Policy actions sorted A-Z.
A data protection organisation, which understands current risks and capabilities, exists to protect people’s information rights.
Most G20 countries have a data protection regulator. Most of these are stand-alone organisations with jurisdiction over overall data protection matters in that country.
In Canada, there are regional offices for the data protection regulator.
Some countries without a data protection regulator delegate this area of responsibility to government ministries. For example, in China responsibility is split between the Ministry of Industry and Information Technology and the State Administration for Industry and Commerce.
Japan: The Consumer Affairs Agency delegates and oversees the implementation of the Act on the Protection of Personal Information (PDF) by government departments. Each government department is responsible for data protection in its own area; for example, the Ministry of Health, Labour and Welfare is responsible for the protection of medical data.
Australia: The Office of the Australian Information Commissioner enforces wider privacy law, but the Spam Act, which regulates unsolicited communications, is enforced by the telecoms regulator, the Australian Communications and Media Authority.
Jurisdiction between different government departments could be unclear.
Loose definitions of personal data could allow data controllers to take advantage of gaps in coverage.
Insufficient technical ability or understanding in the organisation.
People have the right to find and request access to data held about them by data controllers, so that they can understand what is held about them and by whom, and correct errors.
United Kingdom: Subject Access Requests give data subjects the right to access their data under the Data Protection Act. They are entitled to know if their personal data is being processed, to receive a description of the data, to receive a copy of the data and to know the details of the source of the data.
European Union: In Article 16 of the General Data Protection Regulation, data subjects are entitled to have their data altered if it’s inaccurate or incomplete. Data controllers must respond within one month, or within two months if the request is complex.
Elsewhere: Most other G20 countries have legislation that allows data subjects to request their personal data and request corrections. Of particular interest, in the United States the Children’s Online Privacy Protection Act allows parents to view personal data collected by a website about a child and to correct or delete it. In the province of Quebec, Canada, data controllers cannot charge a request fee.
Data controllers could make it difficult for people to request their data.
Companies may not keep track of who data is shared with, and so cannot update historic copies of the information held by those recipients.
People can access a history of who has viewed data held about them, so they can understand what is happening to their data and spot fraud and misuse.
United States: Under the Health Insurance Portability and Accountability Act, “patients can request an account of the manner their private health information has been used”.
Credit report services show when lenders have accessed an individual’s credit report.
A team or service exists to inform companies about best practices for digital security, consumer privacy and consent models.
United Kingdom: The National Cyber Security Centre provides guidance to organisations and government to manage their IT and information more securely. CareCert, part of NHS Digital, provides information security advice for the public health sector.
United States: The United States Computer Emergency Readiness Team, from the Department of Homeland Security, publishes advice on computer security for a non-technical audience.
Elsewhere: Various countries have computer emergency response teams that respond to information security emergencies.
Guidance is issued in specialist terms, requiring third parties to interpret it.
Guidance doesn’t adapt quickly enough to changing threats or technologies.
Digital services should be required to limit the way they use children’s data. This ensures children’s right to privacy is maintained when they may not be in a position to make their own consent decisions.
Data controllers are compelled to publicly report data breaches so that the public know a breach has occurred and can take action where possible, and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers are required to notify data subjects “no later than 72 hours” after having become aware of the breach.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach or violation of the data controller’s security measures has occurred that could affect the moral and economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 states and the District of Columbia have enacted state-level security breach notification laws. There are no notification laws at federal level.
Consumers’ lack of understanding of data breaches may cause panic when they receive notifications.
Notifications on their own may not suffice. They may need to happen in concert with other measures.
The law requires the use of strong customer authentication for certain kinds of service.
Estonia: A chipped identity card is used as secondary authentication when accessing digital services.
European Union: the European Banking Authority requires the use of “strong authentication”, defined to mean “multi-factor authentication”, in online payments.
Implementing multi-factor authentication in existing systems could be costly.
If designed poorly, multi-factor authentication can make a service less usable.
Data controllers handle personal data generated through consumer transactions in a way that protects the privacy of consumers.
Most countries have a general right to privacy written into their national law or constitutions.
Different industries have their own data privacy laws.
Confidentiality of medical data is enforced in the United States by the Health Insurance Portability and Accountability Act. In Turkey, patient privacy is guaranteed in Articles 78 and 100 of Legal Code 5510. In Canada, medical confidentiality is protected at federal and provincial level. In Australia, it is protected under the Personally Controlled Electronic Health Records Act 2012 and the Privacy Act 1988.
Financial institutions are also under an implied privacy obligation unless required to disclose transactional information to law enforcement.
The United Nations Guidelines for Consumer Protection (UNGCP) 2016 and the OECD Privacy Guidelines 2013 recognise the right to privacy as a major element of consumer protection.
LEGO’s website, which connects children through games, has no third-party cookies or connections to social media accounts, and advises users to use pseudonyms.
The same data is treated differently across industries and national borders, weakening how people perceive the right.
Challenges in identifying, defining and quantifying risks, as well as enforcing the right.
Individual services comply, but, in the aggregate, companies breach the intent of the right to privacy.
Government or industry bodies agree a set of standards for securing specific data and transaction types so that people can expect a minimum level of security.
The PCI Data Security Standard (PCI DSS) is a proprietary credit card security standard operated by the major global credit card companies.
GOV.UK Verify is a delegated method of identity verification, available from multiple providers, for use in UK government digital services.
3-D Secure is a protocol for additional identity verification when making online purchases. It is branded by Visa and MasterCard as “Verified by Visa” and “MasterCard SecureCode” respectively.
ISO/IEC 27002 is an international standard on information security, providing best practice for both digital and physical security.
Set a minimum period where manufacturers must provide software updates to ensure customers are reasonably protected against software vulnerabilities without having to make new purchases.
Some software manufacturers have fixed support periods. Microsoft has a 10 year support period for Windows 10. Ubuntu, a Linux operating system, designates every fourth version as “Long Term Support”, where the update period is extended from 9 months to 5 years for server software and 3 years for desktop software.
Netherlands: Consumentenbond is campaigning for mobile phone manufacturers to provide longer support periods for Android.
The United States Navy paid Microsoft $9.1 million to continue support for Windows XP, a version of Windows released in 2001 that remains in widespread use in government IT because of the long gap before the following version was released.
David Wheeler writes that updates should be legally mandated for three years after purchase, or the customer should be offered a refund.
Mandating a minimum period of software updates could be financially straining for smaller software developers.
Longer mandatory update periods could increase costs for consumers.
Laws and processes exist to prosecute data controllers in the event of a data breach. Punitive measures are intended to incentivise data controllers to better protect consumers’ data in order to avoid punishment.
Most G20 countries have data protection laws that, at minimum, enforce a monetary fine.
European Union: The General Data Protection Regulation allows the levying of a fine of up to €20 million or 4% of global turnover for an organisation. Article 82 of the GDPR states that data subjects have a right to compensation for “material or nonmaterial damage”. Data controllers are exempt from liability when they can prove they are not responsible for the data breach.
Brazil: The Brazilian Regulatory Framework for the Internet enables a 10% fine on domestic gross income and a potential temporary suspension of data collection activities. This fine is proportionate to the nature of the data breach. Consumers are able to bring a data breach case to court for material and nonmaterial damages.
India: A data controller that doesn’t implement reasonable security practices is “liable to pay compensation for any wrongful loss or wrongful gain”. Claims below 50 million rupees are handled by the Department of Information Technology at state government level; claims above this are handled by civil courts. A data controller that discloses personal data without the consent of the subject may be liable to three years’ imprisonment, a maximum fine of around $7,500, or both.
Japan: Responsibility for data protection regulation is shared in Japan. The Ministry of Economy, Trade and Industry and the Financial Services Agency investigate companies for data protection compliance. They can issue a corrective order if a company is found to be non-compliant. If a data controller fails to follow a corrective order, it may be liable for imprisonment of up to six months or a fine of about $2,600.
Could drive organisations to be less transparent about breaches.
Accountability for breaches could be hard to pinpoint due to complex arrangements between service providers and third parties.
Set rules that require data to be encrypted when it’s stored by a data controller to mitigate the risks of a data breach.
Australia: The Office of the Australian Information Commissioner recommends that data is encrypted when stored.
United States: A law in the New Jersey state legislature prohibits health insurance companies from keeping unencrypted patient information.
Set rules that require data to be encrypted when sent across the internet to prevent it from being intercepted by an unauthorised third party.
United Kingdom: Part of the Government Digital Service Standard requires the use of HTTPS.
United States: Memorandum M-15-13 from the Federal Chief Information Officer states that all publicly accessible federal websites and web services must be served only over a secure connection (HTTPS).
In-transit encryption is a requirement in the PCI credit card transaction standards.