Your personal data has been compromised. You might not be aware of it. It may not even impact your life that much, but somewhere out there are organisations who know things about you that they shouldn’t.
I’m not saying this as a scare tactic. Rather, it’s a reality of the world in which we live, where almost any service we use runs on our personal data. There is a due call for more accountability from businesses and governments on how personal data is used, which has led to laws like PoPIA (Protection of Personal Information Act) and GDPR (General Data Protection Regulation). But the regulations can only go so far, and it’s important for consumers to understand and take control of their personal data.
I’ve already written about the basics of data privacy for businesses, but what exactly do the rest of us need to know?
PoPIA - our impending local data privacy regulation - defines personal data fairly broadly. There is the more obvious stuff - medical, financial, criminal or employment history - alongside demographic information such as race, sex, religion, and marital status. Phone numbers, addresses, email addresses and even biometric information are accounted for under the regulation, as well as a more subjective category that includes personal opinions or preferences.
Not all personal data is created equal, however. Your views on pineapple on pizza are not going to have the same weight as your ID number. The context also differs depending on who’s collecting or retaining the data. While there might be reason for a pizza place to know whether you’re pro- or anti-pineapple, there’s no reason for the Department of Home Affairs to have the same information as part of their records.
Complicating the privacy question is the right to be forgotten, a principle that aims to give consumers a certain amount of control over their personal information - including the right to delete it. Just this year, a Dutch surgeon won a legal action to have damaging search results about herself removed from Google.
PoPIA does not grant an explicit right to be forgotten, but does allow for the deletion of personal information that is inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or obtained unlawfully. And no, an embarrassing hairstyle does not fall under outdated information, so if you’re hoping to get those dodgy uni pics removed from the internet, you might want to think again.
Many other laws, such as the National Credit Act, place restrictions on how long data can be retained – even where it was legally obtained. This is mostly based on what is deemed to be a reasonable timeframe for an organisation such as a credit provider or bureau to use that information. Different kinds of personal information have their own criteria for removal, and the legal retention periods will vary greatly. Ultimately, the ability to have a piece of personal information deleted will differ depending on context, as well as the purpose for which the information was originally obtained.
In other words, you can’t just complain to the regulator and have your tax records, credit record or employment record removed permanently. Every case is different, and some information - such as the government’s record of your ID number - just can’t be deleted.
Regulations like PoPIA and GDPR put the onus on businesses to process customer data responsibly and within reason. It’s the “within reason” part that we should set our expectations against.
It is not reasonable to expect unfettered access to digital society - whether it is renting a home, buying a car or applying for a credit card - without some personal data being processed by other parties. Accessing any kind of service is going to mean an exchange of information - it is ultimately a transactional relationship where data is traded for value.
While it is organisations’ responsibility to be open about what kind of data they are exchanging in these transactions, and what it will be used for, we as consumers are ultimately responsible for making informed choices about who we allow access to our data.
You’ve probably figured out by now that there’s no single rule of thumb when it comes to personal data. That doesn’t mean we are powerless to take control of our privacy. There are plenty of ways the average person can reduce the risk that their data is misused.
The most important advice I’d give is to become ‘privacy literate’ by learning about how data shapes the products and services we use every day. The methods by which personal data is obtained and used are only going to increase – already, technologies like wearables are changing the game. It’s up to all of us, as participants in a digital society, to understand the value of our data, including the risks and benefits that come with each transaction.
What questions do you have around protecting your personal information? How well do you understand the world of data privacy, and what effect it has on your life?