Saturday, May 31, 2014

DPO Stories #1 - Hyves digging into personal messages

THE POWER OF STORIES

Stories are timeless, but lately organisational behaviourists and marketers have taken a renewed interest in them, with books like Story Wars and Made to Stick and startups like story.me and GoAnimate. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussion. Note that we keep some things obscure, and that any resemblance to a name or situation you may know is likely to be coincidence. :-)
(This intro will move downward in the next post of this series.)

ONCE UPON A TIME...

Hyves is a social network that is strong in the Netherlands and up until 2012 gave Facebook some resistance in that country. At some point quite a number of renowned Dutchmen are on Hyves, especially politicians, as the 2006 elections are coming up. One of them is Wouter Bos, a candidate for prime minister of the Netherlands.

One night Wouter Glaser, the PR guy for Wouter Bos, calls Raymond Spanjar, the CEO of Hyves, still a startup at the time.

"Raymond, you HAVE to help me!" You can hear the fear in his voice. "I have accidentally sent a message to a girl I met in a bar last weekend via the account of Wouter Bos."

Wouter Glaser handles the private mailbox of Wouter Bos's Hyves account, as the lead of a team to which he forwards questions that need more research. That way he keeps close to the heartbeat of the voters. That evening he had the account of Wouter Bos open on one screen, but... on another screen also his own email, in which he was, among other things, corresponding with a hot girl. As he hit the "send" button, his heart skipped a beat. He saw the profile picture of Wouter Bos.

"Crap!"

He realised that he had sent his pick-up line ("Let's have a drink.")... via the account of Wouter Bos... coincidentally to a blonde, cute female voter of about 25 from Amsterdam. And as the message is signed "Wouter", the mistake is not obvious in itself.

What if the media would get a hold of a screenshot of that email?

"Can you guys delete that message?"

Raymond doesn't know how to do that, so he calls his CTO, Koen. A real techie, Koen sleeps with his phone and his computer next to his pillow. Via a remote login Koen can delete the content of the message. The girl will see that there was a message from Wouter Bos, but what it said remains unknown.

(source: Raymond Spanjar, Hyves, p. 153 - Dutch - freely downloadable here)

COMMENT

Hard to tell whether the story has not been polished a bit to keep a top politician out of trouble. But that is irrelevant to the main dilemma: was it, and is it ever, justified for a social network platform provider to go into the personal messages of its users?

The story doesn't really play out the dilemma for the CEO and the CTO of Hyves. But they should have been worried about their integrity... and about their reputation, should it have come out. Moreover, going into the communication between third parties is quite often a criminal offence. Shouldn't they just have kept out of the mess? In theory, very likely the answer is yes. It is not because something is technically possible that you should do it. And the detail a security practitioner will notice is how possible it was: a remote login from the CTO's bedside was enough to alter the content of a private message, with no approval step, no ticket and no audit trail mentioned anywhere in the story.

In practice, however, they did not keep out of it. And nothing came of it. That happens as well: sometimes the risk doesn't materialise, and in such a case the DPO is often looked at as the boy who cried wolf.
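What the story leaves implicit is the control a platform operator should have had in place before the phone rang: staff access to user content gated on a recorded justification, and every attempt written to a log that cannot be quietly edited afterwards. The following is an added example written for this post, not code from Hyves or from the book; the message store, the ticket-reference format and the policy that an operator may only blank a message, never read it, are assumptions.

```python
"""Gated, audited privileged access to user messages.

Added illustration (not Hyves code): the message store, the ticket format and the
policy that operators may redact but never read a message are all assumptions.
"""
import hashlib
import json
import re
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a privileged action lacks the required justification."""


@dataclass
class AuditLog:
    """Append-only audit trail; each entry embeds the hash of the previous one,
    so deleting or editing an entry after the fact breaks the chain."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def record(self, event: dict) -> str:
        body = json.dumps({"prev": self.last_hash, **event}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"body": body, "hash": digest})
        self.last_hash = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain from the start; any edited or removed entry fails."""
        prev = "0" * 64
        for entry in self.entries:
            if json.loads(entry["body"])["prev"] != prev:
                return False
            if hashlib.sha256(entry["body"].encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class MessageStore:
    """Private messages plus the one privileged operation staff may perform."""
    TICKET = re.compile(r"(INC|LEGAL)-\d{4,}")  # assumed ticket-reference format
    REDACTED = "[content removed by platform operator]"

    def __init__(self, audit: AuditLog):
        self.audit = audit
        self.messages: dict = {}

    def send(self, msg_id: str, sender: str, recipient: str, body: str) -> None:
        self.messages[msg_id] = {"from": sender, "to": recipient, "body": body}

    def redact(self, msg_id: str, operator: str, ticket: str, reason: str) -> str:
        """Blank a message body without exposing it to the operator.
        Refuses without a ticket reference; always leaves an audit entry."""
        if not self.TICKET.fullmatch(ticket or ""):
            self.audit.record({"action": "redact", "msg": msg_id, "operator": operator,
                               "outcome": "denied", "reason": reason})
            raise AccessDenied(f"redaction of {msg_id} requires a ticket reference")
        msg = self.messages[msg_id]
        # Only a hash of the original content goes into the record: a later investigation
        # can confirm what was removed without the operator ever reading it.
        body_hash = hashlib.sha256(msg["body"].encode()).hexdigest()
        msg["body"] = self.REDACTED
        return self.audit.record({"action": "redact", "msg": msg_id, "operator": operator,
                                  "ticket": ticket, "reason": reason, "outcome": "done",
                                  "body_sha256": body_hash})


def demo() -> dict:
    """Constructed scenario mirroring the story: a message sent from the wrong account."""
    audit = AuditLog()
    store = MessageStore(audit)
    store.send("m1", "candidate-account", "voter-123", "Let's have a drink.")
    try:
        store.redact("m1", operator="cto", ticket="", reason="late-night phone call")
        denied = False
    except AccessDenied:
        denied = True
    store.redact("m1", operator="cto", ticket="INC-2006", reason="sent from wrong account")
    intact = audit.verify()
    # Tampering with the log afterwards (e.g. to hide the denied attempt) is detectable.
    audit.entries[0]["body"] = audit.entries[0]["body"].replace("denied", "done")
    return {"denied_without_ticket": denied, "body": store.messages["m1"]["body"],
            "audit_entries": len(audit.entries), "chain_intact_before": intact,
            "chain_intact_after_tamper": audit.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly and it prints the outcome of the scenario: the redaction without a ticket is refused but still logged, the one with a ticket replaces the content while recording only a hash of what was removed, and editing an earlier log entry afterwards breaks the hash chain. A hash chain only detects tampering; to prevent it, the log has to live somewhere the operators who are being audited cannot write.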

Obviously there is also a moral of the story for email / social media users: before you send, check not only the content and who you are sending it to (there are tons of stories about that), but also which account you are working in.

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? If so, please do.

Friday, May 30, 2014

Fait Divers - The Origin of "Spam"

Spam, basically, is the flood of messages that are mass-sent and unsolicited.
  • They are not per se commercial in nature. Not-for-profit organisations, e.g. political parties, religious activist groups, etc, can just as easily engage in sending spam.
  • They are also not per se unwanted or without added value. It is very likely that in the millions of recipients, some people are interested in the content.

The term "spam" is said to originate in a scene from the Monty Python's Flying Circus TV series (season 2, episode 12, of 15 December 1970).
Being a meme, it was then used on early "social media" like bulletin boards and chat rooms to interrupt the conversation with quotes from the scene, and later for any kind of meaningless message. And that is how it entered the realm of ICT.

Wednesday, May 28, 2014

Periodic Awareness Tip #4 - Make It Personal

INTRO

Raising awareness amongst your company's staff is key as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably though, you try out different angles every time again, as information overload and boredom settle in quite rapidly. So we periodically and in no particular order share some awareness raising materials. 

VIDEO


"This could REALLY happen to us," is about where you want to get with your message. Realistic scenarios may trigger that reaction.

CALL TO ACTION

Please do comment on these posts: is this useful? what have you used in your organisation to engage the colleagues? how do you measure success? etc.  
Specific: how do you make awareness action realistic?

Wednesday, May 21, 2014

Periodic Awareness Tip #3 - Social Media

INTRO

Raising awareness amongst your company's staff is key as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably though, you try out different angles every time again, as information overload and boredom settle in quite rapidly. That  is why I periodically and in no particular order share some awareness raising materials.

VIDEO


Ellen DeGeneres has a talk show in which (for a period of time) she rummaged through the Facebook pages of members of her audience. With the reach of that show she may have done quite a lot to teach people how (not) to behave on social media. This is just one example; search for The Ellen Show and "You posted that on Facebook?" and you will find tons more. Again something that may spur the discussion in the hallway and near the water cooler.

CALL TO ACTION

Please do comment on these posts: is this useful? what have you used in your organisation to engage the colleagues? how do you measure success? etc.  
Specifically for this one: how do you raise awareness on the (mis)use of social media?

Wednesday, May 14, 2014

Periodic Awareness Tip #2 - Movie clips

INTRO

Raising awareness amongst your company's staff is key as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably though, you try out different angles every time again, as information overload and boredom settle in quite rapidly. That is why I periodically and in no particular order share some awareness raising materials.

VIDEO


It does not always have to be a clip specifically made for data protection / security awareness training. Sometimes movie clips can be eye-openers as well or at least enough to start the conversation around the watercooler. Stories and discussions, even light-hearted, do engage co-workers.

CALL TO ACTION

Please do comment on these posts: is this useful? what have you used in your organisation to engage the colleagues? how do you measure success? etc.  

What are movie clips you would use for the purpose of awareness raising?

Tuesday, May 13, 2014

ECJ on search engines and the right to be forgotten (in a way) - C131/12

Today, 13 May 2014, the European Court of Justice has delivered its judgment in a case in which a Spanish citizen demanded that Google (USA) and Google Spain stop showing links to two newspaper articles as results of a Google search on his name.
The official reference to the case is C-131/12. It can be found on the website of the ECJ, as well as a press release (pdf).
First of all the ECJ had to apply the rules on the scope of the EU Personal Data Protection Directive (Directive 95/46/EC).
  1. Is a search engine processing data? Yes (nr. 28-31).
  2. Is a search engine processing personal data? Yes, even if it also processes other data (nr. 27).
  3. Is the operator of a search engine a controller? Yes (nr. 33 + 41), as the case may be jointly with the publisher of the data (nr. 40), who for his part may set up technical barriers to keep his pages out of the search results.
  4. Is EU law applicable? Is there a territorial link? Yes (nr. 59), a.o. because Google Spain, although a separate legal entity, is to be considered an establishment of Google (USA), as it recruits advertisers whose ads are placed next to the search results (nr. 55-57).
Then the ECJ had to look at the rights of the data subject in relation to the search engine operator:
  1. Can a data subject exercise the rights (s)he is granted in the law vis-à-vis the search engine operator? Yes, as the search engine operator is a controller (nr. 83).
  2. Shouldn't the data subject first and foremost address the publisher of the data? No: that requirement could undermine the protection offered by the law (nr. 84), and/or the publisher may be able to justify the publication (nr. 85-86).
  3. Is there such a right as a "right to be forgotten", even if it is not explicitly mentioned in the Directive, by mere interpretation of the "right to block" or the "right to object to processing"? In a way, yes (nr. 94-96), but that right is to be balanced against the rights of the general public (nr. 97-99), e.g. when the data subject is a public figure, in politics or so.
This obviously is a very short summary of the court's decision. I hope you are interested in reading the entire text.

Wednesday, May 7, 2014

Periodic Awareness Tip #1 - Means

INTRO

Raising awareness amongst your company's staff is key as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably though, you try out different angles every time again, as information overload and boredom settle in quite rapidly. So let me periodically and in no particular order share some awareness raising materials. Let's aim for once per week and we'll see where we can get.

Side note: as this week is the Asian Data Protection (Awareness) Week, there are a lot of materials to be found that were developed especially for the occasion. The same goes for 28 January of each year, which has been proclaimed Data Protection Day. Those are moments to harvest new ideas and sow them in your organisation for the rest of the year.

VIDEO


I like this video as it shows, in a fun way, that data can be protected with the means one has. In my experience a concern a lot of staff members have is: "but I don't have the means". That can be true to a certain extent, but one can already do a lot with the means at hand.

CALL TO ACTION

Please do comment on these posts: is this useful? what have you used in your organisation to engage the colleagues? how do you measure success? etc. 

Thursday, May 1, 2014

EU Data Protection on one slide


I tend to explain European personal data protection based on this one slide. It covers the basic notions which are then used to dig deeper in further sessions. 


We will go through the five areas on this slide. 

  1. The "when?" or the scope;
  2. The "who?" or the players on the stage;
  3. The "why?" which is both positive and negative;
  4. The "what?" or in this case the general goal of the regulations, and the bridge to the last part;
  5. The "how?" or the rather technical rules the (European) legislator has set to process personal data, which I like to present as this quadrant or flower if you wish, which can later be unfolded as we enter into more detail.

So let us skim through it, to lay the foundations on which we will build later on.


First, when do the (European) data protection regulations apply?

Remember four words: "processing of personal data", which is a broad concept. There is some more to it, as there also has to be a jurisdictional link with Europe; but the activity in scope is "processing of personal data".

Personal data is defined as "any information relating to an identified or identifiable natural person" (the data subject). The data subject is considered to be identifiable when he or she "can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity". So we are not only talking about your identity card, but also about all information that is linked to your social security number, to your DNA or fingerprints, to your LinkedIn or Facebook profile, to your photograph, to your telephone number, to your customer or credit card number, etc. And there is the growing angle of combining so many data points that 'only you' come out, often referred to as big data analytics.
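To make the last point concrete: a dataset with the names stripped remains personal data when the attributes that are left, taken together, fit only one person. The following is an added example and not part of the original post; the records and the choice of quasi-identifiers (postcode, birth year, sex) are constructed sample data.

```python
"""Does a combination of 'harmless' attributes single a person out?

Added illustration, not from the original post: the records and the quasi-identifier
columns below are constructed sample data.
"""
from collections import Counter

# Constructed sample: names already stripped; postcode, birth year and sex remain.
RECORDS = [
    {"id": 1, "postcode": "1011", "birth_year": 1985, "sex": "F", "condition": "asthma"},
    {"id": 2, "postcode": "1012", "birth_year": 1987, "sex": "M", "condition": "diabetes"},
    {"id": 3, "postcode": "1012", "birth_year": 1985, "sex": "F", "condition": "none"},
    {"id": 4, "postcode": "1012", "birth_year": 1985, "sex": "F", "condition": "asthma"},
    {"id": 5, "postcode": "1013", "birth_year": 1990, "sex": "M", "condition": "none"},
    {"id": 6, "postcode": "1013", "birth_year": 1990, "sex": "M", "condition": "migraine"},
    {"id": 7, "postcode": "1013", "birth_year": 1981, "sex": "M", "condition": "none"},
]
QUASI = ("postcode", "birth_year", "sex")  # attributes an outsider may plausibly know


def key(record, quasi=QUASI):
    return tuple(record[q] for q in quasi)


def class_sizes(records, quasi=QUASI):
    """How many records share each combination of quasi-identifier values."""
    return Counter(key(r, quasi) for r in records)


def k_anonymity(records, quasi=QUASI):
    """Smallest class size; k == 1 means at least one person is unique in the set."""
    return min(class_sizes(records, quasi).values())


def singled_out(records, quasi=QUASI):
    """Ids of the records that no other record matches on the quasi-identifiers."""
    sizes = class_sizes(records, quasi)
    return [r["id"] for r in records if sizes[key(r, quasi)] == 1]


def link(records, known, quasi=QUASI):
    """What an outsider learns from public facts (postcode, birth year, sex)."""
    return [r for r in records if key(r, quasi) == known]


def generalise(record):
    """Coarsen to postcode area (3 digits) and decade of birth instead of exact values."""
    g = dict(record)
    g["postcode"] = record["postcode"][:3]
    g["birth_year"] = record["birth_year"] // 10 * 10
    return g


if __name__ == "__main__":
    print("k =", k_anonymity(RECORDS), "unique records:", singled_out(RECORDS))
    print("linked from (1011, 1985, F):", link(RECORDS, ("1011", 1985, "F")))
    coarse = [generalise(r) for r in RECORDS]
    print("after generalisation k =", k_anonymity(coarse), "unique:", singled_out(coarse))
```

On the sample, three of the seven records are unique on the three attributes (k = 1), and someone who knows one person's postcode, birth year and sex recovers that person's record, medical condition included. Coarsening to postcode area and decade of birth lifts the set to k = 2 and nothing can be singled out any more; checking this before calling a dataset "anonymous" is the difference between being in and out of scope of the rules described here.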


Processing is defined as “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” We can fairly say that is almost everything you can do with personal data.

 
Second, who are the players on the stage of this all?

The protagonist, the lead character, is the data subject. He or she is the natural person to whom data is linked to make it personal data.

The antagonist, the character opposite the data subject, is the controller. It is the body, often a corporation or government, “which alone or jointly with others determines the purposes and means of the processing of personal data”. If the latter is determined by law, the law can indicate who the controller is. The controller is the prime target of the (current) (European) data protection regulations.

And thirdly there is the sidekick of the controller, the processor. It is the body, often a corporation, distinct from the controller or his staff, which following the instructions of the controller does (some of) the actual processing on behalf of the controller.



Now that we know the major notions of the scope and the players, and before moving on to what should be done and how, let us look at why you should be interested in the rest of the story. Well, there are the three perspectives of the players.

  a. The data subject wants to know what his rights are under the law.
  b. The processor wants to know what the controller is required to do under the law, to understand
     1. in cases where agreements are negotiated
        i. why the controller wants a written agreement with him,
        ii. what clauses are the minimum the controller needs to have to be compliant;
     2. in cases where the processor for whatever reason wants to work with standard terms and conditions
        i. how he can draft terms and conditions that a customer-controller, subject to the law, can and will (more easily) accept,
        ii. (or, to move even a step further on the ladder of customer "service") how he can facilitate things for that customer-controller, subject to the law, not in the least to convince its lawyers, compliance or information security department, or data protection officer, e.g. by providing clear, to-the-point information in the contracting phase and by providing third-party audit assurance during the execution of the agreement.
  c. And last but not least, the controller wants to comply with the law
     1. to avoid negative consequences:
        i. fines and other sanctions,
        ii. the hassle of a procedure or even an investigation by the data protection authorities on his premises,
        iii. reputational damage should a non-compliance (a breach, but others like inappropriate use of data as well) make the news headlines or start a protest on social media,
        iv. being the target of active hacking;
     2. (but more and more also) to reap the positive benefits of compliance:
        i. to give comfort to their customers and staff, or even better to make them proud to be part of such an "ethical", "respectful" community,
        ii. to differentiate themselves from their competitors, and thus to use it as a marketing tool,
        iii. to leverage it into better internal procedures,
        iv. to be prepared when, unexpectedly, there is an incident, so that they can profit from the "remote miss" advantage.


I hope you are convinced ! At least to continue exploring the rest… 

So now let's jump back to what is regulated. The (European) regulations mainly want to support the unified market of the European Union. Therefore there has to be free flow of goods, people, capital and services, but also of information and (personal) data. However, for the member states to trust each other, a bar of minimum protection of that data had to be set, to allow a free flow of personal data (in Europe). To set that bar the European legislator has looked at information theory, and has chosen to put the data subject and his trust and (reasonable) expectations central. Around that it built the rule set that primarily targets the controller.
The regulations themselves are, at present, mainly set out in a 1995 Directive (Directive 95/46/EC).
A Directive is, in short, a legislative tool for the European legislator to indicate what the member states should implement in their national legislation. So the Directive by itself is in principle not meant to have immediate effect in the member states' jurisdictions. That is the reason why the actual implementation may (slightly) differ from member state to member state.

But the big pillars can in my opinion be presented like this. The controller should be in control of the data he processes, as he received a “mandate” (if you want) from the data subject to process the data and he should live up to the trust the data subject gave him. 
  • That trust is purpose bound. The data can only be used for a certain finality. And that finality, purpose or goal will impact how the data is processed at the start (the collection), during its lifetime (keeping it accurate), and at the end of its lifetime (when it should be deleted).
  • For each use of the data there should also be a legitimate basis. As a baseline there are six theoretical legal bases, of which most corporations that are controllers can only use four. Next to that baseline, there are more specific rules for
(a) special categories of data like sensitive data or judicial data, and
(b) the case where the data is (partially) processed outside of the European Union.
  • Thirdly, the regulations require transparency on the data processing, both to the data subject (best known as "privacy statements") and to the authorities (in notifications that sometimes require the authorities to allow the processing).
  • As a fourth pillar I use the broad concept of organization. Obviously the controller has to organize for the other aspects as well, but here we are looking at
(a) the internal governance and accountability, which is a link to your general organizational structure and (risk) management, including outsourcing (to processors);
(b) the organizational and technical measures to secure the data, more or less your classic information security;
(c) how the organization should be able to promptly react to a data subject exercising one of the rights acknowledged by the law.

These four pillars should be respected throughout the data processing, end-to-end from collection to deletion of the data.
They should also be applied proportionately: the higher the (reasonable) expectations of the data subject, or the larger the divergence from them, the more effort is warranted. In other words, the implementation effort should be in line with the importance of the data in terms of volume and sensitivity.

All this may still sound a bit abstract. That is why in follow-up presentations these aspects will be further elaborated.

Hope you follow along on the journey.



(CALL-TO-ACTION: should anyone with a good voice be willing to read this post into a microphone and send it to me as an audio file, to assemble it under the slide in a video, I would be very grateful. I tried doing it myself, but my voice does not seem to lend itself to this kind of work. :-))