Policy actions sorted A-Z.
A data protection organisation, which understands current risks and capabilities, exists to protect people’s information rights.
Most G20 countries have a data protection regulator. Most of these are a stand-alone organisation with jurisdiction over overall data protection matters in that country.
In Canada, there are regional offices for the data protection regulator.
Some countries without a data protection regulator delegate this area of responsibility to government ministries. For example, in China responsibility is split between the Ministry of Industry and Information Technology and the State Administration for Industry and Commerce.
Japan: The Consumer Affairs Agency delegates and oversees the implementation of the Act on the Protection of Personal Information (PDF) by government departments. Each government department is responsible for data protection in its own area; for example, the Ministry of Health, Labour and Welfare is responsible for the protection of medical data.
Australia: The Office of the Australian Information Commissioner enforces wider privacy law, but the Spam Act, which regulates unsolicited communications, is enforced by the telecoms regulator, the Australian Communications and Media Authority.
Jurisdiction between different government departments could be unclear.
Loose definitions of personal data could allow data controllers to take advantage of gaps in coverage.
Insufficient technical ability or understanding in the organisation.
People have the right to pass on or delegate access to digital products and services after they die so that their digital legacy can be maintained by a trusted person. New organisations may be required to oversee this process.
Major social networks have mechanisms in place to deal with accounts after the user has died, for example, legacy contact on Facebook.
United States: Virginia, Connecticut, Rhode Island, Indiana, Oklahoma, Idaho and Nevada have laws governing access to the digital assets of the deceased.
Tom Steinberg proposes a digital public institution that handles the digital accounts of the deceased.
As part of a series of prototypes exploring what new services the General Data Protection Regulation makes possible, IF proposes a guardian for digital identity that would maintain digital accounts according to the wishes of the deceased, based on Steinberg’s proposal.
People have the right to directly access, in a standardised format, data held on them by data controllers so they can understand what is held about them and by whom, correct errors, and reuse the data elsewhere.
In Australia, various energy providers allow you to download energy consumption data from their online portal.
United Kingdom: midata is a programme that promotes data portability around personal banking information.
Accessing this data alone isn’t enough to understand it. A service may be needed to interpret the data and make it readable by people.
Format is crucial: data locked in print or PDF publications can be hard to reinterpret.
Issues around child data and people who have power of attorney over someone are difficult to resolve.
People have the right to port their data between service providers so that they have genuine choice of providers. This is distinct from “enable people to access data held about them in an agreed format” as the particular data about a consumer isn’t readily accessible to them, but a transfer between services can be made.
European Union: Article 20 of the General Data Protection Regulation gives people the right to obtain and reuse their data across different services.
United Kingdom: QR codes on utility bills contain energy usage data for quick comparison between providers.
United Kingdom: Current account switch guarantee automates the process of changing banks by automatically transferring balances and direct debit instructions.
Switching mobile phone number: Communication regulators in many countries mandate that mobile phone numbers can be transferred between different networks.
Large, interlinked services operating effectively as monopolies could block transfer of data to services with a narrower focus.
Companies could use anti-patterns that make it difficult for people to transfer data between services.
People have the right to find and request access to data held about them by data controllers so that they can understand what is held about them and by whom, and correct errors.
United Kingdom: Subject Access Requests give data subjects the right to access their data under the Data Protection Act. They are entitled to know if their personal data is being processed, to receive a description of the data, to receive a copy of the data and to know the details of the source of the data.
European Union: In Article 16 of the General Data Protection Regulation, data subjects are entitled to have their data altered if it’s inaccurate or incomplete. Data controllers must respond within one month, or within two months if the request is complex.
Elsewhere: Most other G20 countries have legislation that allows data subjects to request their personal data and request corrections. Of particular interest, in the United States, the Children’s Online Privacy Protection Act allows parents to view personal data collected by a website about a child and correct or delete it. In the Quebec region of Canada, data controllers cannot charge a request fee.
Data controllers could make it difficult for people to request their data.
Companies may not keep track of whom data is shared with and so cannot update historic information.
People can access a history of who has viewed data held about them, so they can understand what is happening to their data and spot fraud and misuse.
United States: Under the Health Insurance Portability and Accountability Act, “patients can request an account of the manner their private health information has been used”.
Credit report services show when lenders have accessed an individual’s credit report.
Establish the legal concept of “digital personhood” so that rights afforded to people in the physical world are made applicable on digital platforms.
The right to privacy is a legal tradition found in many national and international laws. Establishing the concept of digital personhood would compel digital services to follow this convention for maintaining privacy in people’s online activities.
Duty of care is a common legal doctrine that requires reasonable care to be taken in activities that can cause harm. Application of this in digital services through digital personhood would ensure service providers took necessary measures by default to enforce this duty.
“Digital personhood” is not recognised universally, but we increasingly see hints of this as an approach: the OECD/G20 report “Key issues in Digitalisation” (PDF) raises the idea of a “digital impact assessment”, a concept that could be developed further to take into account the individual and collective impacts of digital.
Although treating consumers fairly should be an integral part of the good governance and corporate culture of all service providers, the digital aspects of this may not be taken seriously at a corporate level.
The national data regulator maintains a searchable database of data controllers so consumers can find their point of contact and easily retrieve their data policies.
United Kingdom: The Information Commissioner’s Office maintains a searchable register of data controllers. The entry for each controller contains its date of registration, the expiry date of that registration, its postal address and what personal data it processes.
Argentina: A similar service to that found in the United Kingdom exists, showing the contact details of a data controller.
Existing legislation may not require the data protection regulator to make registration records public.
Online registers can be limited in use, because their interfaces are difficult to use or the data isn’t available in an open format.
The data covered in online registers may not be extensive enough.
Legislation that allows private individuals to request that a data controller remove outdated or inaccurate information that might cause personal distress.
European Union: After a Spanish national took Google to the European Courts of Justice, the court ruled that people have the “right to be forgotten”.
South Korea: The Korea Communications Commission states that citizens are able to request that search engines and website administrators restrict individuals’ postings from being publicly accessible.
United States: A law in California requires websites to allow people under 18 to permanently erase their content. This “Eraser Button law” aims to prevent teenagers from being tied to content when they grow older.
Digital services should be required to limit the way they use children’s data. This ensures children’s right to privacy is maintained when they may not be in a position to make their own consent decisions.
The law requires services to monitor for suspicious authentication, for example signing in from another country, so fraud and data theft can be prevented.
Automated services could misinterpret legitimate behaviour.
Services built to sanction quickly may not accommodate fair process or a right to reply.
Data controllers are compelled to publicly report data breaches so that the public know it has occurred and can take action where possible and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers are required to notify data subjects “no later than 72 hours” after having become aware of the breach.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach or violation of the data controller’s security measures has occurred that could affect the moral or economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 states and the District of Columbia have enacted state-level security breach notification laws. There are no notification laws at the federal level.
Consumers’ lack of understanding of data breaches may cause panic when they receive notifications.
Notifications on their own may not suffice. They may need to happen in concert with other measures.
The law requires the use of strong customer authentication for certain kinds of service.
Estonia: A chipped identity card is used as secondary authentication when accessing digital services.
European Union: the European Banking Authority requires the use of “strong authentication”, defined to mean “multi-factor authentication”, in online payments.
Implementing multi-factor authentication into existing systems could be costly.
If designed poorly, multi-factor authentication can make a service less usable.
Data controllers handle and safeguard personal data that is generated through consumer transactions, so that the privacy of consumers is protected.
Most countries have a general right to privacy written into their national law or constitutions.
Different industries have their own data privacy laws.
Confidentiality of medical data is enforced in the United States by the Health Insurance Portability and Accountability Act. In Turkey, patient privacy is guaranteed in Articles 78 and 100 of Legal Code 5510. In Canada, medical confidentiality is protected at federal and provincial level. In Australia, it is protected under the Personally Controlled Electronic Health Records Act 2012 and the Privacy Act 1988.
Financial institutions are also subject to an implied duty of privacy unless required to disclose transactional information to law enforcement.
UNGCP 2016 and the OECD Privacy Guidelines 2013 mention recognition of the right to privacy as a major element of consumer protection.
LEGO’s website, which connects children through games, has no third party cookies or connections to social media accounts, and advises users to use pseudonyms.
The same data is treated differently across industries and national borders, weakening how people perceive the right.
Challenges in identifying, defining and quantifying risks, as well as enforcing the right.
Individual services comply, but in the aggregate companies breach the intent of privacy protections.
Government or industry bodies agree a set of standards for securing specific data and transaction types so that people can expect a minimum level of security.
PCI is a proprietary credit card security standard operated by the major global credit card companies.
GOV.UK Verify is a delegated method of identity verification, available from multiple providers, for use in UK government digital services.
3-D Secure is a protocol for additional identity verification when making online purchases. It is branded by Visa and MasterCard as “Verified by Visa” and “MasterCard SecureCode” respectively.
ISO/IEC 27002 is an international standard on information security, providing best practice for both digital and physical security.
Consumers should be asked to renew their consent for data to be shared after a maximum period to ensure they are aware their data is being used and to provide an opportunity to reassess whether they want their data to be used.
United Kingdom: The Information Commissioner’s Office has requested that the charities British Red Cross and Age International allow donors to review their opt-in consents every 12 months.
A recommendation by the National Council for Voluntary Organisations states that fundraising campaigns should refresh the consent they use to contact donors at least every 24 months.
Weak design patterns for renewing consent can be detrimental to the user experience of a service.
It may be difficult to persuade companies to refresh consent.
Set a limit on how long digital services can keep data after collection to mitigate the risk that old data may not reflect consumers at present.
European Union: The Data Retention Directive means that European nations can store citizens’ telecommunications metadata for a maximum of 24 months.
Australia: The Telecommunications Amendment Act 2015 puts a maximum storage time of two years for telecommunications metadata.
Laws and processes exist to prosecute data controllers in the event of a data breach. Punitive measures are intended to incentivise data controllers to better protect consumers’ data in order to avoid punishment.
Most G20 countries have data protection laws that, at minimum, enforce a monetary fine.
European Union: The General Data Protection Regulation allows the levying of a fine of €20 million or 4% of an organisation’s global turnover. Section 82 of the GDPR states that data subjects have a right to compensation for “material or nonmaterial damage”. Data controllers are exempt from liability when they can prove they are not responsible for the data breach.
Brazil: The Brazilian Regulatory Framework for the Internet enables a 10% fine on domestic gross income and a potential temporary suspension of data collection activities. This fine is proportionate to the nature of the data breach. Consumers are able to bring a data breach case to court for material and nonmaterial damages.
India: A data controller that doesn’t implement reasonable security practices is “liable to pay compensation for any wrongful loss or wrongful gain”. Claims below 50 million rupees are handled by the Department of Information Technology at state government level; claims above this are handled by civil courts. A data controller that discloses personal data without the consent of the subject may be liable to three years’ imprisonment, a maximum fine of around $7,500, or both.
Japan: Responsibility for data protection regulation is shared in Japan. The Ministry of Economy, Trade and Industry and the Financial Services Agency investigate companies for data protection compliance and can issue a corrective order if a company is found to be non-compliant. If a data controller fails to follow a corrective order, it may be liable for imprisonment of up to six months or a fine of about $2,600.
Could drive organisations to be less transparent about breaches.
Accountability for breaches could be hard to pinpoint due to complex arrangements between service providers and third parties.