Lee & White

It has happened again. It seems to be getting more and more frequent these days for organisations to lose or mishandle personal data belonging to employees, clients and/or suppliers. Proper security measures and procedures are not instituted or even if they are, these procedures are not complied with in the daily operations of the organisations.

It is a great shame that these companies cannot grasp the simple concept of privacy and its extreme importance. I cannot emphasize how vital the protection of personal data is. How many times must those advocating for privacy and the protection of personal data repeat the recurring problems that the world is facing with regard to such loose dissemination of personal information? Why can people not see the harm it is causing or likely to cause? Do you think it only happens to someone else and it is far-fetched to think it could happen to you?

Toyota Brussels is of no exception. It has joined the ever-growing pool of misfit companies with regard to the manner in which they handle personal data. The personal data of 2000 employees has gone missing. Great confidential information such as name, address, national number, date of birth and the names of partners and children of these 2000 members of staff.

According to spokesperson Etienne Plas, one of its employees took the CD with him and it was claimed to be stolen while using public transport on November 19. 'Of course, the disc should never have left our premises, but the employee was still young and inexperienced. We are taking the whole responsibility upon ourselves as a company, the man has hence not been fired.'

So, the mishap occurred on November 19. But when was this actually discovered by Toyota Brussels seeing that it is only out in the papers today, December 13? In the meantime, what has been happening to these personal data? Toyota Brussels says that the police and insurance companies have reassured the company that the chance of criminal abuse of the data is very small. It is confounding that they minimise the risk of abuse to make things not as bad as they seem. Everyday, personal data up for grabs are used by criminals for their benefit in every possible way - ranging from identity theft to kidnapping.

It is always the same sad story with these companies in Belgium. Never realising the risk, never understanding the consequences of failing to protect privacy. When such things happen in other EU member states such as the UK, the risk is not downplayed. It is emphasized repeatedly because the worst is possible. Yes, just take a look at one example from the UK's recent data loss which put 25 million people at risk of identity theft. At least they admit there is such a risk.

Toyota finds that the fact that the data is now up for grabs in the streets is very regrettable and apologises. But do you know what is truly regrettable Toyota? That you did not establish proper security measures and made sure they were followed through in the first place.

When we talk to people about the risks of publishing their own personal data on personal websites or social networking sites, their first reaction would usually be that they enjoy the fact that their friends or family members can see how they are and keep contact with them. They usually do not understand the implications of publishing on a world wide web without boundaries.

1. Search Engines

Search engines such as Google index and cache the information you publish on the web and keep this for an undetermined time on their servers. This can happen within seconds, so even accidentally publishing information and then -relatively- immediately removing it can already be too late, as the information can already be copied.

Any Internet-savvy user can use Google and other search engines to draw up a complete personal file of any person, including date of birth, address, mobile number, email address, work history, relatives and friends.

2. Aggregation

Blogging is very popular these days, and you can pen down your thoughts and feelings and share them with your friends.

What most people do not realise is that the standard settings of these blog sites (such as Blogger) are set in such a way that any posting is immediately sent (pinged) to aggregation sites (such as Feedburner), which aggregate part or complete articles and present them on their site. Some of these sites are also owned by or affiliated with search engine sites (resulting in the action above).

Furthermore, the aggregation is made using the initial post, so if you write a harsh article and then after consideration mellow it down, chances are great that the original article is not updated in the aggregation or search engine sites.

Most sites include a feature called RSS, which allows users to keep an eye on your site and get an alert when information is updated. For example, our site also publishes an RSS feed here.

This means that the lag time between publishing and reading is shortened even more, reducing your chance to correct mistakes.

3. Archiving

Certain websites keep a cache or archive of many sites on the Internet. Google is one example, another one is www.archive.org. Have a look at what Microsoft's website looked like in October 1996, or Google inJanuary 1999, or even November 1998.

Then have a look at your own information, and think what people in 2018 will think of this.

When it comes to children, which parent does not want to announce to the world all about theirs?

And let me add, what better way to "boast" (for lack of a better word) than by setting up a website displaying all possible information about your child/children?

Indeed, from the start of the child's life to his/her daily development, many uninformed parents today seem to be putting up websites with all kinds of personal information regarding themselves and their children. Some soon-to-be parents even set up websites counting the days to their child's birth.

You will usually and easily find the following information about a child in the order below:

1. at birth - name of child, name of parents, weight and height of child, time of birth, contact details of the family for well wishes, and not to forget, pictures! Yes, and these pictures sometimes include pictures of their little ones in the nude - which in my opinion should not be published. You may think it is simply innocent and your child may look absolutely adorable, but in today's society where paedophiles roam and child pornography is rampant, I think it is better to keep your precious moment locked in your cupboard rather than displaying it on a global communications network!
2. after birth - daily/monthly development of the child, pictures, likes/dislikes of the child, hobbies, etc, and again, contact details including the home address and phone number. Basically, you will know all about the child just by browsing through the website and never needing to have met him/her. And if a stalker or a kidnapper happens to be on the hunt for your child, how much easier can it get for them? The parent has given them all they need to know.

What is wrong in wanting to share all about your child? Everything.

Let us look at it from the perspective of the Belgian law of 8 December 1992 on the protection of privacy.

We know that the Internet is a communication means that, in comparison to other communication means, promotes the distribution of and access to information freely and on a world scale. Such a distribution can easily bring with it a loss of control of the individual over his data which he has communicated online.

There are many who cannot imagine that, when they disseminate personal information online, this data will be able to be used numerous times. This observation is even more apparent when children are surfing the Internet. Why?

Well, a child is himself in a weak position when he comes into contact with third parties via the Internet: he/she is more impressionable than an adult, less suspicious and probably does not know all his rights. Given the fact that a child is innocent, impressionable and vulnerable, the law seeks to protect him/her by ensuring that his/her personal information is not freely available both on and off the Internet and that whatever information available is kept secure and only obtained by outsiders with the permission of his/her parents.

Now take note. The law assumes that parents (who have supposedly reached the understanding capacity age) will take care and exercise their parental responsibility to protect and guard their children against harm. The law in fact entrusts parents with this duty. It goes without saying then that parents should only give permission to third parties to handle their children's personal information in necessary circumstances. All this is said on the acceptance of a child's vulnerability.

Further on, whilst the granting of permission usually requires it to be anexpressed permission, a parent who sets up a website for himself and divulges his child's personal information is actually impliedly giving the world (an uncountable number of third parties) permission to make use and sometimes abuse such personal information.

Can we stop to imagine the worst that could happen given the availability of such information concerning the child?

For example, there is nothing stopping outsiders from profiling the family and saving the pictures of the child/children made available by his/her parents on the website by simply right-clicking with the mouse. Only God knows the potential abuse of innocent children's pictures that could take place.

If we look at the Belgian Privacy Commission's recommendation concerning the protection of the privacy of minors on the Internet, when it concerns the distribution of pictures of minors, not only must their preceding permission be obtained, but also those of their parents in the case of a minor who has not yet reached the understanding capacity age. Just as it is with the case of sensitive data, so also is a picture of the object of a specific protection, framed with the theory of the right to image. By virtue of these provisions, in principle, the permission of the person concerned must be obtained for every use of his picture.

Thus, those who wish to handle personal information including pictures, must obtain the expressed permission of the data subject, and in the case of children, the permission of their parents.

But if parents themselves seem to shirk their responsibility in this matter and make such personal information including pictures of their children so readily available for abuse, then what more can the law do to protect these young ones? Who is to blame when something does go wrong? Do stop to ponder on what I have just said. Is what I am saying so far-fetched? I do not think so. Not in today's world at least. We are certainly not living in the age of well-manicured gardens, dutiful housewives and newspaper-pipe-slippers husbands.

So, the next time you want to set up a website with your little child's pictures and personal details on because you are bursting with pride, think. Don't just feel. Then think again.