Lee & White

"Data Security" and "Data Protection" are terms which seem similar and have been regarded as interchangable by many. Ask an IT manager if his organisation is complying with the data protection law and he will say "Yes, we have all the data security measures in place."

In his mind, the security measures his organisation has taken (e.g. backups, data masking, passwords) with regard to ensuring that data is kept safe from corruption and that access to it is properly controlled is "data protection" - or, "data security", if you like.

For example, many organisations feel that if they perform an information assurance process, they have completed a similar process to that of a privacy impact assessment. This is not the case.

Whilst an information assurance process will enable an organisation to show compliance with the data protection law, this process does not take into consideration of the wider issues of whether a  particular project should be implemented from a privacy point of view. It does not ensure that external privacy concerns are identified and addressed or whether a particular marketing campaign is compliant with the data protection rights of individuals.

The point to note is that "data security" is a subset of "data protection". It is the part which helps an organisation to comply with the security measures that must be taken as prescribed in the Belgian data protection law and EU Directive. These security measures are to keep the personal information received safe. It does not however, cover the broader aspect of the data protection law which has introduced an obligation for transparency concerning the use of personal data. This transparency is revealed when the organisation (data controller) exercises its crucial duty to inform its customers (data subjects) of  the types, purposes and every single processing of their personal information, and provides them with the means for exercising their rights under the data protection law.

The duty to inform can be seen as part of an exchange of information - an organisation wants, needs personal information and so, in return for personal information, must provide the necessary information as to the use of the personal information it requests for.

Look at the principle at its simplest - you cannot take something belonging to another without giving your reasons for it.

Hence, the conclusion is that "data security" plays an important role alongside the "duty to inform" and the "provision of straightforward means for data subjects to exercise their rights" in ensuring that the data protection law is complied with and privacy upheld. These subsets together make up the circle of the correct use of personal information i.e. "data protection".

There was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to the overzealous IT people who captured all data that they could technologically grab, and store it, just in case they might use it in the future.

This is a good example of what happens quite often in IT projects.

• The business owner has a great idea to use a new technology to boost sales or to develop a new product.
• The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
• The project manager executes the project and drives the IT and business teams to deliver the required code.

The whole process is monitored end to end by the data protection officer who

• Assesses the impact on personal data protection at the time the business owner intends to initiate the project
• Reviews and approves the business requirements and analysis documents, checking that personal data processing is
  • fair and lawful,
  • collected for the specific purpose of the project,
  • adequate, relevant and not excessive.
• Participates in status and scope meetings, guarding the above.
• Performs integration and user acceptance testing with a focus on personal data
• Gives the final go that a project can go live and it is not, now and in the future,
  • a risk to trust and reputation of the organisation, or
  • a violation of applicable data protection laws.

So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, do what they think is best.

• The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
• The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
• The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
• The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitely approve any step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and less tangible values.

Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering wifi signals) in the first place which cannot be undone.

It's almost the end of the quarter, sales numbers are nearly on target, we just need a little boost to get them higher, perhaps even above target, I need that bonus.

"You know what? Let's launch a quick campaign and mail our prospects!"

I'm sure this all sounds very familiar if you are in the marketing department of any medium to large company, and it is a great initiative of course. But who shall you email? Where do you get the addresses?

We could for example mail our prospects, people who expressed some interest in one of our products; or perhaps people who entered that competition last month; perhaps people who were submitted by someone in our friend-gets-friend referral campaign; perhaps the subscribers to our newsletter; what about ex-customers we want back; let's buy a list from a broker; ...

And this is where it gets hairy:

• Are you mailing the right people, possibly sending a super promo mail that will anger a new customer who paid so much more for the same product a few days ago?
• Do you have permission to email these prospects; did you ask them for their permission to send them this kind of promotions and did they opt-in?
• Did you exclude persons who opted out from your list?
• Is your list deduplicated? Are you not sending multiple mails to the same person through the same or different email addresses?
• Are you not publishing your list of email addresses to every recipient?

A mistake at this level can cost you dearly, in terms of losing face or upsetting client or supplier relations, and it could all be solved if you had followed proper procedures when you acquired the email addresses.

All you needed to do was:

• Ask for a prospect's email only when needed.
• If you want to use this information for other purposes, inform the prospect and ask for his explicit permission.
• Allow the prospect to review, change and delete his information at his simple request at any time.
• Check if the supplier of your mailing list or broker has obtained the permission of your prospects and has informed them of the possibility of their information going to you for marketing purposes.
• At any communication, give the prospect the opportunity to opt out of future communications of this kind or of any kind.

A Privacy Impact Assessment at the design phase of a project can detect such opportunities and a Data Protection Audit can analyse and correct the flow of information within your organisation.

It will save you in the long run!

A few weeks ago, Rachel called up her mobile phone service provider to change her subscription package. The Customer Service Officer who attended to her was a Mr. Hendricks who was very efficient in dealing with Rachel’s request.

A few hours after the call, Rachel received a call from Mr. Hendricks who told her that he found her voice very attractive and would like to take her out for dinner. Now, Rachel turned him down as she has a boyfriend. Mr. Hendricks was disappointed but decided he would keep calling, and after several calls and several refusals by Rachel, he decided he would press his luck and send a bouquet of flowers to her house.

Rachel was very frightened that Mr. Hendricks knew where she lived, and that he had complete access to all her personal information. She now has complete distrust in her mobile phone service provider and decides she will cancel her account with them.

Question to the consumer: Do you know who has your personal information and what they are doing with it?

Question to the organisation: What are you doing to prevent privacy breaches like this?

(Names have been changed to maintain confidentiality)

The UK's Information Comissioner's Office (ICO) has sharper teeth now to deter personal data security breaches - it can now serve monetory penalties of up to 500,000GBP to organisations for breaches of the Data Protection Act. The power is designed to deal with serious breaches of the Data Protection Act.

According to the ICO, for a data breach to attract a monetary penalty there must have been a serious breach that was likely to cause damage or distress and it was either deliberate or negligent and the organisation failed to take reasonable steps to prevent it. It gave the following examples:

Damage
Following a security breach by a data controller financial data is lost and an individual becomes the victim of identity fraud.

Distress
Following a security breach by a data controller medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise.

Deliberate
A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned.Now, this is a major step forward for a data protection authority (DPA), and it is about time.Unfortunately, at the moment, there are big differences regarding the position of the DPAs in the member states and not all the DPAs have the same power. According to the Article 29 Data Protection Working Party, this is because of differences in history, case law, culture and the internal organization of the member states.

Moreover, article 28 of Directive 95/46/EC lacks precision in several aspects, and has, to a certain extent, been poorly implemented in some jurisdictions -resulting in noticeable differences between the member states regarding, amongst others, the position, resources and powers of DPAs.In any case, with the growth of technology and globalisation, strong supervision and effective powers are needed by DPAs in addition to their current powers.

In Belgium, 97% of organizations' websites are non-compliant. If so, then the question is whether internally, these organizations are adhering to the data protection law.

Perhaps it is necessary for its Privacy Commission to be given a similar sanctioning power as that of the ICO. At the moment, the Privacy Commission has no teeth. Its powers are limited to advising, recommending and handling complaints. Coupled by the public's lack of awareness on data protection - which results in lesser complaints than the reality of the situation, many organizations abuse the situation and operate without fear or respect for the data protection law.It is hoped that someday soon, this will change.

You are in search of a house. You visit real estate agents, you drive around, you enter the World Wide Web.

We have all gotten so used to our gadgets that we are willing to sacrifice basic human rights to get our hands on them. People do not always know the value of their personal data, or value it so low that they are willing to give it up for peanuts (or a chocolate bar).

Often it is ignorance, and we are not aware that our gadgets or services are giving away important personal data. And then there are those of us who are aware of this fact, and are counting on our provider to treat our personal data properly, or at least according to their privacy statement, which of course we check thoroughly before buying or starting to use such gadget or service.

A few examples:

Ever wondered how much your personal data are worth in the open market? Are you even aware that your personal data are being traded by and between companies and may be easily bought by criminals? Well, be assured that there is a price tag on your data.

If you take a look at the Swipe Toolkit Data Calculator, you will see the value of each piece of personal data. According to this tool, a date of birth is worth US$2.00 in the open market, while a postal address is worth US$9.95. Now, imagine how much your personal data is worth in total? According to Ezine Articles, the price of personal data has dropped in the recent years. This only means access to your data is becoming increasingly easy; your identity is very highly likely to be stolen.

Economic crisis, downsizing, budget issues, bankruptcy. These seem to be some of the more common issues faced by many companies today - so much so that if one approaches them concerning P-R-I-V-A-C-Y, they would show you the front door!

Who has the time to bother about someone's privacy and personal data when there are more "important" issues at hand? Perhaps at first glance, the protection of privacy seems minute at times like these, and even the data subject is not too concerned about the way his data is being handled - he has more pressing matters to think about such as the possibility of losing his job, going bankrupt and so on.

Nevertheless, do take note that whilst these matters affect your way of living and demand your immediate attention, they are not permanent - and life will go on, even if it is not the way we wish it to be. On the other hand, privacy and personal data IS your life - be it on paper or in an electronic carrier, and once breached, can have a lasting negative effect greater than we can imagine. Remember, the right to privacy is sacred, and should be protected - even in times of difficulty, because when the economic sun is shining again, you'll be glad you did.

Whilst unwanted electronic messages to natural persons are already taboo in the Netherlands, as of July 2009, spam will be completely prohibited - extending the illegality of spam to cover companies and other organisations. Indeed, this is the result of a modification to the existing Telecoms law.