When we hand over our personal details, what is the first thing we think of? Probably: who is going to have access to this, and what could they do with it? Those are my initial thoughts when I give out my address, email and telephone numbers, and they are thoughts about the security of the data. One does not naturally think beyond the security issues: for example, how long the data is going to be processed and retained for; the fact that records of my roaming calls in Italy are only going to be held on my mobile provider's systems for 6 months; or that the location data associated with my call will be anonymised.
The European Data Protection Directives, and their transposition into member states' legislation, are not just about 'Data Security', although that is a very big part, with severe consequences for non-compliance, financial as well as reputational. Organizations have the responsibility to ensure compliance with these laws, which means understanding both 'Data Security' and 'Processing and Retention'. They need to appreciate that keeping customer data secure (ensuring confidentiality, integrity, accuracy, currency and completeness, as well as availability) does not in itself meet all the requirements of the Directives.
Article 17 of the EU Data Protection Directive 95/46 (security of processing) largely leaves the question of how to ensure data security to the member state and/or the organization itself. It requires that security measures be implemented at both the organizational and the technical level: staff awareness, training, risk assessments and procedures, as well as technical controls and best-practice standards. In other words, you would expect a Customer Service Representative logging onto a workstation to have to enter a password to prove they are authorised to access the data.
However, the law is not so prescriptive as to dictate that passwords must be stored using a specific hashing or encryption scheme, or that authentication must be two-factor; and that is after the Customer Service Representative has entered the call centre office using an access code. Once an organization has implemented appropriate measures to ensure Data Security, further requirements still have to be met to comply with Data Protection: specifically, Data Processing and Retention. Directive 2006/24 (retention of data generated by publicly available electronic communications services and networks) specifies that detailed personal data, such as user IDs, numbers called, and subscriber names and addresses, must be retained for a minimum of 6 months and no longer than 2 years.
Whether it is retained for 6 months or 2 years is not a data security issue, provided the data is held securely for the whole retention period. Data security does not specify what data you must or may collect, or how it must be collected (with or without consent); but once data has been collected in accordance with the directive, it must be kept secure.
The Court of Justice of the European Union has recently declared this directive invalid, as a disproportionate interference with the right to privacy and the protection of personal data. How Member States will amend their national legislation as a result (if at all) remains to be seen. Data security, for its part, says nothing about when and how data must be deleted.
The requirement that billing data be deleted once the period during which the bill may lawfully be challenged or payment pursued has ended (Directive 2002/58, Article 6, for traffic data) is not a Data Security issue either. That one operator might define this period as X days after the billing due date, the nominal billing date or the tax point date makes the data neither more nor less secure.
A starting point for addressing this is organizational: ensuring staff awareness, buy-in and training, and implementing an information security management standard such as ISO/IEC 27001. This must be managed by people who know the legislation (the impending GDPR requires a dedicated Data Protection Officer for many organizations), and of course it needs underpinning technology. That technology needs to be flexible, allowing multiple configurations to support both the matrix of rules and data classifications and the consumer's right to change their mind about consent to process some or all of their data (the focus of the GDPR is on giving the consumer more awareness, autonomy and protection).
You can follow Linda @RegAffairsEMEA