Lee & White

  • How your personal data is collected on a website.

    Wednesday, July 30, 2008

    When you surf on the Internet, and browse through a website, do you realise some of the methods by which your personal data are collected?

    Well, there are several ways:

    Personal data visibly collected on the website
    If you are aware that you are providing personal details on a website, then the website is visibly or explicitly processing personal data. To that extent, you can control the type of personal data you wish to divulge.

    Some ways in which personal data can be visibly collected include:

    Forms
    Most websites have more than one type of form, depending on the purpose of the form. Since forms are usually designed for a particular purpose, they are a good way of ensuring only relevant data is collected. At the same time, you can easily deduce and have a minimum form of control over the personal data you wish to provide - based on the fields you must fill in prior to submitting the form.

    Email forms however, may be contentious. Using an email to send the form is not a good system as it gives rise to the possibility of collecting another email address which is not disclosed by the user for some reason. For example, the sample below marks Name, Surname, Street and number, Postcode and Municipality as mandatory whilst email is amongst the optional fields.

    Hence, whilst testing this form, I opted to leave out my email address. However, upon clicking SUBMIT, the message as seen below appeared and my email address would nevertheless be collected by the website despite my declining to disclose it initially.

    Email
    Whether it is a mail-to function (an email link on the website) which enables you to contact the organization by clicking on the email link, or it is an email address given on the website for contact without the link, you will divulge your personal data such as your email address and name in the email you send.

    Postal address, phone and fax
    Phone calls made, faxes sent, or letters written to the organization will also lead to personal data being divulged by you in the course of obtaining more information about the organization.

    To that extent, it does not differ from online forms on the website as the purpose is the same, and you should be informed that your personal data will/may be collected through these means as well.

    Personal data invisibly collected on the website
    This is where you are unaware of the collection - usually where a specific technology is used to perform the collection, unknown to you.

    Technology per se is advantageous, but it can, unfortunately, prove to be a menace as well - sometimes by design, at other times by surreptitious use.

    Cookies are a common method of invisible collection and are widely used on websites. Here, it is important that you are informed of the technology used to collect your personal data. Otherwise, being unaware, you are no longer in control of your personal data and such an act is a breach of privacy.

    Hopefully, this brief information on the subject will give you a hint on what to look out for before disclosing your personal data.

    For an in-depth read on the subject, please consider the Privacy Report 2006 on the compliance of Belgian non-profit organizations' and political parties' websites with regard to the processing of personal data in accordance with the Belgian Law on Privacy Protection in relation to the Processing of Personal Data, implementing European Union Directive 95/46/EC.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet IT

  • Basic understanding of your duty as the data controller

    Monday, June 30, 2008

    A person's privacy is a fundamental right which requires recognition and protection. Whilst it is incapable of precise definition, the concept has been linked with data protection, which interprets privacy in terms of management and handling of personal data.

    With this right, we are able to strengthen essential values such as the freedom of thought, conscience and religion and the freedom of expression.

    And alongside this right is a duty to protect it. This fundamental duty affects everyone as employers/persons processing personal data. Basically, if you determine the purposes and means of processing personal data, whether or not you are a natural person, you become the data controller and the duty to protect the right to privacy is imposed on you. Of course, failure to uphold your duty would give rise to illegal intrusions into the personal data and privacy of those whom you are supposed to protect and consequently, you will be held responsible.

    So whose personal data are you responsible for? You are responsible for all personal data that you collect apart from those you collect in the course of exclusively personal or household activities, for the processing of personal data carried out exclusively for journalistic, artistic or literary expression purposes, or for public security.

    Hence, your responsibility encompasses the protection of personal data belonging to your employees, potential and actual customers and suppliers, visitors, consultants and job applicants.
    Of course, your duty to protect personal data does not imply a prevention of processing that personal data. To do so would paralyse businesses. It is indeed unavoidable that a data controller will process personal data.

    However, whilst you, as the data controller, can establish that processing personal data is a necessary course of business, you must not be allowed to abuse the personal data received. It's a balancing act of right and duty. The only way to resolve the conflict of interests between the company and the individual is by building trust in the individual who is about to divulge his personal data.

    And transparency in processing personal data is the source of that trust relationship. Offer this from the very instant personal data is about to be collected and this attitude of yours towards upholding a person's privacy (both online and offline) will measure your failure or success in building a relationship with your customers, gaining their trust and developing that essential viable edge in the marketplace.

    Believe it or not, you stand to gain a lot when you comply with your duty. It is a chain reaction - so get the ball rolling.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Human Rights

  • What's the big deal anyway?

    Thursday, May 1, 2008

    "What's the big deal anyway?" A remark we hear very often when discussing personal data issues. "Nothing to be concerned about, who would be interested in my personal data, and what can they do with it anyway?"

    Everyone agrees that a credit card number or bank account number is not something you should share (even Jeremy Clarkson eventually). But what can people do with my name and address, social security number or date of birth?

    Personal data can be used for identity theft - impersonating someone by using as much as you know about that person to get financial or other benefit in that person's name. For example you could go to a bank and request - and receive - a new credit card in the name of the person you are impersonating, with the bills of course being sent to the original person.

    How do criminals get their hands on your data? Everybody knows about skimming - a technique where a debit or credit card gets copied by attaching a small device onto an ATM machine. Another well known technique is to steal files from people's computers, by hacking them or by installing viruses or Trojan horses. And of course there is social hacking, asking seemingly harmless questions to a person online or in person, and using that information to build a complete profile.

    And criminals move with the times. A BBC team exposed, in a proof of concept, how easy it is to socially hack Facebook and harvest information on other users, including names, passwords and other information.

    How do criminals use this data? It seems that data thieves set up data supermarkets to sell stolen personal data to whomever might be interested. Yes, you can get a working credit card number for a few euro, or even buy complete corporate log files (containing names and passwords, server locations, numbers and confidential information) for as little as 200 euro. When closed down, they just reopen at another location.

    Stuff to think about. Perhaps you will consider this the next time before revealing some of your personal data to anyone.

    Posted by: Lee & White

    Tags Data Breach Private Persons Personal Data Organisations Internet IT

  • How much is your personal data worth?

    Friday, April 18, 2008

    How much, or should I say, what would it take for you to give out your personal data? A trip to Paris? A brand new car? Or perhaps, a bar of chocolate would do? Apparently, based on a survey conducted by Infosecurity Europe on 576 office workers outside Liverpool Street Station in London, a free bar of chocolate is good enough for 45% of women and 10% of men to give out their passwords. Only 21% surveyed were unwilling to give their password of which 60% later provided personal data such as date of birth. 60% of men and 62% of women happily provided their names and telephone numbers to enter a draw to go to Paris.

    People are not aware of the extensive possibilities in which their personal data can be utilised. A mere name and telephone number is substantial information for a social engineer to gain further information about you which could then lead to your life being turned upside down. Call me dramatic or far fetched - remember Kevin Mitnick?

    As a bid to prove just how easily people do give out their personal data, the Belgian consumer organisation OIVO set up a website called CelBel which asks youths between 13 and 21 years of age to register with them in exchange for a free mobile phone subscription until they reach the age of 21. Sounds too good to be true? Once users have entered their information and clicked on the submit button, they are taken to a page which informs them that the site is fake and then takes them to a website which explains the abuses of personal data.

    Well, good thing OIVO is legit, but do you see how easily the art of deception and manipulation can be practised on the Internet to get you to give out your personal data? And better still, do you see how easy it is for you to fall into that trap?

    Posted by: Lee & White

    Tags Private Persons Personal Data

  • Toothless lions need more bite

    Thursday, January 17, 2008

    Yesterday, the UK's Information Commissioner's Office (ICO) found Carphone Warehouse, and its sister company TalkTalk, in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information. It has now ordered both these companies to refine their data protection practices or be prosecuted.

    We must applaud the ICO for taking enforcement action on this matter. Without a doubt, the ICO seems to be taking centre stage these days with the heightened number of privacy breaches in the UK (and believe me, with the rest of the world too). It is now asking for several improvements to its powers which are currently too weak to enforce the law effectively.

    According to Privacy Laws and Business, the House of Commons Justice Committee published a "Protection of Personal Data" report on the 3rd of January 2008 amongst others, recording evidence given on the 4th of December 2007 by Richard Thomas, the Information Commissioner, to the Justice Committee hearing on the protection of personal data. The ICO is seeking mandatory audits, criminal offence and data breach notification.

    In Belgium, the situation is no better. Perhaps it is worse - for many breaches are not publicised, contrary to the UK. Perhaps we need to put it out in the open here. Perhaps we need to complain more, and not just accept it when something goes wrong with our personal data. Perhaps the Belgian public must be better educated. Perhaps Belgian organisations too. Perhaps we need the Belgian press to provide greater publicity on privacy issues.

    And perhaps the Belgian Privacy Commission should follow in its fellow privacy defender's footsteps and demand the same. These privacy promoters are currently toothless lions, sad to say.

    Currently, the Belgian Privacy Commission's powers are merely supervisory - giving advice and recommendations, and whilst being able to send warnings, and denounce violations to the public prosecutor, it is unable to sanction. One must remember though, that with regard to the latter powers, a complaint must first reach the Commission. Yes, so it does have to start with you, the individual who suffers.

    Given the large number of malpractices in organisations with regard to the protection of personal data, and given the attitude of the public in not wanting to prolong their suffering, Privacy Commissions' powers, both in the EU and the rest of the world should be reviewed. It is high time they are given greater control and ability to protect personal data. It is after all, for our well-being.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations

  • The privacy breach of one Dutch company

    Monday, January 14, 2008

    Dutch care insurance company, CZ, recently made the headlines as a result of a faulty online quote system. Personal information of about 55000 people with regard to past applications could be retrieved by other parties. Such information included the date of birth, bank numbers, social fiscal numbers, gender, name, address, post code, phone number and email address of these people. The online quote system has been removed from CZ's website.

    The blunder was first discovered by two programmers who used the system for a quote and found the leak. CZ was informed of this but five days later, the information was still accessible and this led to contact with the newspaper, Algemeen Dagblad.

    Whilst there is no proof of abuse of such personal information - or no proof yet, the fact that such a leak is happening should be sending warning bells to us. How many more websites visited are carelessly giving access to the same? How many more companies are just as negligent? This is just the privacy breach of one Dutch company - its negligence in implementing proper security measures to protect this personal information.

    Also, if you look at CZ's website, you will come to discover that the vital online privacy policy which should be available to inform visitors of CZ's privacy practice and security is lacking.

    What you should always look for when surfing on a website is its privacy policy and if you are not satisfied, do grill the organisation on it without divulging too much personal information. Use a pseudonym, or create a separate email account without using your name. Do read our previous entry Who is abusing my email? for more information on this.

    Well, just to let you know that personal information is carelessly handled every day.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet IT

  • Jeremy Clarkson - wise guy humbled.

    Tuesday, January 8, 2008

    How many of you know Jeremy Clarkson? The wise guy host of Top Gear?

    Well, like many people who do not seem to grasp the importance of keeping their personal data secure and ensuring that those who handle their personal data do the same, he has also thrown caution to the wind.

    But that is quite alright. According to the BBC, he has been superbly proven wrong. The man recently revealed his account numbers in the Sun newspaper after ridiculing the commotion over the loss of 25 million people's personal details on two computer discs in the UK. He wanted to prove that it was all a big fuss over nothing, but thanks to a reader, he has been put in his place! The details have been used to create a £500 direct debit to the charity Diabetes UK!

    "I was wrong and I have been punished for my mistake," says Clarkson.

    Indeed you have.

    Now the question is, have we all learnt our lesson or do we have to be proven wrong through a loss to understand the consequences of disregarding the importance of privacy?

    Posted by: Lee & White

    Tags Private Persons Personal Data

  • Personal data goes missing again!

    Wednesday, December 26, 2007

    Will it not end? Will we have to keep reading (almost on a daily basis now) about the security breaches involved concerning personal data?

    Where is the fire this time? NHS Trusts in the UK, it would seem.

    According to Reuters, nine National Health Service trusts have lost the records of hundreds of thousands of adults and children, in the latest embarrassing loss of data by official bodies.

    Ever since the concern for data protection was augmented not too long ago by the UK government when it acknowledged it had lost CDs with the names and bank account details of 25 million people, exposing nearly half the population to possible fraud and identity theft, more and more news of failures to protect personal data by official bodies has been pouring in.

    Yes, the government informed last week that one of its contractors had lost the detail of 3 million learner drivers! Now, how is this possible? How can it just be lost? What has happened to the compliance of strict procedures in protecting personal data? If this is happening within official bodies, how much more within companies and other organisations where almost no form of security procedure is adhered to concerning the protection of personal data? And whilst this is reported in the UK, where, mind you, they are much more strict about such matters, what is the situation like in other countries?

    I shudder to think what is happening in Belgium, for instance - where about 97% of the companies (according to research in 2005) are not compliant with the Belgian Data Protection Law. To top it off, in research in 2006, none of the non-profit organisations including the political parties were compliant either. And in Belgium, many cases do not make it to the headlines for some reason.

    So, what do we do? Make more noise? Let this continue? If only those in power would start enforcing the sanctions and make examples of these organisations.

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations

  • 'Tis the season to be spamming - Not!

    Wednesday, December 19, 2007

    It is remarkable how far Christmas and New Year celebrations have been utilised for commercial gain. From selling ridiculous products under the pretext of Christmas gifts to spamming, Christmas has become nothing more than a time for advertising and marketing.

    So what is Christmas spamming? Well, under the guise of sending you a Christmas and New Year wish through an email, these companies are actually trying to lure you into some new product or service. Yes, it is a commercial email and in many cases, there is no opportunity to unsubscribe from such emails and you might find yourself receiving it again in the following years if you don't put a stop to it instantly. A typical message would be something like:

    "We at XABCX wish you a very Merry Christmas and a prosperous 2008!

    By the way, do check our website http://www.xabcx.com as we are having some great promotions on VVVVV..."

    Now, note that it is spam if you never asked or subscribed for such commercial emails. It is spam if you are not a customer of theirs and if you are a company, it is also spam if such goods/services offered are not similar to the ones in your company - meaning they are not intended for you. Oh and one more spam point. If the email is sent to your company at your personal email address, then that is spam too.

    So, do look out for such emails and please, do your bit and get them to stop spamming! Happy Christmas and a great 2008 everyone!

    Posted by: Lee & White

    Tags Private Persons Personal Data Organisations Internet

  • When parents should think more than feel

    Wednesday, November 21, 2007

    When it comes to children, which parent does not want to announce to the world all about theirs?

    And let me add, what better way to "boast" (for lack of a better word) than by setting up a website displaying all possible information about your child/children?

    Indeed, from the start of the child's life to his/her daily development, many uninformed parents today seem to be putting up websites with all kinds of personal information regarding themselves and their children. Some soon-to-be parents even set up websites counting the days to their child's birth.

    You will usually and easily find the following information about a child in the order below:
    1. at birth - name of child, name of parents, weight and height of child, time of birth, contact details of the family for well wishes, and not to forget, pictures! Yes, and these pictures sometimes include pictures of their little ones in the nude - which in my opinion should not be published. You may think it is simply innocent and your child may look absolutely adorable, but in today's society where paedophiles roam and child pornography is rampant, I think it is better to keep your precious moment locked in your cupboard rather than displaying it on a global communications network!
    2. after birth - daily/monthly development of the child, pictures, likes/dislikes of the child, hobbies, etc, and again, contact details including the home address and phone number. Basically, you will know all about the child just by browsing through the website and never needing to have met him/her. And if a stalker or a kidnapper happens to be on the hunt for your child, how much easier can it get for them? The parent has given them all they need to know.

    What is wrong in wanting to share all about your child? Everything.

    Let us look at it from the perspective of the Belgian law of 8 December 1992 on the protection of privacy.

    We know that the Internet is a communication means that, in comparison to other communication means, promotes the distribution of and access to information freely and on a world scale. Such a distribution can easily bring with it a loss of control of the individual over his data which he has communicated online.

    There are many who cannot imagine that, when they disseminate personal information online, this data will be able to be used numerous times. This observation is even more apparent when children are surfing the Internet. Why?

    Well, a child is himself in a weak position when he comes into contact with third parties via the Internet: he/she is more impressionable than an adult, less suspicious and probably does not know all his rights. Given the fact that a child is innocent, impressionable and vulnerable, the law seeks to protect him/her by ensuring that his/her personal information is not freely available both on and off the Internet and that whatever information available is kept secure and only obtained by outsiders with the permission of his/her parents.

    Now take note. The law assumes that parents (who have supposedly reached the understanding capacity age) will take care and exercise their parental responsibility to protect and guard their children against harm. The law in fact entrusts parents with this duty. It goes without saying then that parents should only give permission to third parties to handle their children's personal information in necessary circumstances. All this is said on the acceptance of a child's vulnerability.

    Further on, whilst the granting of permission usually requires it to be an expressed permission, a parent who sets up a website for himself and divulges his child's personal information is actually impliedly giving the world (an uncountable number of third parties) permission to make use and sometimes abuse such personal information.

    Can we stop to imagine the worst that could happen given the availability of such information concerning the child?

    For example, there is nothing stopping outsiders from profiling the family and saving the pictures of the child/children made available by his/her parents on the website by simply right-clicking with the mouse. Only God knows the potential abuse of innocent children's pictures that could take place.

    If we look at the Belgian Privacy Commission's recommendation concerning the protection of the privacy of minors on the Internet, when it concerns the distribution of pictures of minors, not only must their preceding permission be obtained, but also those of their parents in the case of a minor who has not yet reached the understanding capacity age. Just as it is with the case of sensitive data, so also is a picture the object of a specific protection, framed with the theory of the right to image. By virtue of these provisions, in principle, the permission of the person concerned must be obtained for every use of his picture.

    Thus, those who wish to handle personal information including pictures, must obtain the expressed permission of the data subject, and in the case of children, the permission of their parents.

    But if parents themselves seem to shirk their responsibility in this matter and make such personal information including pictures of their children so readily available for abuse, then what more can the law do to protect these young ones? Who is to blame when something does go wrong? Do stop to ponder on what I have just said. Is what I am saying so far-fetched? I do not think so. Not in today's world at least. We are certainly not living in the age of well-manicured gardens, dutiful housewives and newspaper-pipe-slippers husbands.

    So, the next time you want to set up a website with your little child's pictures and personal details on because you are bursting with pride, think. Don't just feel. Then think again.

    Posted by: Lee & White

    Tags Private Persons Personal Data

Copyright © 2003-2025 Lee & White®. All rights reserved.
