The collection of Protected Personal Information or Personal Data is not a new phenomenon. Since the early ages, civilizations have collected and kept records of users. However, with the ever-advancing developments in information technology and the changing nature of big tech come new challenges for Personal Information and its exploitation.
In the 21st century the average user shares more information than ever before. This trend has become ubiquitous in our daily lives, as businesses and enterprises collect information at an unprecedented rate, without considering the possible impacts that such collection may have.
The current developments in communication technology and the ever-increasing social connectivity of humanity have added to the demand for the collecting, sharing and possible exploitation of Protected Personal Information. Computers and handheld devices such as mobile phones have lent additional impetus to the collecting, sharing and transmitting of personal information at rapid and ever-increasing rates. This ever-expanding connectivity and collection of information places immense pressure on companies to find data protection solutions that secure the data collected from users.
However, it is not only businesses and enterprises that freely collect and share information. Users of social media platforms also share information in varying quantities, both voluntarily and involuntarily, including via commercial platforms, for example through purchasing activity, loyalty programmes and competitions.
However, it must be borne in mind that information can also be collected surreptitiously by technological inventions such as Bluetooth and Wi-Fi devices.
What data can be classified as Personal Protected Information or Personal Data?
From the outset, many users believe that personal information relates only to their names, surnames, identification numbers, mobile numbers and email addresses, commonly known as Personally Identifiable Information (PII) [1]. This is not incorrect; however, Personal Protected Information is far more than that.
[1] PII: any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, and that can be used for deanonymizing previously anonymous data, can be considered PII.
Most data protection laws, international instruments and regulations define personal information or data as any information directly or indirectly related to the identification or identifiability of a user or of a natural person. Identifying or identifiable data is any specific data that may distinguish us from other individuals or users, where such personal information or data is directly or indirectly related to the user or person. This being said, what is defined as personal information? Personal information can include, but is not limited to, the following:
- Personal information relating to the name, surname, age and date of birth
- Biometric information including fingerprints, facial patterns and voice recognition
- Any identifying number including national identification number, mobile or land line number, e-mail address and physical address
- Online and social identifiers including social networking sites, search history, internet protocols, cookies and location information
- Physical and psychological data including medical records, health and well-being and disability information
- Genetic data including gender, race, colour and information relating to genetic inheritance
With this extreme boom in big data come new and unprecedented risks, with associated challenges and problems relating to the protection of personal information. In the past, organisations would focus on the collection of personal information but neglect the importance of protecting it. Only limited security measures were in place, including security mechanisms such as firewalls and anti-virus. However, these security measures did not lessen the importance of protecting personal information.
Further, the risks associated with data collection and processing, be it manual or automatic, include the accuracy of the data, which could be inaccurate, incomplete or irrelevant, and the unauthorised disclosure of information and data.
Why do we need Data Privacy Laws?
The need for data privacy laws as a regulatory instrument is, more than ever, of utmost importance. Data privacy laws set the regulatory standards for data controllers during the stages of data processing and storing, which include the collecting and sharing of personal information. It can thus be said that data privacy laws set measures aimed at safeguarding the user's data from any possible harm or risk during its processing and storage.
- Data privacy laws allow users to have greater control over their personal information, allowing them to decide for how long and for what specific purpose an organization may collect, store and process their personal information.
- Data privacy laws set standards and regulate those that serve in the information industry, so that they are more accountable and protect users' information under industry best-practice governance.
Risks associated with the collecting and sharing of Personal Protected Information
- Digital and data security risk of more exposure
The enhanced access and sharing of information has resulted in enterprises information systems This may expose parts of the enterprise's information and may lead to digital security threats, including disruption of the integrity or confidentiality of the information collected. The consequences that enterprises may suffer include reputational, competitive, economic, financial and social risk.
- Increased impact of data breaches
Data breaches may cause privacy violations for the users whose data has been exposed. Breaches and their associated privacy violations continue to increase. For example, in 2004 AOL lost 92 million records in a breach, and the latest, as of 2020, was the Combination of Many Breaches, which totaled some 3.2 billion unique breached usernames and passwords.
- Violation of privacy, intellectual property rights and other rights
Data breaches go beyond the breach of personal data and include the security risk of violating contractual and socially agreed terms of data re-use, thus undermining the reasonable expectations of users. Such risks may relate to consent and privacy expectations, contractual terms between third parties and the protection of intellectual property.
- Loss of control of data
Once a user has shared his or her information and consented to have such information re-used or shared, the user loses a certain amount of control over his or her personal data. Loss of control over data is perceived as a major concern by both organisations and individuals. In addition, data lost due to breaches often becomes traded on both the open web and the dark web by criminals attempting to reap financial gain. Once this happens, there is minimal chance of recovering such data. Additionally, traded PII may lead to further impacts as it gets used to access associated accounts or becomes implicated in scams (identity theft).
The data protection landscape has resulted in a tremendous amount of knowledge being shared by technology experts, industry analysts, consulting firms, privacy lawyers and other non-profit organisations that have a vested interest in data security. Yet data security has become an afterthought for many businesses, as organisations prioritize speed and profit over security and data integrity.
Compliance with data protection laws and policy implementation may assist organisations in implementing the data protection that is required throughout their businesses, helping them to mitigate the risks that may engulf them. Sharing information, acquiring expert knowledge and assisting one another in the implementation process may be the key to successful mitigation of cybercrimes and attacks.
With ever-advancing technology and the subsequent collection and sharing of personal information, the necessity of data protection laws is more important than ever before. The associated risks of sharing too much information can lead to increased commercial use and misuse of data and potential exposure to breaches.