address, social security number or date of birth?

      Personal data can be used for identity theft - impersonating someone by using as much as you know about that person to get financial or other benefit in that person's name. For example you could go to a bank and request - and receive - a new credit card in the name of the person you are impersonating, with the bills of course being sent to the original person.

      How do criminals get their hands on your data? Everybody knows about skimming - a technique where a debit or credit card gets copied by attaching a small device onto an ATM machine. Another well known technique is to steal files from people's computers, by hacking them or by installing viruses or Trojan horses. And of course there is social hacking, asking seemingly harmless questions to a person online or in person, and using that information to build a complete profile.

      And criminals move with the times. A BBC team exposed, in a proof of concept, how easy it is to socially hack Facebook and harvest information on other users, including names, passwords and other information.

      How do criminals use this data? It seems that data thieves set up data supermarkets to sell stolen personal data to whomever might be interested. Yes, you can get a working credit card number for a few euro, or even buy complete corporate log files (containing names and passwords, server locations, numbers and confidential information) for as little as 200 euro. When closed down, they just reopen on another location.

      Stuff to think about. Perhaps you will consider this the next time before revealing some of your personal data to anyone.

      Posted by: Lee & White

      Tags Data Breach Private Persons Personal Data Organisations Internet IT

    5. How much is your personal data worth?

      Friday, April 18, 2008

      How much or should I say, what would it take for you to give out your personal data? A trip to Paris? A brand new car? Or perhaps, a bar of chocolate would do? Apparently, based on a survey conducted by Infosecurity Europe on 576 office workers outside Liverpool Street Station in London, a free bar of chocolate is good enough for 45% of women and 10% of men to give out their passwords. Only 21% surveyed were unwilling to give their password of which 60% later provided personal data such as date of birth. 60% of men and 62% of women happily provided their names and telephone numbers to enter a draw to go to Paris.

      People are not aware of the extensive possibilities in which their personal data can be utilised. A mere name and telephone number is substantial information for a social engineer to gain further information about you which could then lead to your life being turned upside down. Call me dramatic or far fetched - remember Kevin Mitnick?

      In a bid to prove just how easily people do give out their personal data, the Belgian consumer organisation, OIVO, set up a website called CelBel which asks youths between 13 and 21 years of age to register with them in exchange for a free mobile phone subscription until they reach the age of 21. Sounds too good to be true? Once users have entered their information and clicked on the submit button, they are taken to a page which informs them that the site is fake and then takes them to a website which explains the abuses of personal data.

      Well, good thing OIVO is legit, but do you see how easily the art of deception and manipulation can be practised on the Internet to get you to give out your personal data? And better still, do you see how easy it is for you to fall into that trap?

      Posted by: Lee & White

      Tags Private Persons Personal Data

    6. The fine print

      Saturday, March 1, 2008

      Finally something is happening in the Belgian Data Protection World.

      OIVO, the research and information centre of the consumer organisations in Belgium, has filed a complaint against the Belgacom group to the Privacy Commission and the Federal Ministry of Economics.

      OIVO states that the privacy notification clause on the invoices sent out by Belgacom is a violation of the Data Protection law. This notification states that 'customer data is stored in databases of the Belgacom group (Belgacom nv, Belgacom Mobile, Telindus, Skynet) and can be used by any member of that group for customer management and to send commercial information'. It also states that if a customer does not want to receive such commercial information, it should contact customer service.

      This violates the data protection law on several points:
      1. Belgacom has not given the customer the option to opt-in to commercial information.
      2. Belgacom does not mention how to contact customer service (address, email, phone number) and that this would be free of charge.
      3. Belgacom does not inform exactly what will be done with the personal data.

      Belgacom is surprised at the complaint from OIVO and state that they comply with the law by providing the opt-out option. A letter was sent to every Belgacom customer to launch the new free 0800 customer service number, which was sufficient information as already 13.592 people have called and noted that they do not want to receive personal data. They also note that OIVO's approach is not elegant and that they should have contacted Belgacom directly first.

      Of course OIVO's point of view is correct, and I am not surprised by Belgacom's reaction, as it is one of the most heard excuses used by companies and organisations. Even though Belgacom is making an effort to implement the data protection law, it needs to go the extra mile and do it exactly right.

      Posted by: Lee & White

      Tags Personal Data Organisations IT

    7. Our Printers Are Spying On Us!

      Wednesday, February 20, 2008

      If you worry about your DNA and personal information being used to invade your privacy, now you have something else to add to your worries. According to research by the Electronic Frontier Foundation (EFF), documents you print on your colour laser printer are able to indirectly identify you by encoding information that is not visible to the naked eye. Tiny dots are scattered on each page of your document. The information encoded includes time, date and the serial number of your printer. This is just the information that the EFF has managed to crack at the moment.

      So, who is behind this brilliant system? The U.S. government, of course. They claim the purpose of this tool is to enable them to identify counterfeiters. Is that the only purpose for this tool? It is yet to be discovered.

      According to Mr. Franco Frattini, the EU Commissioner for Justice and Security, there are no laws against tracking mechanisms in colour printers and photocopiers. "... the information based on tracking printed or copied material does not necessarily include data relating to identified or identifiable individual, i.e. personal data.

      To the extent that individuals may be identified through material printed or copied using certain equipment, such processing may give rise to the violation of fundamental human rights, namely the right to privacy and private life. It also might violate the right to protection of personal data."

      The EU acknowledges that this tracking system is a violation of human rights and is an invasion of our privacy. We have the laws to protect our privacy, but seeing that this tracking system in printers is part of the U.S. government's policy, how far will the EU go to protect us?

      Posted by: Lee & White

      Tags Personal Data Government Human Rights

    8. Toothless lions need more bite

      Thursday, January 17, 2008

      Yesterday, the UK's Information Commissioner's Office (ICO) found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information. It has now ordered both these companies to refine their data protection practices or be prosecuted.

      We must applaud the ICO for taking enforcement action on this matter. Without a doubt, the ICO seems to be taking centre stage these days with the heightened number of privacy breaches in the UK (and believe me, with the rest of the world too). It is now asking for several improvements to its powers which are currently too weak to enforce the law effectively.

      According to Privacy Laws and Business, the House of Commons Justice Committee published a "Protection of Personal Data" report on the 3rd of January 2008 amongst others, recording evidence given on the 4th of December 2007 by Richard Thomas, the Information Commissioner, to the Justice Committee hearing on the protection of personal data. The ICO is seeking mandatory audits, criminal offence and data breach notification.

      In Belgium, the situation is no better. Perhaps it is worse - for many breaches are not publicised, contrary to the UK. Perhaps we need to put it out in the open here. Perhaps we need to complain more, and not just accept it when something goes wrong with our personal data. Perhaps the Belgian public must be better educated. Perhaps Belgian organisations too. Perhaps we need the Belgian press to provide greater publicity on privacy issues.

      And perhaps the Belgian Privacy Commission should follow in its fellow privacy defender's footsteps and demand the same. These privacy promoters are currently toothless lions, sad to say.

      Currently, the Belgian Privacy Commission's powers are merely supervisory - giving advice and recommendations, and whilst being able to send warnings, and denounce violations to the public prosecutor, it is unable to sanction. One must remember though, that with regard to the latter powers, a complaint must first reach the Commission. Yes, so it does have to start with you, the individual who suffers.

      Given the large number of malpractices in organisations with regard to the protection of personal data, and given the attitude of the public in not wanting to prolong their suffering, Privacy Commissions' powers, both in the EU and the rest of the world should be reviewed. It is high time they are given greater control and ability to protect personal data. It is after all, for our well-being.

      Posted by: Lee & White

      Tags Private Persons Personal Data Organisations

     

    Copyright © 2003-2025 Lee & White®. All rights reserved.
