Facts vs Fiction: What’s the ‘Right to be Forgotten’ Really About?

There’s still a vigorous debate going on about the ‘right to erasure’, also referred to by some as ‘the right to be forgotten.’ Its detractors strongly argue that it is tantamount to censoring lawful and factual information, and is dubious on principle. They also believe it to be deeply flawed as a method of protecting privacy.

I believe those to be simple-minded positions. The ‘right to erasure’ allows for data subjects to have their data scrubbed when it is no longer necessary for the purpose an organization originally collected it. It is also key when there is no overriding legitimate interest for an organization to continue with the processing. It also protects an individual when their data is being processed unlawfully or when an organization has to adhere to a court ruling.

To be more specific, Article 17 of the GDPR outlines the conditions under which the right to be forgotten takes precedent. An individual has the right to have their personal data erased when:

  • The personal data is no longer required for the original purpose an organization collected or processed it;
  • An organization is relying on an individual’s consent as the lawful basis for processing the data and that consent is withdrawn;
  • An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing;
  • An organization is processing personal data for direct marketing purposes and the individual objects to this processing;
  • An organization processed an individual’s personal data unlawfully;
  • An organization must erase personal data in order to comply with a legal ruling or obligation; and
  • An organization has processed a child’s personal data to provide them with specific information services.

However, there are several instance which override the right to erasure:

  • The data is being used to exercise the right of freedom of expression and information.
  • The data is being used to comply with a legal ruling or obligation.
  • The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
  • The data being processed is necessary for public health purposes and serves in the public interest.
  • The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
  • The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair halt progress towards the achievement that was the goal of the processing.
  • The data is being used for the establishment of a legal defense or in the exercise of other legal claims.
  • Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if the organization can justify that the request was unfounded or excessive.

As is evident by a deeper look at the GDPR, a number of factors contribute to successfully having your data erased. Each request has to be assessed individually, the request must not interfere with other fundamental rights, it shouldn’t take precedent over the public interest, or countermand law enforcement requirements, etc. It is NOT a lawful reason to erase history or hide data about yourself that is embarrassing, and it doesn’t generally allow you to obscure your criminal past.

That being said, the issue of outdated and irrelevant information remaining indefinitely online is one that law has not effectively addressed (especially in the Internet Age). And it’s a dilemma that is predominantly more harmful for those who aren’t public figures — the folks who are in greater need of privacy protections from the law.

The Impact of the GDPR on the Hospitality Sector

Today I held a General Data Protection Regulations (GDPR) awareness seminar for members of the Barbados Hotel and Tourism Association (BHTA).

With regards to data security, there are few sectors more vulnerable to data-related threats than the hospitality sector. The volume of processed personal and credit card information being handed over to hotels, restaurants, etc. on a daily basis makes the sector extremely vulnerable. With the enforcement deadline having passed on 25 May, several companies in the sector have not updated their data protection processes, and are at risk for large financial penalties.

The seminar touched on key areas such as the following:

  1. Major Differences between the Data Protection Directive 95/46/EC and the GDPR
  2. Overall readiness across the hospitality sector
  3. Capturing and using personal data going forward
  4. Consent and contextual use of personal data
  5. How the GDPR affects repeat business and email marketing
  6. How the GDPR affects third-party data processors
  7. The rights of data subjects under the GDPR
  8. The difference between ‘personal data’ and ‘sensitive data’, and how they should be treated
  9. Other key aspects of the GDPR such as the Data Protection Officer (DPO), Data Protection Impact Assessments (DPIA) and ‘privacy by design’
  10. How to update strategies for websites, data governance, and marketing to become GDPR compliant

My takeaway from this session was that many businesses — small to large — have not made any steps to align their operations and processes with the requirements of the GDPR. Several others are defiantly refusing to address privacy and data protection within their organizations. However, what was gratifying is that I received a torrent of emails in the hours and days after from hoteliers, many of them eager to engage subject matter experts (SMEs) to assist in improving their control framework to meet the rigorous demands of the GDPR. Hopefully, this interest and willingness to improve is sustainable. There’s a lot of work to be done!

 

 

How Secure is Barbados’ New Centralized Healthcare Information System?

health

Think about the following scenario for a minute:

A Caribbean government deploys a health information system (HIS) with the goal of improving the quality and coordination of patient care in the public service. For all intents and purposes, expert consultants from Europe and the USA are brought down to implement the system and to ensure that best practices for securing and protecting sensitive clinical data are used. The project is successfully completed, the consultants leave, and hand off day-to-day management of the system to the government’s IT staff.

The government has no overall IT security policies, procedures and guidelines to ensure that the system and the data housed in it continue to be secure and protected from malicious threats. There are no trained or experienced IT security experts on the government’s payroll. There are no data security standards enforced by the government. There is no data protection legislation in place to provide a control framework for protecting highly confidential healthcare data from being stolen by hackers or to prevent data from being accidentally lost or leaked.

Eventually, all these weaknesses together result in persistent compromises of the system by hackers, and all the private clinical data of the citizens of the country are posted on the Internet or otherwise made available for the world to see.

Does the above scenario make you shudder? I know it scares me to death.

The rest of this article will demonstrate how close to reality this is in the Caribbean region.

In the past week or so, the Government of Barbados informed the public of the launch of their Med Data healthcare information system (HIS) and electronic medical records (EMR) scheme. Let me first commend the government on this much-needed initiative to drive efficiency and improved standards of care in public healthcare. However, I have a number of grave concerns about the manner in which this project has been undertaken.

Data Protection Legislation

First of all, no data protection legislation has been discussed, ratified, and implemented through Parliament. Simply put, healthcare data must be processed fairly and with the consent of individuals, especially as it pertains to whom data is shared with and in what context. Legislation should address key areas such as mandatory data breach notifications, heightened enforcement, heavy penalties for breaches, and expanded patient rights. Moreover, any data protection legislation should have a broader scope and include the management and protection of data in areas outside of healthcare, namely banking, insurance and law enforcement.

In essence, data protection legislation would hold both private and public institutions accountable and liable for damages in the event of a security breach. It would also make it mandatory that all breaches are reported to the public so that data owners can take steps to protect their identities. And finally, it allows for heavy fines to be levied on any institution that fails to maintain strong security controls for data.

Data Security Standards

Secondly, there has been no development of data security standards to accompany the legislation and to provide best practice guidance for accessing, exchanging, transmitting, and storing healthcare data in a secure manner. On a broader scale, the Government has no risk management framework, no IT governance processes, and from an operational perspective, no procedures for responding to IT security incidents. There has been an initiative in play for some time now to create a Computer Security Incident Response Team (CSIRT), but it has stalled due to lack of resources (human and financial).

Given the number of security incidents that have occurred in the public sector over the last couple of years, one would think that government officials would be taking data privacy and security more seriously. Key systems at the Royal Barbados Police Force, Inland Revenue, and the Ministry of Foreign Affairs have been hacked in the last couple of years (and these are only the ones that have been made public or that the government are aware of).

But enough criticism of the government; let’s talk about solutions. There is no doubt that IT governance, risk and control (GRC) is an area that requires major attention from the Government of Barbados. The question is: How do we address these deficiencies?

Recommendations

For one, I would suggest that public officials engage local groups such as the Caribbean Cyber Security Center, Information Systems Security Association (ISSA) Barbados Chapter, Institute of Internal Auditors (IIA) Barbados Chapter, and the Barbados IT Professionals Association (BIPA) to assist them in building the necessary competences to improve the control framework and information security posture of the public sector.

Additionally, an online register of consultants should be established to allow the government to create a repository of world-class professionals — not only in IT, but across disciplines — who can assist them in delivering critical initiatives such as the Med Data project. All the expertise does not reside in Europe or North America. We have talent pools (of awesome individuals) across the Caribbean region that remain untapped.

Another area for improvement is around developing policy and legislation. There needs to be greater engagement of the general public and other interested parties in such processes — effective dialogue is constructive. Mechanisms such as e-participation or crowdsourcing can provide the government with a better understanding of the inherent risks, latent issues or knowledge gaps that may exist in program management and project delivery.

Finally, organizational management and intellectual capital development should be foremost on the minds of public officials. The leaders that we have elected need to think more strategic and create organizational structures that are agile and can respond expediently to the needs and demands of the people and address the key risks that the country is faced with. Centralized strategic planning and oversight of the tactical and operational aspects of IT are needed. Key positions such as the Chief Information Officer and Chief Information Security Officer must be defined and filled appropriately. Government employees have to be trained in disciplines such as project management, risk management, IT service management, business continuity, and cybersecurity.

The aforementioned recommendations are not meant to be a panacea. They are basic parts of a maturity model; one that will permit the government’s risk response mechanisms to evolve to better defend against the threats that exist and emerge. But more importantly, they are of critical importance to building trust in the e-government systems that the public are expected to use. They hopefully should also foster a risk-oriented philosophy that pervades throughout the public sector.

Should We Fear the Era of Ubiquitous Computing?

Eye Looking Over Person On Computer

More and more, technology is becoming an integral part of our lives. In a not so distant future, there will be a major convergence of entire industries in the fields of media, consumer electronics, telecommunications, and information technology. But the approaching wave of the technological revolution will affect us more directly, in all aspects of our lives – it is becoming apparent that our future will be characterized by the appearance of computing devices everywhere and anywhere. This concept is known as ubiquitous computing. Ubiquitous computing encompasses a wide range of existing technological platforms and emerging research topics, including distributed systems, ad hoc sensor networks, mobile computing, location-based services, context-aware computing, wireless networks, machine-to-machine (M2M) communication, artificial intelligence, and human-computer interaction.

Case in point, the functionality in smart mobile devices is constantly expanding into previously unthinkable dimensions. Wi-Fi positioning systems (WPS) and GPS can deliver location services as exact as 10 meters in an outdoor setting. Short-range radio interfaces (Bluetooth, ZigBee, Z-Wave, IrDA, etc.) are creating personal area networks (PANs) that better facilitate intrapersonal communication. Mobile phones can now be employed as personal base stations or “access points” that connect a universe of “smart devices”. As it relates to the unbanked or under-banked, technologies such as Near Field Communication (NFC) and Unstructured Supplementary Service Data (USSD) are allowing more individuals and entrepreneurs to participate in the ever-burgeoning mobile economy. From the perspective of e-health and remote patient monitoring, mobile watches (essentially wearable computers) are able to capture a user’s health data and, if necessary, transmit vital statistics back to a medical center via telemetry. In this regard, new qualities and functions are developing due to the proximity to the body that a normal mobile phone could not previously achieve.

Former IBM Chairman Lou Gerstner conceptualized a “post-PC era” where he foresaw, “…a billion people interacting with a million e-businesses through a trillion interconnected intelligent devices.” Smartphones with high-speed data connections, geo-location positioning, and voice recognition capabilities that contextually interact with their environment are the first indicators of this type of ubiquitous virtual network of technical devices and day-to-day objects. Such developments are only now being realized due to rapid advances in technology. For example, semiconductor technology has progressed to a point where complex functions have been miniaturized; so as to obtain drastically reduced form factors — weight, size and energy consumption. The field of “Body Area Networks” has broken new ground whereby the human body can be employed as a transmission channel for low voltage electromagnetic signals. Touch, gesture and other tactile interfaces can initiate individualized communications, and be deployed for user authentication, personalized device configuration, or billing of products and services.

While determining concrete applications for such technologies is a difficult task, the potential for objects to communicate with each other, use available Internet services, and access large online data stores, is simply mind-blowing. The field of ubiquitous computing, and its array of technologies, is creating linkages between the mundane world and everyday objects, between products and services and capital assets, and between e-commerce platforms and supply chain management systems. They are effectually removing human beings as intermediaries between the real and the virtual world. As a result, new business models are emerging that are providing incremental benefits to manufacturers, suppliers, and customers. More importantly, we are seeing the ultimate creation of a plethora of new services such as the persistent personalization or customization of products throughout their entire life cycle.

Despite the obvious social and economic value of ubiquitous computing, particular attention needs to be focused on the issues of security and privacy. The promise of ubiquitous computers is accompanied by a broadening of the traditional Internet problem of “online history” (i.e. the collection of online user activity into big data sets) to include an even more extensive “offline history”. As such, whereas the online surveillance of individuals has been restricted to Internet usage, there will now be no clear delineation between “online” and “offline” data collection in a world of pervasive smart objects. Without a doubt, this will make the resulting data much more valuable. But who will be deriving value from this data (or more so profiting)? Whereas previously a limited profile of an individual could be “built” through data analytics, a much more comprehensive view of this person and his/her daily activities can be obtained in the ubiquitous reality. The question is: Do we really want others to have this much insight into our lives?

In his lecture, “The Ethicist’s and the Lawyer’s New Clothes: The Law and Ethics of Smart Clothes,” Glenn Cohen asserts that the ubiquity of computers threatens to “disrupt the place of refuge.” He warned that even when we switch off our mobile phones, given the prevalence of smart devices, “we squeeze out the space for living a life.” He concludes, “Lots of people have things they want to do and try but wouldn’t if everything was archived.” Should we expect the government and the rule of law to protect us in the ubiquitous world? In the post-Snowden era, we would be foolish to harbor such false expectations. Taking into consideration that most online surveillance activities are undetectable, the odds of anyone securing a legal claim against corporations or governments are slim to none.

In an ideal world, having business responsible for baking robust privacy controls into their products seems to be an optimal solution. But this means that we have to be able to trust the companies (a tall order in my estimation). Most recently, the technical community, in the form of the Internet Engineering Task Force (IETF), has renewed its commitment to building greater security into Internet protocols such as HTTPS and through the use of Transport Layer Sockets (TLS) and Perfect Forward Secrecy (PFS). However, there are significant limitations in the use of technology-only fixes to enhance privacy and security on the Internet (and ubiquitous computing will be no exception). Operational practices, laws, and other similar factors also matter to a large extent. And at the end of the day, no degree of communication security helps you if you do not trust the party you are communicating with or the infrastructure and devices you are using. With all that has happened over the last 24 months in terms of pervasive online surveillance, should we be fearful of what the ubiquitous era holds for us? I wouldn’t necessarily say that I’m afraid, but neither am I brimming with unbridled confidence.

Mind you, I am not by any means a pessimist. There is no doubt that ubiquitous computing will provide vast opportunities for improvement in the realms of our political, commercial, and personal existence. However, the multitude of concerns around governance, standards, integration, interoperability, security, and privacy will necessitate an effective multi-stakeholder approach. The demand will be for unprecedented collaboration among the technical community, academia, business, and government. My fear is that the concerns of the end user will be largely ignored amidst the jostling for position by the others players.