Friday, October 18, 2019

Safeguarding personal data

The ease with which our personal data is being sought, the thoughtlessness in handing over critical data relating to oneself, and the reckless way in which such details are shared in the public domain are scary, to say the least.

Recently, I attended a spiritually oriented event of a very popular and revered person who gives discourses on Ramayana, Bhagavatham, Narayaneeyam and other such spiritual activities, attracting many devotees. At the event, it was announced that an exclusive group was being formed so that interested people could be informed about further events, and a link was sent for joining the group. The link led to a web page that asked for many items of personal data related to the potential member of the group. The page also warned that on submission, the name and photo associated with that particular account would be uploaded! Let me clarify at the outset: I have absolutely no issues with personal data being shared with this particular Group/Event Management team, as they are reliable and reputed, and I have no reason to believe that they could leave the data unprotected, leading to misuse.

But the thought occurred to me: what would happen if the data so given is shared, unintentionally but as part of further processing, with some other third-party organization for maintenance? What is the guarantee of that third party keeping such data secure? What if there is a leak somewhere in this process, wherein data could be compromised, and if so, who is responsible for the same?

So, while the persons seeking data may not be leaking or misusing it, are they aware of the risks and sensitivity of handling the same? More importantly, in a group which is unlikely to be filled with only literates, what is their responsibility in seeking such data? In a belief blinded by other attractions and with some justifiable confidence in this group, many people are likely to share the data. But then, should the data seekers not perform their role and responsibilities in apprising the givers of the risks involved and/or confirming their safety and security by an assurance of non-sharing with others without their consent?

Normally, with some technical know-how, I believe, a reasonable profile outline could be created with one's expanded name, date of birth, contact number, email-id and photo. With the prevailing and proliferating instances of cyber crimes, particularly over online banking transactions, and with innovative cyber crimes like SIM swap springing up every day, while the basic security concern lies with the owner of the data, given the illiteracy and lack of awareness, should the data seekers not apprise the givers of the risks involved, so that the innocence and ignorance of the users are not exploited by some unscrupulous elements?

In another group, filled with bankers who could justifiably boast of at least three decades of banking service, it is still a task to make them understand the risks in sending a mail to all thousand members and the use of BCC in emails! This is a classic case of the data collector unwittingly leaking personal data, which could have damning consequences! Well then, can ignorance be cited as an excuse?

At the entrance of a popular saree shop in Chennai's busy Pondy Bazaar, a young man with a neat necktie was asking for the mobile number of all visitors under the guise of a free prize scheme!!

When the data collected at such different points is collated by anyone with crooked intentions, will it be a huge task to build their profile? The above instances show how personal data is collected with or without any dubious intention, and this is exactly what the common man should be aware of before sharing his data.

I feel fighting cyber crime must be multi-pronged: while the owners need to keep their personal data safe, the data seekers need to ensure the privacy of data collected and also make sure that, before collecting the data, the provider is well informed about the risks involved in sharing. Organizations like banks and other institutions should not only take up measures to ensure that data collected, and also data created out of the data provided and out of the business transactions, is kept secure, but also subject themselves to security audits by recognized bodies or approved and qualified third-party auditors, to gain customer confidence. Right now, these are being held more as a formal exercise towards compliance, but the need of the hour is more towards customer protection than formal compliance to satisfy legal requirements.

My point is that data seekers should be more responsible in asking for data, as such acts could be misused by mischief mongers. For the well-intentioned seekers: apprise the givers of the risks involved and the measures taken to protect their interest, and better not to ask for such data unless they have the ways and means to protect it! More importantly, individuals should be wary of sharing any data unless it is absolutely essential or they feel secure after a basic personal due diligence.

2 comments:

  1. "A good post on the "Responsibility of data seekers". They should be aware. No doubt, they are legally accountable (though in practice, in the event of data theft, it may be difficult from which point the theft ORIGINATED). ......
    Good, Kapali, for starting a nice debate." - Mr V.Rajendran

  2. "You are right, Kapali. Why talk of giving data? If I search the web for any product, there are always some ten ads related to the product or a similar one popping up without my seeking it, even after a day or two" - Mr Bharathkumar