Policy actions sorted A-Z.
People have the right to directly access, in a standardised format, data held on them by data controllers so they can understand what is held about them, by whom, correct errors and reuse the data elsewhere.
In Australia, various energy providers allow you to download energy consumption data from their online portal.
United Kingdom: midata is a programme that promotes data portability around personal banking information.
Accessing this data alone isn’t enough to understand it. A service may be needed to interpret the data and make it readable by people.
Format is crucial: data locked in print or PDF publications can be hard to reinterpret.
Issues around child data and people who have power of attorney over someone are difficult to resolve.
Create a central database of known software vulnerabilities. This will allow consumers to know what products and services are affected, and help developers fix vulnerable code. Software security research firms typically publish their findings publicly and have a unique vulnerability identifier attached to their work.
There may be inconsistency between software vulnerability databases operated by different organisations.
Government-owned vulnerability databases may be biased in the security interests of that state.
The data from these databases are technical in nature and aren’t accessible to the average consumer.
Government and technical organisations should recommend best practices to developers to ensure safety, particularly in environments where computers have control over the physical environment. Existing guidelines are biased towards space and nuclear science, but there will be a need for consumer advocacy here as self-driving cars near readiness for everyday use.
Provide a service where scams can be reported to reduce the effort required for consumers to get redress.
Nations including the United Kingdom, Australia, United States and India operate websites where consumers can report scams. These are operated either by the national police, a regulator or a government department.
The International Consumer Protection and Enforcement Network operate a website for reporting international scams.
Some consumers may not be aware that these services exist.
Phishing websites could pose as official scam reporting services.
Software vulnerabilities are included in product recall notices and product recall notices are maintained and made available as open data, so that consumers are aware when they own an unsafe digital product.
European Union: The European Commission operate a database of product recalls. It allows people to subscribe to weekly product notifications.
OECD: Global Recalls collates data about product recalls from OECD member states. This information is available in English and French.
In 2016, the car manufacturer Tesla pushed an over-the-air update following a death caused by its autopilot system.
The changing nature of consumer products like cars means that recalls can be avoided by pushing updates straight to the device. A report suggests that by 2022, 230 million vehicles could have this functionality.
A faster software update cycle could increase the risk that bugs are undetected.
Implementation of notices is a lost opportunity if it doesn’t incorporate shorter feedback loops.
The law requires services to monitor for suspicious authentication, for example signing in from another country, so fraud and data theft can be prevented.
Automated services could misinterpret legitimate behaviour.
Services are built to sanction quickly and don’t accommodate fair process or a right to reply.
Data controllers are compelled to publicly report data breaches so that the public knows a breach has occurred and can take action where possible, and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers are required to notify data subjects “no later than 72 hours” after having become aware of a breach.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach or violation of security has been made to the data controller’s security measures that could affect the moral and economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 States and the District of Columbia have enacted state-level security breach notification laws. There are no notification laws at Federal level.
The lack of understanding around data breaches may cause consumer panic when they receive notifications.
Notifications on their own may not suffice. They may need to happen in concert with other measures.