Your personal data has been compromised. You might not be aware of it. It may not even impact your life that much, but somewhere out there are organisations who know things about you that they shouldn’t.
I’m not saying this as a scare tactic. Rather, it’s a reality of the world in which we live, where almost any service we use runs on our personal data. There is a justified call for more accountability from businesses and governments on how personal data is used, which has led to laws like PoPIA (Protection of Personal Information Act) and GDPR (General Data Protection Regulation). But the regulations can only go so far, and it’s important for consumers to understand and take control of their personal data.
I’ve already written about the basics of data privacy for businesses, but what exactly do the rest of us need to know?
What is personal data?
PoPIA - our impending local data privacy regulation - defines personal data fairly broadly. There is the more obvious stuff - medical, financial, criminal or employment history - alongside demographic information such as race, sex, religion, and marital status. Phone numbers, addresses, email addresses and even biometric information are accounted for under the regulation, as well as a more subjective category that includes personal opinions or preferences.
Not all personal data is created equal, however. Your views on pineapple on pizza are not going to have the same weight as your ID number. The context also differs depending on who’s collecting or retaining the data. While there might be reason for a pizza place to know whether you’re pro- or anti-pineapple, there’s no reason for the Department of Home Affairs to have the same information as part of their records.
What about the right to be forgotten? Can I make sure that information that I don’t want out is deleted?
Complicating the privacy question is the right to be forgotten, a principle that aims to give consumers a certain amount of control over their personal information - including the right to delete it. Just this year, a Dutch surgeon won a legal action to have damaging search results about herself removed from Google.
PoPIA does not grant an explicit right to be forgotten, but does allow for the deletion of personal information that is inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or obtained unlawfully. And no, an embarrassing hairstyle does not fall under outdated information, so if you’re hoping to get those dodgy uni pics removed from the internet, you might want to think again.
Many other laws, such as the National Credit Act, place restrictions on how long data can be retained – even where it was legally obtained. This is mostly based on what is deemed to be a reasonable timeframe for an organisation such as a credit provider or bureau to use that information. Different kinds of personal information have their own criteria for removal, and the legal retention periods will vary greatly. Ultimately, the ability to have a piece of personal information deleted will differ depending on context, as well as the purpose for which the information was originally obtained.
In other words, you can’t just complain to the regulator and have your tax records, credit record or employment record removed permanently. Every case is different, and some information - such as the government’s record of your ID number - just can’t be deleted.
What is the role of the ordinary person in all of this?
Regulations like PoPIA and GDPR put the onus on businesses to process customer data responsibly and within reason. It’s the “within reason” part that we should set our expectations against.
It is not reasonable to expect unfettered access to digital society - whether it is renting a home, buying a car or applying for a credit card - without some personal data being processed by other parties. Accessing any kind of service is going to mean an exchange of information - it is ultimately a transactional relationship where data is traded for value.
While it is organisations’ responsibility to be open about what kind of data they are exchanging in these transactions, and what it will be used for, we as consumers are ultimately responsible for making informed choices about who we allow access to our data.
What can I do to take control of my personal data?
You’ve probably figured out by now that there’s no single rule of thumb when it comes to personal data. That doesn’t mean we are powerless to take control of our privacy. There are plenty of ways the average person can reduce the risk that their data is misused.
- Do your research. Before signing up for anything - everything from full contracts to giving away personal details in a form – ensure that you know what you are getting into. Find out what permissions you are giving up on your phone when you use certain apps or what the user agreements say about how your data will be used.
- Practise safe data habits. You wouldn’t give out your credit card details to any random website, so treat your data the same way. How reputable is the website, app, or organisation you are engaging with? Do they have their privacy terms and conditions front and centre? Do they have opt-in or opt-out buttons? If you can’t find information about their privacy and data policies, don’t use them.
- Ask yourself if it’s worth it. As with any transaction, consider whether the value you’re getting is worth what you’re giving the other party. Is giving up your email address really worth that cute cat app? Are you open to being added to a marketing database for a discount or personalised recommendations?
- Know thy data. Keep an eye on what data about you is out there and who has access to it. Under PoPIA, you will have the right to ask organisations (such as direct marketers) what information they have on you - use it. Regularly review your credit and personal information for signs of suspicious activity as these are often the first signs that sensitive data has fallen into the wrong hands. Subscribe to a service, like the TransUnion Credit Alert service, that can help you detect identity theft.
- Don’t just sit back. Take action against those whose actions have exposed your personal data. If you have reason to believe an organisation has misused your data, lodge a complaint with the information regulator - it’s their job to investigate.
- Think beyond PoPIA. It’s not just local businesses you need to apply the above habits to, but the app you download on your phone, the competition you enter online and the information you share on social media.
The most important advice I’d give is to become ‘privacy literate’ by learning about how data shapes the products and services we use every day. The ways in which personal data is obtained and used are only going to increase – already, technologies like wearables are changing the game. It’s up to all of us, as participants in a digital society, to understand the value of our data, including the risks and benefits that come with each transaction.
What questions do you have around protecting your personal information? How well do you understand the world of data privacy, and what effect it has on your life?