Lee & White LWC24/7 Blog

Go Back

A True Story

Friday, April 23, 2010

A few weeks ago, Rachel called up her mobile phone service provider to change her subscription package. The Customer Service Officer who attended to her was a Mr. Hendricks who was very efficient in dealing with Rachel’s request.

A few hours after the call, Rachel received a call from Mr. Hendricks who told her that he found her voice very attractive and would like to take her out for dinner. Now, Rachel turned him down as she has a boyfriend. Mr. Hendricks was disappointed but decided he would keep calling, and after several calls and several refusals by Rachel, he decided he would press his luck and send a bouquet of flowers to her house.

Rachel was very frightened that Mr. Hendricks knew where she lived, and that he had complete access to all her personal information. She now has complete distrust in her mobile phone service provider and decides she will cancel her account with them.

Question to the consumer: Do you know who has your personal information and what they are doing with it?

Question to the organisation: What are you doing to prevent privacy breaches like this?

(Names have been changed to maintain confidentiality)

Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Organisations
The ICO's new power

Wednesday, February 3, 2010

The UK's Information Comissioner's Office (ICO) has sharper teeth now to deter personal data security breaches - it can now serve monetory penalties of up to 500,000GBP to organisations for breaches of the Data Protection Act. The power is designed to deal with serious breaches of the Data Protection Act.

According to the ICO, for a data breach to attract a monetary penalty there must have been a serious breach that was likely to cause damage or distress and it was either deliberate or negligent and the organisation failed to take reasonable steps to prevent it. It gave the following examples:

Damage
Following a security breach by a data controller financial data is lost and an individual becomes the victim of identity fraud.

Distress
Following a security breach by a data controller medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise.

Deliberate
A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned.Now, this is a major step forward for a data protection authority (DPA), and it is about time.Unfortunately, at the moment, there are big differences regarding the position of the DPAs in the member states and not all the DPAs have the same power. According to the Article 29 Data Protection Working Party, this is because of differences in history, case law, culture and the internal organization of the member states.

Moreover, article 28 of Directive 95/46/EC lacks precision in several aspects, and has, to a certain extent, been poorly implemented in some jurisdictions -resulting in noticeable differences between the member states regarding, amongst others, the position, resources and powers of DPAs.In any case, with the growth of technology and globalisation, strong supervision and effective powers are needed by DPAs in addition to their current powers.

In Belgium, 97% of organizations' websites are non-compliant. If so, then the question is whether internally, these organizations are adhering to the data protection law.

Perhaps it is necessary for its Privacy Commission to be given a similar sanctioning power as that of the ICO. At the moment, the Privacy Commission has no teeth. Its powers are limited to advising, recommending and handling complaints. Coupled by the public's lack of awareness on data protection - which results in lesser complaints than the reality of the situation, many organizations abuse the situation and operate without fear or respect for the data protection law.It is hoped that someday soon, this will change.

Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Organisations
House for Sale

Wednesday, October 14, 2009

You are in search of a house. You visit real estate agents, you drive around, you enter the World Wide Web.

The Internet. A good place to gather as much information as you need without having to leave your home. Perfect. Let's get started.

You begin your search using the search engines available. Hundreds and thousands of links appear on your screen giving you information about houses available for sale, for rent, and other connected information. You are pleased.

You dig deeper - looking for the right area, for the right number of rooms, for the best price.

Ah, you finally find a few potentials in these websites.

You begin contacting the agent or the property owner via email or the contact form.

You divulge your personal information such as name, email address and contact number for a viewing.

At the same time, note that the property owner has given his personal information such as name, address of the house for sale/rent, email address and contact number on the website too.

Basically, if you have used the website's contact form, then that website has collected your personal information. It now has both yours and the property owner's personal information.

You wait for an answer.

Some time later, one of the property owners contacts you - surprised that you have his contact information and asking about his house which has been sold - 2 years ago!

Another email you receive is from the postmaster stating that the message you have sent has been delayed - the email address is probably no longer in use.

Now think. What is the website doing with all these personal information stored? Why isn't old information being removed? Contact information and pictures of houses of property owners who have sold their houses ages ago are still advertised on the website and misleads the visitor. And through this misleading information, the website collects your personal information as well. So what is going to happen to your personal information? Are third parties getting hold of your personal information? There is no privacy statement informing you of the handling of your data. You contact the website but you receive no answer.

The property owner is also not happy. He contacts the website for his information to be removed. Days later, he checks the website. His information is still there! Spammers happily clog his mailbox using his email address advertised on the website and he keeps getting phone calls about his sold house.

It is a nightmare.

Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Spam Internet
Tattletale gadgetry

Friday, August 14, 2009
We have all gotten so used to our gadgets that we are willing to sacrifice basic human rights to get our hands on them. People do not always know the value of their personal data, or value it so low that they are willing to give it up for peanuts (or a chocolate bar).

Often it is ignorance, and we are not aware that our gadgets or services are giving away important personal data. And then there are those of us who are aware of this fact, and are counting on our provider to treat our personal data properly, or at least according to their privacy statement, which of course we check thoroughly before buying or starting to use such gadget or service.

A few examples:
- Mobile phone Did you know that our mobile phones are 'anonymously' tracked for a range of services?
- Location based services You can now surf from your mobile phone to a service such as Google Maps which calculates your position - possibly using your built in GPS receiver - to inform you of the services that are available in your immediate vicinity.
- High street store loyalty card (and other credit cards) We are lured into using these cards, because they make us feel pampered by giving us a few small perks which the other customers do not get.
- Mobile Payments So convenient, we do not have to use coins anymore, or card. We can simply sms a message and the amount we want to pay for is automatically charged to our mobile phone bill.
I know that we cannot and should not stop technological evolution, but we need to ensure that every party involved treats personal data properly and always informs and gives the owner access to their personal data - which in the end remains their most personal property.
Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Internet IT
Your Personal Data is Priceless

Tuesday, June 9, 2009

Ever wondered how much your personal data are worth in the open market? Are you even aware that your personal data are being traded by and between companies and may be easily bought by criminals? Well, be assured that there is a price tag on your data.

If you take a look at the Swipe Toolkit Data Calculator, you will see the value of each piece of personal data. According to this tool, a date of birth is worth US$2.00 in the open market, while a postal address is worth US$9.95. Now, imagine how much your personal data is worth in total? According to Ezine Articles, the price of personal data has dropped in the recent years. This only means access to your data is becoming increasingly easy; your identity is very highly likely to be stolen.

The general public fail to see that their personal data is priceless, and what are the consequences for not safeguarding their data. Identity theft has become a rampant crime (it is no longer a matter of "if it happens to you" but "when it happens to you"), and does not take an intelligent hacker to profile a person. The problem lies in the lack of education given to the public about identity theft, and that their personal data is the weapon in this crime. By not protecting our data we are aiding these criminals - can you blame these criminals when your identity is stolen?

The government and the media play an important role in creating awareness in the public on these matters, as well as educating them on the importance of protecting their privacy; how they should do so; and the technologies around that are used to monitor and to gain access to their data. The BBC is to be commended on its new programme calledWho's Watching You? that investigates surveillance in the United Kingdom. Programmes such as these raise awareness that we are being watched, and make us value our privacy and the protection of our personal data for sad to say, our personal data is not so private.

So, the key point here is that the public must be educated on the value of their personal data, and organisations such as the Privacy Commission and the media ought to play an active role. Unfortunately, the current situation in Belgium is such that privacy is the last thing on anyone's mind. Try calling your phone company and find out how it protects the personal data it collects from you. Look at a website and see if there is a privacy statement available - it is after all, the first positive step towards upholding your privacy. You will find very few are concerned about the proper handling of personal data. Nevertheless, hopefully, you will enforce your right and put the necessary pressure on those who handle your personal data to take care of it. It begins with you.

Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Government Organisations
Privacy Always

Wednesday, April 29, 2009

Economic crisis, downsizing, budget issues, bankruptcy. These seem to be some of the more common issues faced by many companies today - so much so that if one approaches them concerning P-R-I-V-A-C-Y, they would show you the front door!

Who has the time to bother about someone's privacy and personal data when there are more "important" issues at hand? Perhaps at first glance, the protection of privacy seems minute at times like these, and even the data subject is not too concerned about the way his data is being handled - he has more pressing matters to think about such as the possibility of losing his job, going bankrupt and so on.

Nevertheless, do take note that whilst these matters affect your way of living and demand your immediate attention, they are not permanent - and life will go on, even if it is not the way we wish it to be. On the other hand, privacy and personal data IS your life - be it on paper or in an electronic carrier, and once breached, can have a lasting negative effect greater than we can imagine. Remember, the right to privacy is sacred, and should be protected - even in times of difficulty, because when the economic sun is shining again, you'll be glad you did.

Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Organisations Human Rights
Permission is the key

Tuesday, November 18, 2008

Whilst unwanted electronic messages to natural persons are already taboo in the Netherlands, as of July 2009, spam will be completely prohibited - extending the illegality of spam to cover companies and other organisations. Indeed, this is the result of a modification to the existing Telecoms law.

Companies or organisations continuing to spam after the 1st of July 2009 can be punished with a maximum fine of 450,000€. If spam is still sent, then a complaint is possible on the spamklacht.nl site. The OPTA (Independent Post and Telecoms Authority, the Netherlands) will be supervising compliance to the law. Only upon explicit permission to receive such electronic messages (including SMS and faxes), can these be sent to the receiving party.

And what is the situation in Belgium?

In Belgium, permission is the general rule, with a limited number of exceptions.

With the Belgian E-commerce law, the opt in rule for publicity electronic messages is in effect. One can only send electronic messages for publicity purposes where there is a preceding authorisation. Also, the commercial communication, including its presentation, must be immediately recognisable to the receiving party as being such upon receipt of that communication. If this is followed, then it is technically not spam.

However, the opt-in rule is subject to a few exceptions, making it a soft opt-in approach:

First Exception: Own customers/clients
The rule is exempted where the commercial communication is aimed at the organisation's own customers/clients (natural or legal persons). This exception only applies in the following conditions:

a) The organisation has directly obtained the contact data of the person concerned in the course of a sale of a good/service. [NB: The privacy law concerning the collection of such data must be respected].

b) The electronic contact data are exclusively used for similar products and/or services which the organisation itself provides.

c) The organisation gives the customers (when the electronic data are collected) the possibility of objecting to the use of such data in an easy manner and free of charge.

Second Exception: Legal persons

The opt-in rule is exempted if the following 2 conditions are met:>

a) If the contact data is impersonal, and

b) If the product promoted is intended for that legal person.

Hence, by laying down these ground rules, one can surely see that there is no room for spamming.

So get the intended recipient's permission first if you can't resist sending that commercial communication of yours!

Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Spam Organisations Internet IT
Data Handling Procedures

Monday, October 27, 2008

So, here we are again with another case in the series of data handling blunders. The recent careless use of personal data of the Luxembourg branch of Kaupthing bank confirms that proper data handling procedures are crucial. Email addresses of customers were leaked due to the misuse of email.

Inadequately defined procedures for data handling can, and will lead to improper and careless handling of personal data. We've seen this occur countless of times. For example, not too long ago, 25 million records were lost by the HM Revenue and Customs and according to the investigation, the problem was not with individual workers, but due to the lack of processes for data handling.

All organisations should have reasonable security measures to protect personal data from misuse, loss, unauthorised access, and abuse. These measures can be stated in a Data Handling Manual, and must be implemented in a way where all concerned parties are well informed of the handling procedures. It is simply a guideline for handling personal data that should and must be adhered to by all in an organisation.

Unfortunately, in most companies, not only are such manuals non-existent, but where there is such a manual, it is usually collecting dust in some shelf and most employees and contractors are not even aware of or do not adhere to the manual. The other problem is the fact that lack of adherence is usually not noted or if it is, it is not reprimanded regularly - well, at least until a big foul-up happens and becomes the headlines of major newspapers.

It is perhaps more than timely for organisations to draw up these guidelines and train their personnel, ensuring regular audits to maintain adherence - in addition to appointing data protection officers and registering processes of personal data.

If you would like some help in customising a data handling manual, please review our privacy policy and then contact Lee & White.

Read the Full Story

Posted by: Lee & White

Category:

Tags Personal Data Government Organisations Data Handling Manual
Protecting People's Data

Friday, August 29, 2008

One of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

Read the Full Story

Posted by: Lee & White

Category:

Tags Data Breach Personal Data Organisations IT
When selling a computer is more than selling a machine

Wednesday, August 27, 2008

The frequency of one's personal data being so loosely taken care of is growing alarmingly fast these days. Then again, is it only now that such data is being mishandled, or has it been the case all along? Perhaps horror stories of mishandling of personal data have only recently emerged in the news owing to a growing awareness on the importance of privacy? If that was true, imagine the number of years gone by without our knowledge of the immensity of the abuse and mishandling of our personal data!

So what is the current horror report on personal data floating around?

"Bank customer data sold on eBay" - how does that sound? Frightful, I should think.

Yes, this is one of the latest reports by the BBC News concerning the commencement of an investigation into how a computer containing bank customers' personal data was sold on eBay.

According to the report, the computer was purchased by an IT manager for GBP77 and contained sensitive details of customers of three companies - including Royal Bank of Scotland (RBS) and its subsidiary Natwest, on its hard drive. Some of the details included customers' signatures, mothers' maiden names and mobile phone numbers.

Now, was this due to carelessness and negligence on the part of these banks? How did the computer get on the eBay market for sale? All will be revealed after the investigation, I suppose.

However, it surely does not look good for these banks to have made such a blunder - since security and protection of personal data is of utmost importance and this is a duty that should never have been shirked in the first place.

Read the Full Story

Posted by: Lee & White

Category:

Tags Private Persons Personal Data Organisations IT