Young asian woman is pulling elephant outdoorLatest I heard is that some form of final version is coming out on 20 December. Does it mean that it is final? No, not yet. However this does not stop you thinking, and planning next steps in privacy compliance, to get ahead of the crowd, based on what we do know! Why should you start now? Well I’ve written on that already, but to summarize. Because the party hasn’t started yet. When it does, you will know, as the legal guys will be having a party at your expense!

When the party starts, you will know, as the legal guys will be having a party at your expense!

Where should a Privacy Program belong in your organization? And this the fundamental question you need to ask yourself, who owns privacy, is it legal, is it IT operations, or security operations? If you were to look around at global organizations that have privacy programs, you will find that they are sitting under the legal arm, and hence populated with legal guys and girls. (As a side-note, that’s one of the cool things about privacy, there is balanced gender diversity. I even have to queue to the rest-rooms at privacy conferences, which is not the case in information security ;))

So you have an interesting mental activity to occupy yourself over the Christmas and New Year break. Visualize how it’s going to work in your business, as a ‘thought experiment’.  Clearly I have my opinions which I’m going to share with you now…

To give you an appreciation of what lies ahead of you, and why I think as I do. One of the first projects that you will need to task yourself with is documenting every personal data collection point in your organization. For example, a web-page where your customers share their name and address, your sales & marketing engines. Depending on the size and nature of your business, this can be daunting. If you get this wrong, and hand the privacy program to your legal team, you risk creating a chasm in your business between a legal team focused on being ‘legally’ compliant with IT/ security operations, and the executive team. And why? Because nobody in your business understands legal jargon except the legal guys, who basically speak from a ‘legal’ standpoint, and basically no sane individual wants to read and interpret legal text except for a legal guy! The question and challenge is how to map this to your business?

Create a ‘Privacy Architect’ role to be the ‘spider’ in your privacy ‘web’, i.e. Privacy Program

What I see as one of the largest initial risks is that your privacy project risks becoming an enormous elephant that will basically give you indigestion if you try to execute. This is where I say do not bring in the legal guys yet. Get some of your senior information security team that are great architects and PM guys (Project Managers), involved. You need to train them though, but it’s much easier to train these guys in privacy than it is to train legal expertise in your business operations. What’s more if you pull together the right guys, they will thank you, as privacy is such a cool career move! Your privacy team will be motivated and bring loads of energy, a recipe for success in your privacy program.  In fact I would advise you create a ‘Privacy Architect’ role, give them a ‘carrot’ to get certified in privacy and data protection principles (Certified Information Privacy Professional, CIPP). This individual should be tasked to map all data collection points in your business, packaged them into individual projects, and pass them onto project managers, who are trained in privacy -who you could call your ‘privacy champions‘. Your ‘Privacy Architect’ will be the ‘spider’ in your privacy ‘web’. Clearly you need to bring in the legal guys, but do this as, and when necessary.

What is smart by doing it this way you map your privacy program into neat  projects aligned to privacy ‘purpose’ that has in fact been around since 1973!

  • A privacy principle mentioned in Fair Information Privacy Practices (FIPPs) in the US in 1973;
  • ‘Purpose Specification’ privacy principle is 1 of 8, defined in 1980 by OECD  Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. These guidelines have become the framework of privacy practices and regulations worldwide;
  • As 1 of the 11 Privacy Frame Principles (ISO 29100) in 2011, of where it is described as ‘Purpose legitimacy & specification’.

So you have a awful lot to be starting with, and maybe even enough to go beyond the ‘thought experience’ mentioned at the beginning of this article.

data-privacy-000019536561_SmallQu.1 – Who owns personal data, is it the Data Subject or the Data Controller?

Does it really matter? Yes, because by asking this question you can weed out the real privacy experts from those who claim they are experts.

The answer to this question is fundamental to privacy and data protection principles, not just the Regulation. If you get this wrong, you will get it all wrong. The funny thing is that most IT and information security experts will get it wrong.  This is not surprising because they spend most of their working life protecting the intellectual property of their employers and clients, so it would never occur to them that personal data stored by the company (data controller) does not belong to the company, but the data subjects themselves.

Personal data belongs to the Data Subject, not the Data Controller!

So I’m a skeptic, but a deserving one at that, having come from the camp of information security experts myself. I almost cringe at my early consulting efforts to assist one especially large client, who decided that compliance with the Data Protection Directive would be a good thing. I was so focused on the information security aspects that I missed  everything else.

Qu.2 – Privacy is the flip side of the coin to Security?

I often hear that privacy is the flip side of the coin to security, when in fact the inverse is true. These sweeping statements imply that privacy is a part of security, or a mirror of security, or in best case that security versus transparency. However privacy is not security, or purely transparency.  Security is needed for privacy, and this is about as far as the boundaries of security goes within the scope of privacy.

Qu.3 – Privacy is about compliance the same as Information Security, right?

Any individual which claims that compliance with the Data Protection Regulation can be managed under the same umbrella as an InfoSec Program knows nothing about privacy. Much of the Regulation is focused on controlling the collection, quality and processing of personal data. It is about protecting the rights of the data subject. It is about ensuring transparency and openness between the data controller and the data subject. There must be evidence showing that the data controller is taking seriously their role as guardians of the personal data, and in the Regulation this will be strongly enforced.

Qu.4 – This is going to be expensive?

Now it is 2015 and the new Regulation is peeking at us just around the corner. I have during the second half of this year become increasingly concerned that this time and money wasting scenario that I inflicted on some poor client all that time ago, is going to be repeated 100s, 1000s and millions of times across the EU, by 100s, 1000s and millions of young, and older, energetic and enthusiastic information security consultants during the next 2 years and more. It’s going to be expensive unless you take some action yourself.

Qu. 5 – Now where do I start?

So what can you do to help yourself? Apart from the very simple question I posed at the beginning of this article, I have some nuggets of gold, where you can find some privacy wisdom, which you can check out for yourself…

  • If you want to get certified in privacy… read the next bullet point… would love to have you join the global movement of privacy professionals!
  • Visit the International Association of Privacy Professionals (IAPP) website. There you will find the real privacy experts from all around the world. You need to individuals that have the CIPP (Certified Information Privacy Professionals) certifications which can be likened with CISSP in information security. Here you will find experts in privacy that could be technical and/or security and/or qualified in law.
  • IAPP have great conferences globally. I was in Washington in April and Glen Greenvald (Snowden files) was keynote, it was a great place to absorb the amount of expertise on tap concerning privacy and data protection, and to network. The one scheduled to be in Brussels this week was cancelled.
  • They also have local KnowledgeNets around the world (even in the cold Nordics ;)) where you can network with the local privacy geeks.
  • 4 times a year a ‘Privacy After Work’ bash is scheduled wherever there are KnowledgNets, and next is on Data Protection Day, 28 January 2016, let me know if you want to join us for the one in Stockholm!

If you just want a basic grounding – I have just released an online 10 hour training available for only €225 that opens for registration on 1 December 2015. This is great and inexpensive route to get yourself or your privacy champions on boarded with the new Regulation.

I was having lunch with an old colleague today who was convinced that the new EU Regulation due to come effective in 2015 or 2016 was going to change everything! What’s more nothing is decided, so everything is floating in the air….

Don’t panic. First the EU Regulation will be based on a foundation of what exists today, i.e. the Directive. The problem with the Directive is that it is not enforced effectively in member states, and the local laws are not a direct interpretation of the Directive. For example each country has interpreted the laws as they understand the directive…now just think about the language challenges, cultural challenges. Each country has their own interpretation of the Directive. What is more is that each member state may have legislation that has been around for a long time that has priority over any data protection law that is enacted, this creates all sorts of issues. For example in Sweden the personal ids of citizens are considered as public records, so they are not protected by the data protection law.

When it comes to enforcement and fines for misalignment with the Directive, some member states have been more active than others. Now this will change with the new Regulation.

Clearly there are aspects that we don’t know. Basically the member states cannot come to an agreement. However what you should focus on is what we know, and that is the incumbent Directive. Use that is your baseline, leave the unknown aspects until later. Believe me you have enough work already!

64 thousand Swedish identities were hijacked in 2013. Population of Sweden is today around 9,5 million. This means that the crime of identity fraud impacted around 0,8 percent of the Swedish population.

“So what, that’s nothing?” You are thinking….

Nevertheless this is almost 1 in a 100 of Swedish residents who have been a victim to identity fraud in 2013 alone. Hence Sweden is not exempt from the growing trend of identity fraud globally.

However in Sweden it’s going to increase exponentially if Swedish law is not changed. What we can expect is that subsequent years will welcome an influx of fresh victims; that could be you if you are one of the 9.5 million residents or/and citizens of Sweden, your friends, or even your children.

Identity fraud in Sweden will increase exponentially if Swedish law is not changed!

identity-theftFirst a little history on how we got to where we are. Sweden is one of the few countries globally that is organized enough to have implemented a comprehensive personal identity numbering scheme. It was first introduced in 1947 and was probably the first of its kind globally that included every Swedish resident. Unfortunately, the fact that Swedish identities are organized with the use of a uniform identifier, i.e. YYMMDD-xxxx (YYMMDD = date of birth) makes their personal id much more vulnerable to hacking and fraud than a more random generated id. It is easy for an identity fraudster to work out a Swedish identity number using some simple data mining techniques.

For those of you that want a quick summary of how the Swedish ID number is created… here we go..

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person’s birthday, in YYMMDD form.
3. They are followed by a hyphen.
4. The seventh through ninth are a serial number.
5. An odd ninth number is assigned to males, and an even ninth number is assigned to females.
7. The tenth digit is a checksum which was introduced in 1967 when the system was computerised.

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.

To get the last 4 digits, easiest is to call the Swedish Tax Authority and ask, they are very helpful, since the personal identity number is public information

But what does it really mean to have your identity stolen, or hijacked as more often referred to in Swedish popular press? So here is how a Swedish identity could be stolen starting with a name to find the personal id number:

  1. Google the name of the victim, from here the fraudster will find date of birth (ratsit.sebirthdays.se), home address on a cute map, and other information (hitta.se);
  2. To get the last 4 digits the fraudster can ring up the Swedish Tax Authority direct and ask them, it is after all public information, and they are very helpful.
  3. Now the identity thief can go online and order a fraudulent ID card and/or a fake passport using the stolen personal id number. Hence since the personal number is a vital specific identification number to identify an individual is correct but the photo on the ID card or passport is that of the fraudster.
  4. He/she is ready to go on a spending spree at the victim’s expense! If they have no access to the victim’s credit/debit card, they could buy electronic goods on credit with a small down payment (avbetalning). The victim, get to foot the rest of the bill.
  5. A shop assistant when checking the id card, would feel that the details are correct and process the transaction.

And this is just the beginning of the nightmare for the victim. The fraudster can take out additional loans in their name, buy a car, a house, and default on payments in their name. The victim will be blacklisted by credit companies. Cleaning up this mess will not be easy. It will take a lot of energy and time to clear their name. The victim can forget about trying to get a loan or any type of credit at this time.

I guess after all this excitement that the victim will want to remove their personal information from the public domain? Sorry but there is more bad news. It’s quite impossible! Swedish residents have no legal right to protect their personal identifying information in Sweden. In fact credit reporting agencies have permission from the Data Inspectorate (Datainspektionen) to publish your personal information. They get something called an utgivningsbevis that gives them exemption from Personalupplysningslagen (PuL), that costs a couple of thousand Swedish kronor. On the date of this publication there were 913 companies that have been granted an utgivningsbevis. So in Sweden the Personal Identifying Information (PII) of data subjects is public information. Although the data subjects do have some say over the integrity of PII that is published, this is driven by the Kreditupplysningslagen. The Credit Information Act (Kreditupplysningslagen) are required to make changes in their database to correct faults, but the data subjects have no right to be omitted from the register unless they have a ‘protected identity’. Hence all residents in Sweden who are over the age of 16 are included and public.

All of this is despite the Personal Data Law (PuL) that is here to protect personal information of Swedish residents and citizens. In fact in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is in contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from the identities of Swedish subjects. It is a Mad Hatters Party for 931 companies abusing this right at the cost of Swedish citizens/residents!

As a Swedish citizen, I have nothing against companies making money from identities so long as:

  1. I’ve given active consent to this;
  2. I have the choice to have it removed;
  3. and if I have permitted my personal information to be used commercially, I should also be a beneficiary from sharing my personal information.

To summarise. If you are a Swedish citizen/resident your personal information is public information and is being exploited commercially. This exploitation makes you vulnerable to identity theft. You have no control over who publishes your personal information.

It is about time this problem was fixed don’t you think?

Further reading

http://www.datainspektionen.se/press/nyheter/2014/datainspektionen-kan-inte-ingripa-mot-sajt-som-hanger-ut-domda/

http://www.riksdagen.se/en/How-the-Riksdag-works/Democracy/The-Constitution/The-Fundamental-Law-on-Freedom-of-Expression/

http://www.radioochtv.se/en/Licensing/Internet/

http://sverigesradio.se/sida/avsnitt/404038?programid=2778&playchannel=132

I took this from Panopticon Blog concerning the outcome of the Google order. Now what if the rights of the Swedish citizen was to be escalated to the EU courts, would the outcome be the same?

“The first question for the CJEU was whether Google was a data controller for the purposes of Directive 95/46. Going against the opinion of the Advocate General (see earlier post), the Court held that the collation, retrieval, storage, organisation and disclosure of data undertaken by a search engine when a search is performed amounted to “processing” within the meaning of the Directive; and that as Google determined the purpose and means of that processing, it was indeed the controller. This is so regardless of the fact that such data is already published on the internet and is not altered by Google in any way.

The Court went on to find that the activity of search engines makes it easy for any internet user to obtain a structured overview of the information available about an individual thereby enabling them to establish a detailed profile of that person involving a vast number of aspects of his private life. This entails a significant interference with rights to privacy and to data protection, which could not be justified by the economic interests of the search engine operator. In a further remark that will send shockwaves through many commercial operators providing search services, it was said that as a “general rule” the data subject’s rights in this regard will override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name” (at paras 81 and 97).”

Panopticon blog have given a really clear/concise description on the changes to the Subject Code of Practice. The Information Commissioner (.ico) published his new ‘Subject Access Code of Practice’ only yesterday.

What I was delighted to find were rights of data-subjects when in social media context to know how/if their data is being used outside of its original intention. Also that social networking sites need to provide some means for the data subject to request for this information. I was really pleased to find the rights of children included to demand the right of access…. read below that I’ve cut&paste from Panopticon blog.

“a child’s right of access – Data about a child belongs to that child, rather than to any parent or guardian. It is therefore the child which enjoys the right of access to their data, albeit that that right may be exercised on their behalf by their parent or guardian. A variety of considerations come into play when a data controller is asked to respond to a request made by a child directly”

So what is the future for data protection regulation? I came across this very interesting post this morning. I haven’t read it all very thoroughly yet, but I plan too, so be prepared for some discussions concerning this 😉