Lee & White

  • Permission to Read Your eID

    Friday, July 8, 2011

    The electronic identity card, or eID, is the statutory identity card in Belgium. Every Belgian citizen in Belgium above 12 years of age has an eID. In addition, foreigners residing in Belgium, both EU and non-EU citizens, who have fulfilled the country's residence requirements are also given an eID. With this eID, you are able to prove your identity and travel within the EU countries.

    And it does not stop there. The eID, protected by a PIN code, has a microchip which contains information not visible on the card itself, such as one's address, and electronic data known as digital certificates. These certificates confirm your identity when you use the eID with a card reader. Through the eID, you can:
    • prove your identity on the Internet
    • place an electronic signature
    • apply for official documents and fill in official forms
    • and more...
    Whilst anyone with a card reader can read the details on an eID by inserting the eID into the card reader and using the publicly available software, not everyone may do so: a legitimate purpose and the consent of the data subject are required.

    The presentation or submission of the eID card is not governed by the Data Protection Law. However, once the information on the identity card is read, copied or manually recorded, processing of personal data has taken place and is subject to the application of the Data Protection Law.

    As such, it is of primary importance to establish that there is a legitimate purpose for the reading of the eID. Where the information is visible on the eID card to the naked eye, and sufficient to achieve the relevant purpose, the data controller should only copy/process that information and should not proceed with an electronic reading of the chip. This is because, as earlier stated, the microchip contains both information already visible on the card as well as hidden information which may not be necessary for the relevant purpose. If the data controller reads the information contained in the chip anyway, he is then processing irrelevant and excessive information unnecessary for his purpose(s) and is in breach of the Data Protection Law.

    Hence, if you happen to be asked for your eID to be read by the card reader, which seems to be quite common in registering for mobile phone subscriptions and tenancy agreements, do exercise your right to know the specific purpose for reading your eID, and if the information required is visible on the card without having to read the chip, then do know that the data controller has no ground for making this request.

    Posted by: Lee & White

    Tags: Private Persons, Personal Data, Organisations, Human Rights, IT

  • Protecting Them is protecting You

    Wednesday, June 15, 2011

    Despite many obvious reasons for ensuring both technical and organisational security measures within a company, many companies (don't be surprised) are yet to implement these.

    Unrestricted access to server rooms (for purposes which will set you on the floor laughing, but sadly true), sharing of passwords between colleagues, unlocked cabinets, messy desks with confidential information displayed for all eyes, insecure company websites collecting personal data, and so on. If you're nodding to all these as you read, then you've got a company that is in breach of the Data Protection Law.

    Now, last week on the news, Sony Pictures was humiliated when hacking group LulzSec claimed it had accessed unencrypted personal data of SonyPictures.com and Sony BMG's websites in Belgium and the Netherlands. According to the group, getting the information was not that complex: they gained access to SonyPictures.com with a single SQL injection.

    "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," they claimed. "This is disgraceful and insecure: they were asking for it."

    According to Beth Givens, director of Privacy Rights Clearinghouse, the attacks on Sony would seem to indicate lax practices on Sony's part. "These repeated Sony attacks are an object lesson for all companies," she said. "Sony has reported that it uses industry standards for security. If that's true, then perhaps it is time to re-evaluate and even go beyond such standards." (Read more: cnetNews)

    It is clearly another lesson to be learnt. But are companies learning, or ignoring this important legal and moral duty to their customers? How many companies will take the appropriate security measures now, or will it depend on the budget and short-term profit?

    Posted by: Lee & White

    Tags: Best Practices, Data Breach, Personal Data, Organisations, IT

  • The Grand Data Heist - Millions Affected

    Monday, April 4, 2011

    Epsilon, the largest global online marketing company, which manages communications for a number of the biggest international firms in the world, announced that it suffered a breach of its e-mail system on March 30th, resulting in the theft of millions of customer records. It is said to be the largest data theft in history.

    "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system," Epsilon said.

    Epsilon sends out an estimated 40 billion permission-based emails yearly on behalf of its 2,500 clients and brands, which include some prominent names such as Citi, JPMorgan Chase, Capital One, Marriott Rewards, TiVo, Walgreens, McKinsey, and Kroger. It was initially believed that the breach had only affected customers of Kroger, but it is likely that more companies are affected, as more of them confirm that they have had their data stolen as well. Clients of Epsilon have already begun to take steps to protect their customers by warning them of potential fraudulent emails.

    "The information that was obtained was limited to email addresses and/or customer names only," claims Epsilon, and though this may be true, it is all the information a hacker needs to obtain more sensitive information by sending phishing emails to subscribed customers. Scams such as this have high success rates because they prey on gullible and uninformed users.

    How does it work? Simple.

    Take this scenario as an example. SJ, a customer of company XYZ, subscribes to receive email notifications of their promotions. She receives an email with the latest products available and clicks on a link, assuming it will take her to the information page for a product she is interested in. What she is unaware of is this: it is a fraudulent email, and clicking on that link takes her to a hoax page where she is prompted to enter her personal information. Oblivious to the deception, she submits her details and falls into the scammer's trap.

    There are other, simpler ways too. Such emails could carry a virus that infects a user's computer when the email is simply opened.

    It is highly important that you are cautious and wary of whom, and where, you give your personal information to; how your personal information is handled; and what security is in place to protect your information. A reputable company, and one that values its customers' privacy, will inform you of its data processing practices. It is their legal duty. You will find this in their Privacy Statement; if they do not have one, be wary. You are, by law, empowered to query such companies, and their third parties, on the type and purpose of information kept about you. You have the right to access your information, and to request that this information be deleted where necessary.

    Posted by: Lee & White

    Tags: Data Breach, Personal Data, Organisations

  • User Profiling

    Tuesday, February 8, 2011

    You can approach sharing your personal data in two ways:

    Some people absolutely refuse to use applications such as Facebook, Twitter and LinkedIn.

    Others simply register with these sites in order to stop others from stealing their identity and using it to impersonate them. Other people go all out and share their whole life, successes and woes, likes and dislikes, and publish it for everyone to see.

    The same goes for user profiling. Some people do not mind that their every move is being traced and companies build extended profiles on their habits, likes and dislikes whilst others have a high Big Brother feeling and absolutely avoid using most, or even any of the electronic tools we have at our disposal these days.

    It is quite impossible to avoid being tracked, as every move you make on the Internet, using your fixed or mobile phone, credit and debit cards, bank transfers, purchases, driving on the highway and walking in public places, is monitored, registered, analysed, mashed up, stored and used for a multitude of purposes. Even if you do not use electronic tools yourself, the movements of your car are still registered by the numerous intelligent cameras, and even your face gets recognised by surveillance cameras. Tourists take geotagged snapshots with you as an accidental passer-by, and Facebook puts your name to your face.

    In fact, it is actually quite undesirable to have people move 'under the radar' so to speak as it opens the door to illegal, antisocial and unwanted activities and removes the feeling of social control.

    The data protection law empowers us to retain control on who handles our personal data and what they can use it for. It also allows us to stop people or entities from processing our personal data if we have good reason to do so.

    The benefits of user profiling are many. Instead of having to actively search for information and goods that interest us, companies can present us with relevant and interesting information and goods and not bother us with information that does not interest us. It is like the baker who knows which kind of bread you like and the tailor who knows your size and taste and helps you find the perfect garment in no time at all.

    Of course, there are also possible abuses with user profiling - such as criminals knowing when people are not at home.

    In conclusion, user profiling has many advantages and disadvantages, but it is here to stay and cannot be avoided.

    It is up to us, the general public or data subjects as we are called in data protection law, to keep a grip on our information, to exercise our rights and to keep arming ourselves with the necessary legal arms to keep abuse at bay.

    The data protection law must not be seen as restricting the use of personal data, but as a means to instil trust and order between the data controller and the data subject. It leaves us with many ways to use personal data correctly for a long-term relationship between customer and supplier.

    Posted by: Lee & White

    Tags: Private Persons, Personal Data, Organisations, Internet

  • More than a picture

    Tuesday, December 14, 2010

    There are many of us who widely publish our photographs containing images of ourselves, loved ones and friends on the Internet on networks such as Facebook, Friendster, Flickr and so on. And more often than not, we also publish photographs of others - including strangers and bystanders who happen to be in that picture when it was taken.

    Now, not many people realise that pictures are also personal data, and therefore, fall under the protection of personal data by law. Many organisations also publish pictures of employees, contractors, customers, and members on their websites - usually without prior consent. Since many are unaware of the fact that a picture of a person amounts to information relating to an identified or identifiable natural person, there is no claiming of this privacy right by the affected individual nor a corresponding performance of the legal duty by the data controller.

    Many questions can arise concerning this area - including the fact that if one publishes the pictures on a social network for a limited circle of friends and in the course of household activities (whereby the pictures are intended to be shared with close friends), and equates it to placing photographs in the traditional photo album, then surely, this does not fall under the Data Protection law. Then again, uploading pictures on the internet is hardly private despite the privacy settings on such networks because like it or not, the network provider has a copy of these pictures and what is eventually done with them is never fully certain. In addition, in the case of using other applications on a social network, it is a "forced consent" given by users because without permitting these third parties to access a user's general information including his/her profile picture, the user is unable to use the application he/she wishes.

    Furthermore, pictures published are easily copied by everyone with a click of the mouse. What happens then?

    Pictures of children published by ignorant parents who create websites for their children, boasting every bit of personal information such as address, date of birth, likes/dislikes of their child(ren) are becoming more and more rampant. This certainly opens a floodgate of unwanted attention and risks over the child(ren). Parents are supposed to protect their children - or has this changed?

    And so, at what cost is one's image sold? Where is the ultimate control one has over his image? Over his personal data? Over his privacy?

    How many people actually read the fine print?

    Posted by: Lee & White

    Tags: Private Persons, Personal Data, Organisations, Human Rights, Internet

  • Is There a Data Protection Policy in Your Company?

    Wednesday, September 1, 2010

    One of the largest corporate insurers was recently fined by Britain's financial regulator, the FSA, for the loss of customer data. Zurich Insurance PLC was fined a record £2.3m for losing 46,000 customers' personal information, which included identification information and details of bank accounts, credit cards and insured assets, and which could have resulted in significant loss to customers.

    The loss of customers' data dates back to August 2008 when Zurich Insurance had outsourced data work to the company's South African unit which lost an unencrypted back-up tape. The loss however, was not discovered until a year later.

    Companies would benefit from learning from the mistakes that cost Zurich Insurance PLC not only £2.3m in fine, but also the loss of its customers' trust which is a valuable asset for any company.

    "It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data," said Stephen Lewis, chief executive of Zurich Insurance.

    Now, what are you as a company doing to ensure that your customers' personal information is protected? Do you have a Personal Data Protection Policy in place in your company, and are your employees aware of it? It would do you well to look at this seriously and ensure you are protected by protecting your customers.

    Posted by: Lee & White

    Tags: Best Practices, FSA, Personal Data, Government, Organisations, Data Handling Manual

  • Data Security vs Data Protection

    Thursday, June 17, 2010

    "Data Security" and "Data Protection" are terms which seem similar and have been regarded as interchangeable by many. Ask an IT manager if his organisation is complying with the data protection law and he will say "Yes, we have all the data security measures in place."

    In his mind, the security measures his organisation has taken (e.g. backups, data masking, passwords) with regard to ensuring that data is kept safe from corruption and that access to it is properly controlled is "data protection" - or, "data security", if you like.

    For example, many organisations feel that if they perform an information assurance process, they have completed a similar process to that of a privacy impact assessment. This is not the case.

    Whilst an information assurance process will enable an organisation to show compliance with the data protection law, it does not take into consideration the wider issue of whether a particular project should be implemented at all from a privacy point of view. It does not ensure that external privacy concerns are identified and addressed, or that a particular marketing campaign is compliant with the data protection rights of individuals.

    The point to note is that "data security" is a subset of "data protection". It is the part which helps an organisation to comply with the security measures that must be taken as prescribed in the Belgian data protection law and EU Directive. These security measures are to keep the personal information received safe. It does not however, cover the broader aspect of the data protection law which has introduced an obligation for transparency concerning the use of personal data. This transparency is revealed when the organisation (data controller) exercises its crucial duty to inform its customers (data subjects) of the types, purposes and every single processing of their personal information, and provides them with the means for exercising their rights under the data protection law.

    The duty to inform can be seen as part of an exchange of information: an organisation wants, and needs, personal information, and so, in return for that personal information, it must provide the necessary information as to how the personal information it requests will be used.

    Look at the principle at its simplest - you cannot take something belonging to another without giving your reasons for it.

    Hence, the conclusion is that "data security" plays an important role alongside the "duty to inform" and the "provision of straightforward means for data subjects to exercise their rights" in ensuring that the data protection law is complied with and privacy upheld. These subsets together make up the circle of the correct use of personal information i.e. "data protection".

    Posted by: Lee & White

    Tags: Personal Data, Organisations

  • Overzealous

    Sunday, May 16, 2010

    There was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to overzealous IT people who captured all the data they could technologically grab and stored it, just in case they might use it in the future.

    This is a good example of what happens quite often in IT projects.

    • The business owner has a great idea to use a new technology to boost sales or to develop a new product.
    • The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
    • The project manager executes the project and drives the IT and business teams to deliver the required code.

    The whole process is monitored end to end by the data protection officer who

    • Assesses the impact on personal data protection at the time the business owner intends to initiate the project
    • Reviews and approves the business requirements and analysis documents, checking that personal data processing is
      • fair and lawful,
      • collected for the specific purpose of the project,
      • adequate, relevant and not excessive.
    • Participates in status and scope meetings, guarding the above.
    • Performs integration and user acceptance testing with a focus on personal data
    • Gives the final go that a project can go live and it is not, now and in the future,
      • a risk to trust and reputation of the organisation, or
      • a violation of applicable data protection laws.

    So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, does what they think is best.

    • The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
    • The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
    • The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
    • The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

    The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitly approve every step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and in less tangible values.

    Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering Wi-Fi signals) in the first place, which cannot be undone.

    Posted by: Lee & White

    Tags: Best Practices, Government, Organisations, IT

  • Let's send a mail

    Monday, April 26, 2010

    It's almost the end of the quarter, sales numbers are nearly on target, we just need a little boost to get them higher, perhaps even above target; I need that bonus.

    "You know what? Let's launch a quick campaign and mail our prospects!"

    I'm sure this all sounds very familiar if you are in the marketing department of any medium to large company, and it is a great initiative of course. But who shall you email? Where do you get the addresses?

    We could for example mail our prospects, people who expressed some interest in one of our products; or perhaps people who entered that competition last month; perhaps people who were submitted by someone in our friend-gets-friend referral campaign; perhaps the subscribers to our newsletter; what about ex-customers we want back; let's buy a list from a broker; ...

    And this is where it gets hairy:

    • Are you mailing the right people, possibly sending a super promo mail that will anger a new customer who paid so much more for the same product a few days ago?
    • Do you have permission to email these prospects? Did you ask them for their permission to send them this kind of promotion, and did they opt in?
    • Did you exclude persons who opted out from your list?
    • Is your list deduplicated? Are you not sending multiple mails to the same person through the same or different email addresses?
    • Are you not publishing your list of email addresses to every recipient?

    A mistake at this level can cost you dearly, in terms of losing face or upsetting client or supplier relations, and it could all be solved if you had followed proper procedures when you acquired the email addresses.

    All you needed to do was:

    • Ask for a prospect's email only when needed.
    • If you want to use this information for other purposes, inform the prospect and ask for his explicit permission.
    • Allow the prospect to review, change and delete his information at his simple request at any time.
    • Check if the supplier of your mailing list or broker has obtained the permission of your prospects and has informed them of the possibility of their information going to you for marketing purposes.
    • At any communication, give the prospect the opportunity to opt out of future communications of this kind or of any kind.
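    The list checks above (opt-in, opt-out suppression, deduplication across spellings of the same address, not mailing a customer who just bought at full price, and never exposing the list to other recipients) can be enforced in code before a campaign goes out. The following is an added example written for this page, not Lee & White's own tooling; the prospect record layout, the sample addresses and the 14-day "recent purchase" window are constructed assumptions.

```python
"""Mailing-list hygiene for a promotional campaign (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Prospect:
    email: str
    source: str                        # where the address came from (assumed field)
    opted_in: bool                     # explicit opt-in for promotional mail
    last_purchase: Optional[date] = None


def normalise(email: str) -> str:
    """Canonical form used for deduplication: strip whitespace and lowercase.
    Treating the local part case-insensitively is an assumption that holds for
    practically all mail providers."""
    local, _, domain = email.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


def build_send_list(prospects, opt_outs, today, recent_days=14):
    """Return (recipients, rejections).

    recipients: deduplicated, normalised addresses that may be mailed.
    rejections: original address -> reason it was excluded.
    """
    suppressed = {normalise(e) for e in opt_outs}   # opt-out list wins over everything
    recipients, rejections, seen = [], {}, set()
    for p in prospects:
        addr = normalise(p.email)
        if addr in seen:
            rejections[p.email] = "duplicate of an address already processed"
            continue
        seen.add(addr)
        if addr in suppressed:
            rejections[p.email] = "opted out"
        elif not p.opted_in:
            rejections[p.email] = f"no opt-in for promotions (source: {p.source})"
        elif p.last_purchase and (today - p.last_purchase).days <= recent_days:
            rejections[p.email] = "bought recently; a promo would undercut their price"
        else:
            recipients.append(addr)
    return recipients, rejections


def envelopes(recipients, body):
    """One message per recipient, so the list is never exposed in To/Cc,
    and every message carries an opt-out instruction."""
    footer = "\n\nReply STOP to opt out of future mailings of this or any kind."
    return [{"to": r, "body": body + footer} for r in recipients]


# Constructed sample data for the demonstration.
TODAY = date(2010, 4, 26)
SAMPLE = [
    Prospect("Ann@Example.com", "newsletter", True),
    Prospect("ann@example.com ", "competition", True),          # same person again
    Prospect("bob@example.com", "friend-gets-friend", False),   # referred, never asked
    Prospect("carol@example.com", "ex-customer", True),         # on the opt-out list
    Prospect("dave@example.com", "customer", True, date(2010, 4, 20)),  # bought 6 days ago
    Prospect("erin@example.com", "broker list", True),          # broker confirmed opt-in
]
OPT_OUTS = ["CAROL@example.com"]

if __name__ == "__main__":
    ok, rejected = build_send_list(SAMPLE, OPT_OUTS, TODAY)
    for addr, why in rejected.items():
        print(f"skip {addr!r}: {why}")
    for env in envelopes(ok, "Quarter-end offer: 20% off this week only."):
        print("send to", env["to"])
```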

    A Privacy Impact Assessment at the design phase of a project can detect such opportunities and a Data Protection Audit can analyse and correct the flow of information within your organisation.

    It will save you in the long run!

    Posted by: Lee & White

    Tags: Best Practices, Organisations, IT, Data Handling Manual

  • A True Story

    Friday, April 23, 2010

    A few weeks ago, Rachel called up her mobile phone service provider to change her subscription package. The Customer Service Officer who attended to her was a Mr. Hendricks, who was very efficient in dealing with Rachel's request.

    A few hours after the call, Rachel received a call from Mr. Hendricks who told her that he found her voice very attractive and would like to take her out for dinner. Now, Rachel turned him down as she has a boyfriend. Mr. Hendricks was disappointed but decided he would keep calling, and after several calls and several refusals by Rachel, he decided he would press his luck and send a bouquet of flowers to her house.

    Rachel was very frightened that Mr. Hendricks knew where she lived, and that he had complete access to all her personal information. She now has complete distrust in her mobile phone service provider and decides she will cancel her account with them.

    Question to the consumer: Do you know who has your personal information and what they are doing with it?

    Question to the organisation: What are you doing to prevent privacy breaches like this?

    (Names have been changed to maintain confidentiality)

    Posted by: Lee & White

    Tags: Private Persons, Personal Data, Organisations

Copyright © 2003-2025 Lee & White®. All rights reserved.