Lee & White Consultants

One of the largest corporate insurers was recently fined by Britain's financial regulator, the FSA for the loss of customer data. Zurich Insurance PLC was fined a record £2.3m for losing 46000 customers' personal information which included identification information, details of bank accounts, credit cards and insured assets which could have resulted in significant loss to customers.

The loss of customers' data dates back to August 2008 when Zurich Insurance had outsourced data work to the company's South African unit which lost an unencrypted back-up tape. The loss however, was not discovered until a year later.

Companies would benefit from learning from the mistakes that cost Zurich Insurance PLC not only £2.3m in fine, but also the loss of its customers' trust which is a valuable asset for any company.

"It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data," said Stephen Lewis, chief executive of Zurich Insurance.

Now, what are you as a company doing to ensure that your customers' personal information is protected? Do you have a Personal Data Protection Policy in place in your company, and are your employees aware of them? It would do you well to look at this seriously and ensure you are protected by protecting your customers.

"Data Security" and "Data Protection" are terms which seem similar and have been regarded as interchangable by many. Ask an IT manager if his organisation is complying with the data protection law and he will say "Yes, we have all the data security measures in place."

In his mind, the security measures his organisation has taken (e.g. backups, data masking, passwords) with regard to ensuring that data is kept safe from corruption and that access to it is properly controlled is "data protection" - or, "data security", if you like.

For example, many organisations feel that if they perform an information assurance process, they have completed a similar process to that of a privacy impact assessment. This is not the case.

Whilst an information assurance process will enable an organisation to show compliance with the data protection law, this process does not take into consideration of the wider issues of whether a  particular project should be implemented from a privacy point of view. It does not ensure that external privacy concerns are identified and addressed or whether a particular marketing campaign is compliant with the data protection rights of individuals.

The point to note is that "data security" is a subset of "data protection". It is the part which helps an organisation to comply with the security measures that must be taken as prescribed in the Belgian data protection law and EU Directive. These security measures are to keep the personal information received safe. It does not however, cover the broader aspect of the data protection law which has introduced an obligation for transparency concerning the use of personal data. This transparency is revealed when the organisation (data controller) exercises its crucial duty to inform its customers (data subjects) of  the types, purposes and every single processing of their personal information, and provides them with the means for exercising their rights under the data protection law.

The duty to inform can be seen as part of an exchange of information - an organisation wants, needs personal information and so, in return for personal information, must provide the necessary information as to the use of the personal information it requests for.

Look at the principle at its simplest - you cannot take something belonging to another without giving your reasons for it.

Hence, the conclusion is that "data security" plays an important role alongside the "duty to inform" and the "provision of straightforward means for data subjects to exercise their rights" in ensuring that the data protection law is complied with and privacy upheld. These subsets together make up the circle of the correct use of personal information i.e. "data protection".

There was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to the overzealous IT people who captured all data that they could technologically grab, and store it, just in case they might use it in the future.

 

This is a good example of what happens quite often in IT projects.

• The business owner has a great idea to use a new technology to boost sales or to develop a new product.
• The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
• The project manager executes the project and drives the IT and business teams to deliver the required code.

The whole process is monitored end to end by the data protection officer who

• Assesses the impact on personal data protection at the time the business owner intends to initiate the project
• Reviews and approves the business requirements and analysis documents, checking that personal data processing is
  • fair and lawful,
  • collected for the specific purpose of the project,
  • adequate, relevant and not excessive.
• Participates in status and scope meetings, guarding the above.
• Performs integration and user acceptance testing with a focus on personal data
• Gives the final go that a project can go live and it is not, now and in the future,
  • a risk to trust and reputation of the organisation, or
  • a violation of applicable data protection laws.

So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, do what they think is best.

• The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
• The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
• The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
• The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitely approve any step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and less tangible values.

Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering wifi signals) in the first place which cannot be undone.

It's almost the end of the quarter, sales numbers are nearly on target, we just need a little boost to get them higher, perhaps even above target, I need that bonus.

"You know what? Let's launch a quick campaign and mail our prospects!"

I'm sure this all sounds very familiar if you are in the marketing department of any medium to large company, and it is a great initiative of course. But who shall you email? Where do you get the addresses?

We could for example mail our prospects, people who expressed some interest in one of our products; or perhaps people who entered that competition last month; perhaps people who were submitted by someone in our friend-gets-friend referral campaign; perhaps the subscribers to our newsletter; what about ex-customers we want back; let's buy a list from a broker; ...

And this is where it gets hairy:

• Are you mailing the right people, possibly sending a super promo mail that will anger a new customer who paid so much more for the same product a few days ago?
• Do you have permission to email these prospects; did you ask them for their permission to send them this kind of promotions and did they opt-in?
• Did you exclude persons who opted out from your list?
• Is your list deduplicated? Are you not sending multiple mails to the same person through the same or different email addresses?
• Are you not publishing your list of email addresses to every recipient?

A mistake at this level can cost you dearly, in terms of losing face or upsetting client or supplier relations, and it could all be solved if you had followed proper procedures when you acquired the email addresses.

All you needed to do was:

• Ask for a prospect's email only when needed.
• If you want to use this information for other purposes, inform the prospect and ask for his explicit permission.
• Allow the prospect to review, change and delete his information at his simple request at any time.
• Check if the supplier of your mailing list or broker has obtained the permission of your prospects and has informed them of the possibility of their information going to you for marketing purposes.
• At any communication, give the prospect the opportunity to opt out of future communications of this kind or of any kind.

A Privacy Impact Assessment at the design phase of a project can detect such opportunities and a Data Protection Audit can analyse and correct the flow of information within your organisation.

It will save you in the long run!

A few weeks ago, Rachel called up her mobile phone service provider to change her subscription package. The Customer Service Officer who attended to her was a Mr. Hendricks who was very efficient in dealing with Rachel’s request.

A few hours after the call, Rachel received a call from Mr. Hendricks who told her that he found her voice very attractive and would like to take her out for dinner. Now, Rachel turned him down as she has a boyfriend. Mr. Hendricks was disappointed but decided he would keep calling, and after several calls and several refusals by Rachel, he decided he would press his luck and send a bouquet of flowers to her house.

Rachel was very frightened that Mr. Hendricks knew where she lived, and that he had complete access to all her personal information. She now has complete distrust in her mobile phone service provider and decides she will cancel her account with them.

Question to the consumer: Do you know who has your personal information and what they are doing with it?

Question to the organisation: What are you doing to prevent privacy breaches like this?

(Names have been changed to maintain confidentiality)

The UK's Information Comissioner's Office (ICO) has sharper teeth now to deter personal data security breaches - it can now serve monetory penalties of up to 500,000GBP to organisations for breaches of the Data Protection Act. The power is designed to deal with serious breaches of the Data Protection Act.

According to the ICO, for a data breach to attract a monetary penalty there must have been a serious breach that was likely to cause damage or distress and it was either deliberate or negligent and the organisation failed to take reasonable steps to prevent it. It gave the following examples:

Damage
Following a security breach by a data controller financial data is lost and an individual becomes the victim of identity fraud.

Distress
Following a security breach by a data controller medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise.

Deliberate
A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned.Now, this is a major step forward for a data protection authority (DPA), and it is about time.Unfortunately, at the moment, there are big differences regarding the position of the DPAs in the member states and not all the DPAs have the same power. According to the Article 29 Data Protection Working Party, this is because of differences in history, case law, culture and the internal organization of the member states. 

Moreover, article 28 of Directive 95/46/EC lacks precision in several aspects, and has, to a certain extent, been poorly implemented in some jurisdictions -resulting in noticeable differences between the member states regarding, amongst others, the position, resources and powers of DPAs.In any case, with the growth of technology and globalisation, strong supervision and effective powers are needed by DPAs in addition to their current powers.

In Belgium, 97% of organizations' websites are non-compliant. If so, then the question is whether internally, these organizations are adhering to the data protection law.

Perhaps it is necessary for its Privacy Commission to be given a similar sanctioning power as that of the ICO. At the moment, the Privacy Commission has no teeth. Its powers are limited to advising, recommending and handling complaints. Coupled by the public's lack of awareness on data protection - which results in lesser complaints than the reality of the situation, many organizations abuse the situation and operate without fear or respect for the data protection law.It is hoped that someday soon, this will change.