This post has been triggered by two things.
Firstly, I had a nice chat with Hugh Jones who is running the ICS’s Data Protection training (see www.ics.ie/dp) for details. Hugh is interested in raising awareness of data protection issues both for businesses and for individuals. I wholeheartedly agree with him that this is important, not least because Data Protection has a strong Information Quality component.
Secondly, just yesterday I saw two very clear examples of poor data protection practices. And that is not counting the dozen or so CCTV cameras I saw in the Dundrum Town Centre without any notification signage alerting me to the cameras or who to contact to get a copy of my personal image. Both of the incidents I saw related to sign up sheets for various things which were left in public places.
The first Data Protection heeby-jeeby
The least worrying one was in Wexford, where the sign up sheet for a contact list for a community group was left lying on a table that was unattended (although staff were standing near by). The information being captured was names, email addresses, mobile phone numbers and postal addresses. Each of those records would be worth approximately €100 to the right people. At 20 lines per sheet, each sheet would be worth €2000.
That pays my mortgage for 2 months.
Ideally, the voluntary organisation in question should have put someone sitting on a chair beside the clip pad to keep an eye on one of the most valuable things in the room.
The second Data Protection Heeby-Jeeby (and this one scared the bejesus out of me)
A car dealership has a display model parked up in the hallways of a large shopping mall in Arklow. On the table beside the car they have a sign up sheet (ho hum) inviting you to leave your personal details in order to be entered into a raffle.
The first problem here is that this is very obviously a way for them to collect sales leads, contact details for people who they can phone or write to to offer test drives and such like. However the sign up form doesn’t say that. There is no information about what the information is being captured for, what uses it may be put to, or who to contact if you have a query about the information. So, it is not being captured fairly for a specified use – that’s the first Data Protection breach.
More worrying is that the table (and the sheets and box full of personal data) were left unattended when I walked past yesterday afternoon. Personal data for about a dozen people was clearly visible on the table, unsecured, unprotected. I took a photograph with my phone. I had considered uploading it to this blog post, but there is some personal information clearly visible. So I won’t. But I have 19 rows of personal data, including at least 1 mobile phone number in an image on my (secure to a point of paranoia) archive drive at home.
Unfortunately, I suspect that someone else took something more as the sheet was gone a few minutes later. 19 rows of data at €100 a pop… not bad for 3 seconds work. The sheet may have fallen on the floor. However, even in that case the data was no longer in the control of the Data Controller.
So, to the car dealership that put that blue Hyundai I20 in the Bridgewater Shopping Centre in Arklow: you REALLY REALLY should consider sending a few of your staff to the Data Protection Lunch & Learn session or to the 1 day or 3 day Data Protection courses run by the ICS. Currently your entire marketing set up in the Bridgewater Shopping Centre is in breach of the Data Protection Act.
Conclusion
I would advise everyone to make themselves aware of the provisions of the Data Protection Act and to evaluate every time someone asks you for personal information. Don’t give your information to anyone who isn’t capturing it fairly, processing it fairly or treating it as a valuable asset. If they leaving it lying around in a public place unattended and unsecured… think twice.
If you are a person or organisation capturing personal information about people, then you should put some time and effort into planning how you will capture the information, secure it, prevent it being photographed, swiped or mislaid, and ultimately put it to use. You should avoid the temptation to promote your data capture as something that it is not… yes, offer a raffle prize but let people know if you are planning to use the data to drive a marketing campaign.
Why don’t you report the car dealership directly to the data Protection Commission instead of publicising a seminar which they will obviously not attend??
Bye, Barry
Barry,
Firstly, as I am not one of the affected data subjects I have limited standing under the Data Protection Act to report the issue. However, I am bringing it to their attention (along with a few other examples).
Secondly, it was not my intention to name and shame a particular company but rather to raise awareness of the lack of understanding of the Data Protection Act and the duties it imposes on Data Controllers and the rights it gives to Data subjects. The specific case I used as an example was one of many I could have used, but it highlighted the issue very well.
Another bug bear of mine is the massive growth in CCTV cameras on buildings which lack the legally required signage to notify people that there is a CCTV camera there. I do like asking for a copy of my image from the shops in question though.. (they are legally obliged to provide it unless there is onerous cost in doing so in a manner that is compliant with the legislation).
As for the seminar… it is up to people whether they attend but as information becomes an increasingly valuable asset in organisations I would put it to you that perhaps a little time invested in learning how to ensure compliance with relevant legislation is time well spent. Also, the seminar is part of the overall Data Protection Certification qualification that has been developed by the Irish Computer Society. I had thought I knew the legislation pretty well until I had a chat with Hugh and some of the other people involved in developing and delivering the course… but I didn’t know it half well enough.