Lee & White

Dedicated to Excellence
  • Home
  • About Us
  • Services
  • Blog
  • Press
  • Publications
  • News
Home > Blog
Go Back

  • Permission is the key

    Tuesday, November 18, 2008

    Whilst unwanted electronic messages to natural persons are already taboo in the Netherlands, as of July 2009, spam will be completely prohibited - extending the illegality of spam to cover companies and other organisations. Indeed, this is the result of a modification to the existing Telecoms law.

    Companies or organisations continuing to spam after the 1st of July 2009 can be punished with a maximum fine of 450,000€. If spam is still sent, then a complaint is possible on the spamklacht.nl site. The OPTA (Independent Post and Telecoms Authority, the Netherlands) will be supervising compliance to the law. Only upon explicit permission to receive such electronic messages (including SMS and faxes), can these be sent to the receiving party.

    And what is the situation in Belgium?

    In Belgium, permission is the general rule, with a limited number of exceptions.

    With the Belgian E-commerce law, the opt in rule for publicity electronic messages is in effect. One can only send electronic messages for publicity purposes where there is a preceding authorisation. Also, the commercial communication, including its presentation, must be immediately recognisable to the receiving party as being such upon receipt of that communication. If this is followed, then it is technically not spam.

    However, the opt-in rule is subject to a few exceptions, making it a soft opt-in approach:

    First Exception: Own customers/clients
    The rule is exempted where the commercial communication is aimed at the organisation's own customers/clients (natural or legal persons). This exception only applies in the following conditions:

    a) The organisation has directly obtained the contact data of the person concerned in the course of a sale of a good/service. [NB: The privacy law concerning the collection of such data must be respected].

    b) The electronic contact data are exclusively used for similar products and/or services which the organisation itself provides.

    c) The organisation gives the customers (when the electronic data are collected) the possibility of objecting to the use of such data in an easy manner and free of charge.

    Second Exception: Legal persons
    The opt-in rule is exempted if the following 2 conditions are met:>

    a) If the contact data is impersonal, and

    b) If the product promoted is intended for that legal person.

    Hence, by laying down these ground rules, one can surely see that there is no room for spamming.

    So get the intended recipient's permission first if you can't resist sending that commercial communication of yours! 

    Read the Full Story

    Posted by: Lee & White

    Category:

    Tags Private Persons Personal Data Spam Organisations Internet IT

  • Protecting People's Data

    Friday, August 29, 2008

    Confidential Data TheftOne of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

    Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

    Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

    Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

    They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

    According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

    Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

    Read the Full Story

    Posted by: Lee & White

    Category:

    Tags Data Breach Personal Data Organisations IT

  • When selling a computer is more than selling a machine

    Wednesday, August 27, 2008

    The frequency of one's personal data being so loosely taken care of is growing alarmingly fast these days. Then again, is it only now that such data is being mishandled, or has it been the case all along? Perhaps horror stories of mishandling of personal data have only recently emerged in the news owing to a growing awareness on the importance of privacy? If that was true, imagine the number of years gone by without our knowledge of the immensity of the abuse and mishandling of our personal data!

    So what is the current horror report on personal data floating around?
    "Bank customer data sold on eBay" - how does that sound? Frightful, I should think.

    Yes, this is one of the latest reports by the BBC News concerning the commencement of an investigation into how a computer containing bank customers' personal data was sold on eBay.

    According to the report, the computer was purchased by an IT manager for GBP77 and contained sensitive details of customers of three companies - including Royal Bank of Scotland (RBS) and its subsidiary Natwest, on its hard drive. Some of the details included customers' signatures, mothers' maiden names and mobile phone numbers.
    Now, was this due to carelessness and negligence on the part of these banks? How did the computer get on the eBay market for sale? All will be revealed after the investigation, I suppose.

    However, it surely does not look good for these banks to have made such a blunder - since security and protection of personal data is of utmost importance and this is a duty that should never have been shirked in the first place.

    Read the Full Story

    Posted by: Lee & White

    Category:

    Tags Private Persons Personal Data Organisations IT

  • The Early Bird

    Tuesday, August 19, 2008

    We manage IT projects on a daily basis, and in every project there is the returning constant of processing personal data.

    I must say that most clients we have worked with show the goodwill to properly handle personal data, but sometimes other priorities, like financial limitations or time constraints, make it such that proper processing is seen to be a lower, if not the lowest priority.

    Sometimes we get called in to audit a company to check existing processes and applications for compliance to data processing laws. We then need to inventorise what kind of data is kept and where, how it is handled, and what the procedures and communications are. Basically, a thorough in-depth audit that involves and affects all levels of the business.

    When we are involved from the very start, we can, even already on a requirements or functional level, pinpoint where issues would arise, and through small changes in the design and implementation process, ensure that applicable laws and good practices are met.

    It is the same for all problems; if you can catch and fix it at an early stage, the cost is a factor lower than if you have to fix it at a later stage. If, of course, even at that stage you do not fix it, then the cost of being caught after go-live is enormous. This can not only have financial implications, but also cause damage to reputation and brand, as well as have criminal consequences.

    A data protection officer should be involved at every stage of a new project. He should validate business requirements, check functional analyses, approve technical designs and audit proper handling after go-live. If properly executed, the amount of time (and budget) spent on this role would be minimal, and as such only big corporations need a full FTEto perform this role. Most companies can hire external consultants to do this on a part time or time and material basis.

    Some companies make the mistake of asking their in-house legal department or company lawyer to advise on data protection issues. Unfortunately, these individuals are not specialized to give this kind of advice and are usually fully booked to solve other company related legal issues. Also, they might be too deeply involved in the business to give impartial advice.

    Specialized legal consultants have the experience and know-how through different projects to handle these kind of problems on a daily basis. They can also deliver impartial advice without risk of conflict of interest.

    So, in conclusion
    1. Hire a professional to get a professional job done.
    2. Fix problems before they arise.
    3. Do not ignore laws and best practices.

      Read the Full Story

      Posted by: Lee & White

      Category:

      Tags Personal Data Organisations IT

    1. How your personal data is collected on a website.

      Wednesday, July 30, 2008

      The InternetWhen you surf on the Internet, and browse through a website, do you realise some of the methods by which your personal data are collected?

      Well, there are several ways:

      Personal data visibly collected on the website
      If you are aware that you are providing personal details on a website, then the website is visibly or explicitly processing personal data. To that extent, you can control the type of personal data you wish to divulge.

      Some ways in which personal data can be visibly collected include:

      Forms
      Most websites have more than one type of form, depending on the purpose of the form. Since forms are usually designed for a particular purpose, they are a good way of ensuring only relevant data is collected. At the same time, you can easily deduce and have a minimum form of control over the personal data you wish to provide - based on the fields you must fill in prior to submitting the form.

      Email forms however, may be contentious. Using an email to send the form is not a good system as it gives rise to the possibility of collecting another email address which is not disclosed by the user for some reason. For example, the sample below marks Name, Surname, Street and number, Postcode and Municipality as mandatory whilst email is amongst the optional fields.

      Online FormHence, whilst testing this form, I opted to leave out my email address. However, upon clicking SUBMIT, the message as seen below appeared and my email address would nevertheless be collected by the website despite negating to disclose it initially.

      Email
      Whether it is a mail-to function (an email link on the website) which enables you to contact the organization by clicking on the email link, or it is an email address given on the website for contact without the link, you will divulge your personal data such as your email address and name in the email you send. Postal address, phone and fax, phone calls made, faxes sent, or letters written to the organization, will also lead to personal data being divulged by you in the course of obtaining more information about the organization.

      To that extent, it does not differ from online forms on the website as the purpose is the same, and you should be informed that your personal data will/may be collected through these means as well.

      Personal data invisibly collected on the website
      This is where you are unaware of the collection - usually where a specific technology is used to perform the collection, unknown to you.

      Technology per se is advantageous, but it can unfortunately, prove to be a menace as
      well - sometimes by design, at other times by surreptitious use.

      Cookies are a common method of invisible collection and are widely used on websites. Here, it is important that you are informed of the technology used to collect your personal data. Otherwise, being unaware, you are no longer in control of your personal data and such act is a breach of privacy.

      Hopefully, this brief information on the subject will give you a hint on what to look out for before disclosing your personal data.

      For an in-depth read on the subject, please consider the Privacy Report 2006 on the compliance of Belgian non-profit organizations' and political parties' websites with regard to the processing of personal data in accordance with the Belgian Law on Privacy Protection in relation to the Processing of Personal Data, implementing European Union Directive 95/46/EC.

      Read the Full Story

      Posted by: Lee & White

      Category:

      Tags Private Persons Personal Data Organisations Internet IT

    2. What's the big deal anyway?

      Thursday, May 1, 2008

      "What's the big deal anyway?". A remark we hear very often when discussing personal data issues."Nothing to be concerned about, who would be interested in my personal data, and what can they do with it anyway?"

      Everyone agrees that a credit card number or bank account number is not something you should share (even Jeremy Clarkson eventually). But what can people do with my name and address, social security number or date of birth?

      Personal data can be used for identity theft - impersonating someone by using as much as you know about that person to get financial or other benefit in that person's name. For example you could go to a bank and request - and receive - a new credit card in the name of the person you are impersonating, with the bills of course being sent to the original person.

      How do criminals get their hands on your data? Everybody knows about skimming - a technique where a debit or credit card gets copied by attaching a small device onto an ATM machine. Another well known technique is to steal files from people's computers, by hacking them or by installing viruses or Trojan horses. And of course there is social hacking, asking seemingly harmless questions to a person online or in person, and using that information to build a complete profile.

      And criminals move with the times. A BBC team exposed, in a proof of concept, how easy it is to socially hack Facebook and harvest information on other users, including names, passwords and other information.

      How do criminals use this data? It seems that data thieves set up data supermarkets to sell stolen personal data to whomever might be interested. Yes, you can get a working credit card number for a few euro, or even buy complete corporate log files (containing names and passwords, server locations, numbers and confidential information) for as little as 200 euro. When closed down, they just reopen on another location.

      Stuff to think about. Perhaps you will consider this the next time before revealing some of your personal data to anyone.

      Read the Full Story

      Posted by: Lee & White

      Category:

      Tags Data Breach Private Persons Personal Data Organisations Internet IT

    3. The fine print

      Saturday, March 1, 2008

      TelecommunicationsFinally something is happening in the Belgian Data Protection World.

      OIVO, the research and information centre of the consumer organisations in Belgium, has filed a complaint against the Belgacom group to the Privacy Commission and the Federal Ministry of Economics.

      OIVO states that the privacy notification on the invoices sent out by Belgacom clause is a violation of the Data Protection law. This notification states that 'customer data is stored in databases of the Belgacom group (Belgacom nv, Belgacom Mobile, Telindus, Skynet) and can be used by any member of that group for customer management and to send commercial information'. It also states that if a customer does not want to receive such commercial information, it should contact customer service.

      This violates the data protection law on several points
      1. Belgacom has not given the customer the option to opt-in to commercial information.
      2. Belgacom does not mention how to contact customer service (address, email, phone number) and that this would be free of charge.
      3. Belgacom does not inform exactly what will be done with the personal data.
      Belgacom is surprised at the complaint from OIVO and state that they comply with the law by providing the opt-out option. A letter was sent to every Belgacom customer to launch the new free 0800 customer service number, which was sufficient information as already 13.592 people have called and noted that they do not want to receive personal data. They also note that OIVO's approach is not elegant and that they should have contacted Belgacom directly first.

      Of course OIVO's point of view is correct, and I am not surprised by Belgacom's reaction, as it is one of the most heard excuses used by companies and organisations. Even though Belgacom is making an effort to implement the data protection law, it needs to go the extra mile and do it exactly right.

      Read the Full Story

      Posted by: Lee & White

      Category:

      Tags Personal Data Organisations IT

    4. The privacy breach of one Dutch company

      Monday, January 14, 2008

      Dutch care insurance company, CZ, recently made the headlines as a result of a faulty online quote system. Personal information of about 55000 people with regard to past applications could be retrieved by other parties. Such information included the
      date of birth, bank numbers, social fiscal numbers, gender, name, address, post code, phone number and email address of these people. The online quote system has been removed from CZ's website.

      The blunder was first discovered by two programmers who used the system for a quote and found the leak. CZ was informed of this but five days later, the information was still accessible and this led to contact with the newspaper, Algemeen Dagblad.

      Whilst there is no proof of abuse of such personal information - or no proof yet, the fact that such a leak is happening should be sending warning bells to us. How many more websites visited are carelessly giving access to the same? How many more companies are just as negligent? This is just the privacy breach of one Dutch company - its negligence in implementing proper security measures to protect these personal information.

      Also, if you look at CZ's website, you will come to discover that the vital online privacy policy which should be available to inform visitors of CZ's privacy practice and security is lacking.

      What you should always look for when surfing on a website is its privacy policy and if you are not satisfied, do grill the organisation on it without divulging too much personal information. Use a pseudonym, or create a separate email account without using your name. Do read our previous entry Who is abusing my email? for more information on this.

      Well, just to let you know that personal information is carelessly handled everyday.

      Read the Full Story

      Posted by: Lee & White

      Category:

      Tags Private Persons Personal Data Organisations Internet IT

    5. Who is abusing my email?

      Tuesday, January 8, 2008

      SpamSummary: This article will show you how to stop people abusing your email address or at least find out who did.

      You start a company, you register a domain and you get yourself a nice email address with your name in it, firstname.lastname@mydomain.com, and everything is great.

      You now have a prestigious address at your own company and as nobody knows the email address, you receive no spam.

      And then you register with a few online websites, known or not, and suddenly the spam starts to trickle in, more and more each day, until it turns into a flood that wastes your time and often contains risks such as phishing mails and viruses.

      So what can you do? You can hardly change your name or company name. Listed below are a few options:

      1. Use another email address

      There are a lot of well known free email providers such as gmail.com,yahoo.com, hotmail.com, only to name a few, where you can get a free email address to receive your registration information.

      Another option is to use a disposable email address, which saves you the hassle of having to close down your email address once you received what you needed to receive. A few of these: Mailinator, NoClickEmail, or10MinuteMail. Just Google for 'temporary email' to find more providers.

      The downside of this method is that once your free or disposable email address is closed down, critical and genuine information can be missed.

      2. Track usage of your email address

      A little known fact is that you can append information before the @ sign in your address by using the + sign.

      An example: you visit a website called spammersite.net and you are asked to register your email address.

      For this, append +spammersite.net to your name, registering firstname.lastname+spammersite.net@mydomain.com. Emails sent to that address will be received on firstname.lastname@mydomain.com, but you will be able to see the extra information in the 'to:' field, showing you who has been messing with your information.

      Note that although most providers support this, it will not work with some. Send a test mail to yourself (with the + suffix) to test if it works.

      The downside of this method is that you are not stopping spam, but at least you can learn where it came from, taking legal steps to stop them.

      If you have any questions regarding this or other articles in this blog, send an email to comments@leeandwhite.com after reviewing our Privacy Policy.

      Read the Full Story

      Posted by: Lee & White

      Category:

      Tags Personal Data Internet IT

    6. The secret of a good password

      Wednesday, January 2, 2008

      Strong passwordNumerous incidents of data loss or theft have occurred all through 2007 and before. A recurring cause of these incidents is the human factor. Information Technology these days is quite secure, and scam artists are turning more and more to the human factor as it is much easier to crack than those highly protected IT systems.

      If you look at the incidents that happened in 2007, you will notice that most were due to human error: a junior sending CDs with unauthorized copies of databases, mail getting lost, laptops and thumb drives getting stolen, gullible and greedy people getting scammed, user accounts being compromised.

      The latter is usually quite easy, as most people choose an easy to remember password such as the name of their child, spouse, dog or their date or city of birth. You would be surprised how many people still keep a post-it note with their password stuck to their screen or in their top desk drawer. Some even store it on their mobile phone.

      Some of the rules for a good password:
      • You need to be able to remember it without writing it down.
      • Do not reuse a password and use a different password for every user account or site.
      • Make it sufficiently long and complex so it cannot be easily be 'guessed' or 'cracked'.

      To avoid making passwords easy to guess or crack:

      • Use a password of at least 10 characters long.
      • Use a mix of upper- and lowercase letters, numbers and punctuation characters.
      • Do not use dictionary words, in your own or a foreign language, forward or reversed.
      • Do not repeat characters.
      • Do not use personal information such as your name, your spouse's name, phone numbers, memorable dates, your car registration or house number.
      • Do not encode dictionary words, substituting letters by numbers ('l' by '1' and 'e' by '3' in 'letter' to '13tt3r').

      The secret to making a password memorable and unique is to use a mix of the above techniques with a few memorable and/or imaginary words.

      For example, I need a password for my Facebook account. To create this, I will interleave the following ingredients:

      • an imaginary word with mixed case: 'sLopAry',
      • a memorable number, part of my phone number, namely the middle 4 digits: 1234,
      • some punctuation marks: * and ",
      • the name 'Facebook'
      Then the password would be: sLop12*Fcbk"34Ary composed of
      • The first 4 letters of my memorable word,
      • 2 digits of my memorable number,
      • the first punctuation mark,
      • the consonants of 'Facebook',
      • the second punctuation mark,
      • the last 2 digits of my memorable number
      • and finally the last 3 letters of my memorable word.

      If you would apply the same method for your LinkedIn account, you would obtain the following password: sLop12*Lnkdn"34Ary

      Devise a variation of the above algorithm, using the principles outlined, and you will have your own algorithm that allows you to create a unique password for every site you visit.

      It is important to keep a record of all sites where you used this method (not the passwords themselves), as it is imperative that you change all passwords created using this algorithm if one of the sites gets compromised, through whatever reason.

      Read the Full Story

      Posted by: Lee & White

      Category:

      Tags IT

    1    2    3   

    Archive

    • 2014
      • March 2014
    • 2013
      • October 2013
      • July 2013
      • May 2013
    • 2012
      • March 2012
      • February 2012
      • January 2012
    • 2011
      • December 2011
      • July 2011
      • June 2011
      • May 2011
      • April 2011
      • February 2011
    • 2010
      • December 2010
      • September 2010
      • June 2010
      • May 2010
      • April 2010
      • February 2010
    • 2009
      • October 2009
      • August 2009
      • June 2009
      • April 2009
    • 2008
      • November 2008
      • October 2008
      • August 2008
      • July 2008
      • June 2008
      • May 2008
      • April 2008
      • March 2008
      • February 2008
      • January 2008
    • 2007
      • December 2007
      • November 2007


    Tags

    • Best Practices (11)
    • Business Incentive (1)
    • Data Breach (8)
    • Data Handling Manual (5)
    • Data Protection Officer (1)
    • EU (4)
    • FSA (1)
    • Government (13)
    • Human Rights (6)
    • Internet (21)
    • IT (21)
    • Organisations (40)
    • Personal Data (48)
    • Private Persons (30)
    • Spam (4)
     

    Copyright © 2003-2025 Lee & White®. All rights reserved.

    Legal Notice  -  Privacy Policy  -  Contact