How Is Your Personal Data Protected Online – The Law
With the rise in online activities such as social networking, shopping and banking, we now share vast amounts of information on the internet, both personal and non-personal, but how much information to disclose, and what it is used for, should ultimately be down to each individual.
Why Your Information is Wanted
Data is a valuable commodity, with many online businesses, including giants such as Google, Facebook and Amazon, effectively trading on its value to power their advertising revenues and marketing strategies. These companies use profiling information to target their audiences more specifically for each product and service they are promoting. The more accurate the profile is, the better they can judge whether the individual is likely to convert, i.e., respond to the advert and buy the product. How much information you disclose to these companies is ultimately down to personal choice, and it may be that you are willing to give more away in return for more personalised services. The common pitfall for online users signing up for services they want is to be tempted or encouraged into giving a little extra away without really realising it.
However, personal information is also used for more nefarious ends by people in the criminal world, who create stolen or fake identities under which they commit crimes, most commonly fraud. If you're not careful you can leave a trail of personal information on the internet which can be obtained and aggregated by anyone without any need to break the law. Many cyber criminals, though, also resort to illegal tactics such as phishing (emails which mislead you and encourage you to visit a fake site and supply personal information), pharming (where people try to redirect you to fake sites while surfing the net) and malware (viruses which can steal information stored on computers or log activity such as the keystrokes for passwords).
Data Protection Act
It is easy to see that attempts to steal your information would be classed as illegal but there are also laws that govern the appropriate use of data that you have willingly supplied online.
In the UK we are protected by the Data Protection Act. This act applies to all information, whether paper-based or electronic, and at the heart of it is the stipulation that organisations can only use the personal information they have gathered for the explicit purpose for which you supplied it (this doesn't apply to non-personal/non-identifiable information). To that end there are further specific principles, such as the requirement that data is not held longer than is required for its purpose and that it is kept secure and accurate.
Organisations can however ask for permission to use your information for other purposes when you first supply it. You’ll often find that when you provide your name and email as part of a purchase process for example there is a checkbox asking if the same data can be used for marketing purposes too. The key is to be aware of what you are agreeing to – unfortunately that may mean reading the small print.
Privacy and Electronic Communications
You are also protected by the Privacy and Electronic Communications Regulations, which cover the information that organisations use for marketing, data about online behaviour and data on user preferences. The regulations complement the Data Protection Act, providing more detailed guidance for online marketing and ensuring that your information, whether explicitly obtained or gleaned from online activity, cannot be retained, traded and used for any purpose that you are not benefiting from or have not agreed to. This applies even when the data can't be used to identify you (e.g., a company just has your telephone number which they want to use for marketing purposes).
A recent update to the regulation in May 2011 tightened up the rules on cookies in particular. Cookies are the temporary files that a site can leave on your computer to help 'remember' you when you next visit the site. There are many different types of cookie, ranging from those which contain no information other than that you have (or your computer has) been on the site before, to those that remember particular preferences. The majority will not contain any identifiable sensitive personal information. However, because they have often been deployed without much awareness from the end user, the new directive requires that you are initially asked to explicitly agree (to opt in) to each site that wants to use them when you first visit the site. You must also be provided with a sufficient level of information as to what the cookie will do and what information it holds before you do so.
There are of course those who will break the law, either with the intention of committing further crimes such as identity theft and fraud or just to improve their business prospects. Part 2 of this article will look at what technology can help us stay secure.