Lee & White

Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

So what is the current horror report on personal data floating around?

"Bank customer data sold on eBay" - how does that sound? Frightful, I should think.

Yes, this is one of the latest reports by the BBC News concerning the commencement of an investigation into how a computer containing bank customers' personal data was sold on eBay.

According to the report, the computer was purchased by an IT manager for GBP77 and contained sensitive details of customers of three companies - including Royal Bank of Scotland (RBS) and its subsidiary Natwest, on its hard drive. Some of the details included customers' signatures, mothers' maiden names and mobile phone numbers.

Now, was this due to carelessness and negligence on the part of these banks? How did the computer get on the eBay market for sale? All will be revealed after the investigation, I suppose.

However, it surely does not look good for these banks to have made such a blunder - since security and protection of personal data is of utmost importance and this is a duty that should never have been shirked in the first place.

We manage IT projects on a daily basis, and in every project there is the returning constant of processing personal data.

I must say that most clients we have worked with show the goodwill to properly handle personal data, but sometimes other priorities, like financial limitations or time constraints, make it such that proper processing is seen to be a lower, if not the lowest priority.

Sometimes we get called in to audit a company to check existing processes and applications for compliance to data processing laws. We then need to inventorise what kind of data is kept and where, how it is handled, and what the procedures and communications are. Basically, a thorough in-depth audit that involves and affects all levels of the business.

When we are involved from the very start, we can, even already on a requirements or functional level, pinpoint where issues would arise, and through small changes in the design and implementation process, ensure that applicable laws and good practices are met.

It is the same for all problems; if you can catch and fix it at an early stage, the cost is a factor lower than if you have to fix it at a later stage. If, of course, even at that stage you do not fix it, then the cost of being caught after go-live is enormous. This can not only have financial implications, but also cause damage to reputation and brand, as well as have criminal consequences.

A data protection officer should be involved at every stage of a new project. He should validate business requirements, check functional analyses, approve technical designs and audit proper handling after go-live. If properly executed, the amount of time (and budget) spent on this role would be minimal, and as such only big corporations need a full FTEto perform this role. Most companies can hire external consultants to do this on a part time or time and material basis.

Some companies make the mistake of asking their in-house legal department or company lawyer to advise on data protection issues. Unfortunately, these individuals are not specialized to give this kind of advice and are usually fully booked to solve other company related legal issues. Also, they might be too deeply involved in the business to give impartial advice.

Specialized legal consultants have the experience and know-how through different projects to handle these kind of problems on a daily basis. They can also deliver impartial advice without risk of conflict of interest.

So, in conclusion

Hence, whilst testing this form, I opted to leave out my email address. However, upon clicking SUBMIT, the message as seen below appeared and my email address would nevertheless be collected by the website despite negating to disclose it initially.

Email
Whether it is a mail-to function (an email link on the website) which enables you to contact the organization by clicking on the email link, or it is an email address given on the website for contact without the link, you will divulge your personal data such as your email address and name in the email you send. Postal address, phone and fax, phone calls made, faxes sent, or letters written to the organization, will also lead to personal data being divulged by you in the course of obtaining more information about the organization.

To that extent, it does not differ from online forms on the website as the purpose is the same, and you should be informed that your personal data will/may be collected through these means as well.

Personal data invisibly collected on the website
This is where you are unaware of the collection - usually where a specific technology is used to perform the collection, unknown to you.

Technology per se is advantageous, but it can unfortunately, prove to be a menace as
well - sometimes by design, at other times by surreptitious use.

Cookies are a common method of invisible collection and are widely used on websites. Here, it is important that you are informed of the technology used to collect your personal data. Otherwise, being unaware, you are no longer in control of your personal data and such act is a breach of privacy.

Hopefully, this brief information on the subject will give you a hint on what to look out for before disclosing your personal data.

For an in-depth read on the subject, please consider the Privacy Report 2006 on the compliance of Belgian non-profit organizations' and political parties' websites with regard to the processing of personal data in accordance with the Belgian Law on Privacy Protection in relation to the Processing of Personal Data, implementing European Union Directive 95/46/EC.

With this right, we are able to strengthen essential values such as the freedom of thought, conscience and religion and the freedom of expression.

And alongside this right is a duty to protect it. This fundamental duty affects everyone as employers/persons processing personal data. Basically, if you determine the purposes and means of processing personal data, whether or not you are a natural person, you become the data controller and you are imposed with the duty to protect the right to privacy. Of course, failure to uphold your duty would give rise to illegal intrusions to the personal data and privacy of those whom you are supposed to protect and consequentially, you will be held responsible.

So whose personal data are you responsible for? You are responsible for all personal data that you collect apart from those you collect in the course of exclusively personal or household activities, for the processing of personal data carried out exclusively for journalistic, artistic or
literary expression purposes, or for public security.

Hence, your responsibility encompasses the protection of personal data belonging to your employees, potential and actual customers and suppliers, visitors, consultants and job applicants.
Of course, your duty to protect personal data does not imply a prevention of processing that personal data. To do so would paralyse businesses. It is indeed unavoidable that a data controller will process personal data.

However, whilst you, as the data controller, can establish that processing personal data is a necessary course of business, you must not be allowed to abuse the personal data received. It's a balancing act of right and duty. The only way to resolve the conflict of interests between
the company and the individual is by building trust into the individual who is about to divulge his personal data.

And transparency in processing personal data is the source of that trust relationship. Offer this from the very instant personal data is about to be collected and this attitude of yours towards upholding a person's privacy (both online and offline) will measure your failure or success in building a relationship with your customers, gaining their trust and developing that essential viable edge in the marketplace.

Believe it or not, you stand to gain a lot when you comply with your duty. It is a chain reaction - so get the ball rolling.

Everyone agrees that a credit card number or bank account number is not something you should share (even Jeremy Clarkson eventually). But what can people do with my name and address, social security number or date of birth?

Personal data can be used for identity theft - impersonating someone by using as much as you know about that person to get financial or other benefit in that person's name. For example you could go to a bank and request - and receive - a new credit card in the name of the person you are impersonating, with the bills of course being sent to the original person.

How do criminals get their hands on your data? Everybody knows about skimming - a technique where a debit or credit card gets copied by attaching a small device onto an ATM machine. Another well known technique is to steal files from people's computers, by hacking them or by installing viruses or Trojan horses. And of course there is social hacking, asking seemingly harmless questions to a person online or in person, and using that information to build a complete profile.

And criminals move with the times. A BBC team exposed, in a proof of concept, how easy it is to socially hack Facebook and harvest information on other users, including names, passwords and other information.

How do criminals use this data? It seems that data thieves set up data supermarkets to sell stolen personal data to whomever might be interested. Yes, you can get a working credit card number for a few euro, or even buy complete corporate log files (containing names and passwords, server locations, numbers and confidential information) for as little as 200 euro. When closed down, they just reopen on another location.

Stuff to think about. Perhaps you will consider this the next time before revealing some of your personal data to anyone.