Some thoughts on EU Data Protection Day from Advent IM and Security Institute Director, Mike Gillespie.
Today (Jan 28th) Is EU Data Protection Day #DPD2014 and it has sparked some interesting content and discussion on Social Media so far.
It has also afforded those organisations who bang the drum for Data Protection and Privacy to bang it a little louder and longer, trying to get the attention of those that really need to take heed.
Anyway, the topic of off-shoring services and functions and with going personal data , cropped up. As a data subject I ought to be able to expect to be explicitly consulted if my data is going offshore to a country not on the trusted country list. Personal data according to Principal 8 of the Data Protection Act (1998)
“…shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
Principle 2 states
“Personal Data shall be obtained for only one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”
No organisation should be allowed to hide the intent to offshore personal data in it’s “small print” or to decide to offshore personal data without consulting the data subjects. Some companies pay only lip service to this requirement and data can be shipped around the world to suit the business and without the explicit agreement of the data subject.
Bottom line, businesses off-shore services to save money. However, the cost of maintaining data protection and privacy of personal data and offshore is prohibitive and so guess where the cost is cut? Cheap hosting in non-compliant countries is the cost-saving great hope, it seems. Buying hosting space from a Cloud Broker for instance, means that data could be shuttled around the world to wherever the space is cheapest if end points have not been specified in the SLA and let’s face it, if you priority is cheap then I can’t imagine it being much of a priority…
The European Data Protection Directive defines consent as-
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him, being processed”
So we may expect that the individual may signify agreement other than in writing. However non-communication should not be interpreted as consent. In other words, opt-in not opt-out…
The problem is that companies can exploit vague language in the law. For instance, Personal data should only be processed fairly and lawfully. In order for that data to be classed as ‘fairly processed’ at least one of these six conditions must be applicable to that data (Schedule 2)
- The data subject (the person whose data is stored) has consented (“given their permission”) to the processing;
- Processing is necessary for the performance of, or commencing, a contract;
- Processing is required under a legal obligation (other than one stated in the contract);
- Processing is necessary to protect the vital interests of the data subject;
- Processing is necessary to carry out any public functions;
- Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject
So the argument might be that it is OK to offshore because “processing is necessary for the performance of or commencement of a contract and as I have moved my call centre to (for the sake of argument and only as an example) India, and as my contract requires the provision of a call centre then my contractual obligation also requires the move of the personal data to India.
Even when consent is given, it should not be assumed that it is forever. although in most cases, consent lasts for as long as the personal data needs to be processed – individuals may withdraw their consent, depending upon the nature of the consent and the circumstances in which the personal information is being collected and used. How many orgainsations like supermarkets or banks offer you this option? Ever had one of those personal injury or PPI calls and asked them to take you off their list only to be told they can’t delete you because of Data Protection!?
So the Terms and Conditions is where the sneaky stuff hides in clauses that says they reserve the right to have a cavalier attitude to your data (or move it elsewhere for further cheaper processing once its initial processing is complete) should they choose and then label that as your consent…
You can connect with Mike and enjoy further Security Discussions on Linkedin.