Opinion - Who owns your data… Not you.

As reported in SANS NewsBites:

Study: Some IT Directors Using Live Data for Application Testing and Development (4 July 2006)
A study has found that of 100 UK IT directors, 44 percent use real customer data when testing and developing applications in violation of the Data Protection Act (DPA). The DPA’s second principle prohibits the use of customer data for any “purposes other than those for which it was collected.” Eighty-six percent of those surveyed said their companies sent customer data offshore protected only by a non-disclosure agreement.
http://management.silicon.com/government/0,39024852,39160080,00.htm

What’s really disturbing is that you may have no idea that this company even has your data.

Suppose this organization obtained your information via purchase from some other organization. This frequently happens as credit card companies trove for potential new customers. Ever wonder why you suddenly start getting credit offers from a company you’ve never heard of?

Next, this company, unbeknownst to you, ships your data off to another organization for this sort of testing.

Your data has been bought, sold, and hand delivered to an organization that, for all intents and purposes, hasn’t a care in the world for that data’s secrecy.

All it takes is some disgruntled or profiteering soul in some off-shore development firm to take that data and sell it for personal gain.

How could companies skirt the issue here?

In order to comply with the DPA, is all they would have to do amend their privacy statement with the phrase “and to test enhancements to our systems”?

How many times have I read a site’s privacy statement?

And, if a company buys my info from someone else, what constitutes “purposes other than those for which it was collected?”

Good privacy laws are important, but I’m unsure of whether or not they can be effectively legislated and enforced.

Particularly here in the United States, where two situations thwart good privacy law:

  1. Individuals are not well organized; the institutions that use your data are.
  2. Organizations that stand to lose the most have nearly limitless funds that they can expend “influencing the public process.”

The goal of privacy-enforcing laws such as the DPA should be to ensure that the individual is in complete control of all information about themselves.

After all, my name is MY name.

Bill
