Lee & White

The UK's Information Comissioner's Office (ICO) has sharper teeth now to deter personal data security breaches - it can now serve monetory penalties of up to 500,000GBP to organisations for breaches of the Data Protection Act. The power is designed to deal with serious breaches of the Data Protection Act.

According to the ICO, for a data breach to attract a monetary penalty there must have been a serious breach that was likely to cause damage or distress and it was either deliberate or negligent and the organisation failed to take reasonable steps to prevent it. It gave the following examples:

Damage
Following a security breach by a data controller financial data is lost and an individual becomes the victim of identity fraud.

Distress
Following a security breach by a data controller medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise.

Deliberate
A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned.Now, this is a major step forward for a data protection authority (DPA), and it is about time.Unfortunately, at the moment, there are big differences regarding the position of the DPAs in the member states and not all the DPAs have the same power. According to the Article 29 Data Protection Working Party, this is because of differences in history, case law, culture and the internal organization of the member states.

Moreover, article 28 of Directive 95/46/EC lacks precision in several aspects, and has, to a certain extent, been poorly implemented in some jurisdictions -resulting in noticeable differences between the member states regarding, amongst others, the position, resources and powers of DPAs.In any case, with the growth of technology and globalisation, strong supervision and effective powers are needed by DPAs in addition to their current powers.

In Belgium, 97% of organizations' websites are non-compliant. If so, then the question is whether internally, these organizations are adhering to the data protection law.

Perhaps it is necessary for its Privacy Commission to be given a similar sanctioning power as that of the ICO. At the moment, the Privacy Commission has no teeth. Its powers are limited to advising, recommending and handling complaints. Coupled by the public's lack of awareness on data protection - which results in lesser complaints than the reality of the situation, many organizations abuse the situation and operate without fear or respect for the data protection law.It is hoped that someday soon, this will change.

Ever wondered how much your personal data are worth in the open market? Are you even aware that your personal data are being traded by and between companies and may be easily bought by criminals? Well, be assured that there is a price tag on your data.

If you take a look at the Swipe Toolkit Data Calculator, you will see the value of each piece of personal data. According to this tool, a date of birth is worth US$2.00 in the open market, while a postal address is worth US$9.95. Now, imagine how much your personal data is worth in total? According to Ezine Articles, the price of personal data has dropped in the recent years. This only means access to your data is becoming increasingly easy; your identity is very highly likely to be stolen.

Economic crisis, downsizing, budget issues, bankruptcy. These seem to be some of the more common issues faced by many companies today - so much so that if one approaches them concerning P-R-I-V-A-C-Y, they would show you the front door!

Who has the time to bother about someone's privacy and personal data when there are more "important" issues at hand? Perhaps at first glance, the protection of privacy seems minute at times like these, and even the data subject is not too concerned about the way his data is being handled - he has more pressing matters to think about such as the possibility of losing his job, going bankrupt and so on.

Nevertheless, do take note that whilst these matters affect your way of living and demand your immediate attention, they are not permanent - and life will go on, even if it is not the way we wish it to be. On the other hand, privacy and personal data IS your life - be it on paper or in an electronic carrier, and once breached, can have a lasting negative effect greater than we can imagine. Remember, the right to privacy is sacred, and should be protected - even in times of difficulty, because when the economic sun is shining again, you'll be glad you did.

Whilst unwanted electronic messages to natural persons are already taboo in the Netherlands, as of July 2009, spam will be completely prohibited - extending the illegality of spam to cover companies and other organisations. Indeed, this is the result of a modification to the existing Telecoms law.

So, here we are again with another case in the series of data handling blunders. The recent careless use of personal data of the Luxembourg branch of Kaupthing bank confirms that proper data handling procedures are crucial. Email addresses of customers were leaked due to the misuse of email.

Inadequately defined procedures for data handling can, and will lead to improper and careless handling of personal data. We've seen this occur countless of times. For example, not too long ago, 25 million records were lost by the HM Revenue and Customs and according to the investigation, the problem was not with individual workers, but due to the lack of processes for data handling.

All organisations should have reasonable security measures to protect personal data from misuse, loss, unauthorised access, and abuse. These measures can be stated in a Data Handling Manual, and must be implemented in a way where all concerned parties are well informed of the handling procedures. It is simply a guideline for handling personal data that should and must be adhered to by all in an organisation.

Unfortunately, in most companies, not only are such manuals non-existent, but where there is such a manual, it is usually collecting dust in some shelf and most employees and contractors are not even aware of or do not adhere to the manual. The other problem is the fact that lack of adherence is usually not noted or if it is, it is not reprimanded regularly - well, at least until a big foul-up happens and becomes the headlines of major newspapers.

It is perhaps more than timely for organisations to draw up these guidelines and train their personnel, ensuring regular audits to maintain adherence - in addition to appointing data protection officers and registering processes of personal data.

If you would like some help in customising a data handling manual, please review our privacy policy and then contact Lee & White.

One of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

The frequency of one's personal data being so loosely taken care of is growing alarmingly fast these days. Then again, is it only now that such data is being mishandled, or has it been the case all along? Perhaps horror stories of mishandling of personal data have only recently emerged in the news owing to a growing awareness on the importance of privacy? If that was true, imagine the number of years gone by without our knowledge of the immensity of the abuse and mishandling of our personal data!

A Belgian dating website known as nicepeople.be has been sued by its competitor, toietmoi.be for requiring anyone who registers with them to give e-mail addresses of 5 friends. These people are then spammed with invitations to join nicepeople.be. It is nice to know that your friends can sell out your e-mail addresses in exchange for a bit of fun on a dating site - NOT.

Nevertheless, applause goes to the Belgian court for convicting nicepeople.be of sending unsolicited e-mails and spamming these third parties' inboxes. Punishing them with a 10,000 EUR fine is a good start and indeed, it is high time precedence is set for these privacy law-breaking websites and the people behind them.

The only question is, is there any way of stopping your friends from throwing in your e-mail addresses and any other personal information to the wolves? We know that the data protection law does not cover handling of personal data in the course of household activities, but what can we truly consider as being a strictly household activity and where do we draw the line? If it were up to me, the law should apply to these friends as well.

When you surf on the Internet, and browse through a website, do you realise some of the methods by which your personal data are collected?

Well, there are several ways:

Personal data visibly collected on the website
If you are aware that you are providing personal details on a website, then the website is visibly or explicitly processing personal data. To that extent, you can control the type of personal data you wish to divulge.

Some ways in which personal data can be visibly collected include:

Forms
Most websites have more than one type of form, depending on the purpose of the form. Since forms are usually designed for a particular purpose, they are a good way of ensuring only relevant data is collected. At the same time, you can easily deduce and have a minimum form of control over the personal data you wish to provide - based on the fields you must fill in prior to submitting the form.

Email forms however, may be contentious. Using an email to send the form is not a good system as it gives rise to the possibility of collecting another email address which is not disclosed by the user for some reason. For example, the sample below marks Name, Surname, Street and number, Postcode and Municipality as mandatory whilst email is amongst the optional fields.