Data Privacy Day is recognised internationally on January 28th, as a day dedicated to empowering individuals and encouraging businesses to respect privacy, safeguard data, and enable trust. At the Barbados Chapter of ISSA (Information Systems Security Association), our members recognise this day as another opportunity to spread awareness of privacy’s importance. It is also an opportunity to highlight recent events and initiatives that affect privacy and personal information and remind the residents and businesses in Barbados of privacy as a human right and part of a profitable business.
Privacy in 2021
The past year has presented several challenges, losses and opportunities with the COVID-19 pandemic. Curfews and work restrictions have forced persons to develop or expand their online sales ventures, often using door-to-door deliveries.
With persons limiting their movements beyond their households, the use of the internet and social media allowed greater visibility for online advertising and sales.
With either a simple website or social media account, cottage industries have flourished, selling food, clothing, household items, accessories and personal hygiene products, to name a few. A flurry of online sales and communication has resulted in countless confidential information transmissions, including names, telephone numbers, emails, bank account information, credit card numbers, and GPS locations.
The storage of this information may remain online on websites, social media platforms and messenger applications for some time.
In the shadows, are we aware of who may also be looking at this information? Can we trust the persons we do business with to appropriately use, protect, and dispose of this personal information once the transactions are complete? How are we sure that this personal information won’t be used for purposes other than intended, or worse, used to do us harm? If either of these were to be the case, what protections do our laws provide to protect us or allow us due process?
With the COVID-19 pandemic, we’ve grown used to contact tracing protocols requiring names, addresses, and telephone numbers at business places and gatherings. What stipulates how contact tracing information is managed from a privacy perspective with no local data privacy regulations? How should this information be stored, how long should it be retained, how is access to this information restricted, what limits it from being used for other purposes, and what is the appropriate disposal process? In the digital space, contact tracing apps walk a thin line of protecting both visitors’ and residents’ health and safety while allowing them the level of privacy they deserve.
Some contact tracing apps require adequate vetting for their functionality and data processes. Additionally, some contact tracing app deployment methods are questionable with some countries requiring the apps to be installed on mobile devices by visitors on arrival.
Organisations must collect contact tracing information for protection and not for profit. Providing free services at the cost of surveillance is a model which Google has perfected since the early 2000s with their “behavioural surplus” model. Their model allows machine intelligence to create valuable data which could then be sold or used directly for targeted advertising.
Using the information it collects about Barbados residents, Google can discern the Barbados economy’s recovery level since the pandemic started. Data about mobility trends for workplaces, public transport hubs, supermarkets, and parks/beaches are available from Google (learn more at google.com/covid19/mobility).
Governments, regulators, security professionals and the public are all concerned with the normalisation of surveillance.
We’ve become numb to the reality of being monitored and accepted it. We’ve grown addicted to “free services” which we indirectly pay for with our private data. Thanks to privacy regulations like GDPR (General Data Protection Regulation), the terms and conditions we agree to while visiting websites and using mobile apps are now being written in a language we can all understand. The mobile devices we carry with us almost at all times are the most significant risk to our privacy.
Data collected from our cellular phones are used to create metadata about us, which is sold, brokered, aggregated, analysed, and used to target us with items for sale. We enjoy using Google Maps to know whether there is traffic up ahead and take an alternate route.
Have we considered how many times our cellular phones transmit data back to Google about our locations to provide details about traffic? A 2018 study found that an Android device signed into Google sent data 340 times in 24 hours.
Recently, Facebook notified users about upcoming changes to WhatsApp’s terms and conditions, indicating their data may be shared with Facebook. Though the move is likely a precursor to integrating WhatsApp with Facebook Pay in the future, the move was met with some backlash. Barbadians have no basis for inquiring about how Facebook would handle their private data without any local data privacy regulation.
The need for regulation
Monolithic companies like Facebook and Google claim they collect data that allow users to be targeted with appropriate content and have the best user experience. Having local privacy regulations empowers Barbadians with the tools they need to protect themselves from companies like Facebook, Google, Apple and Amazon and hold them accountable when they don’t do what is necessary to protect our citizens’ privacy.
The Barbados Data Privacy Act (“DPA”), passed in the Senate on July 24th 2019, is a first step towards providing the level of regulation needed to protect private information entrusted to local and international organisations. The Government is currently filling the Data Commissioner job position and hopefully bringing the act into law soon after. The new regulation’s impact would be most considerable for entities that process sensitive personal information, not just technology, tourism, and medical care practices. Unlike GDPR, which allows some record-keeping requirement exceptions for entities with fewer than 250 employees, the DPA does not. Though there are concerns about the burden of the regulation on small to medium entities, organisations overall need to be mindful of the sensitivity and importance of the information they manage, whether digital or printed.
But what would be the impact if we continue not to have a data privacy regulation, as we continue moving towards a digital economy? Missing from the process will be the ability to respect privacy as a fundamental human right. Regulations help limit the power of companies and governments and empower citizens with the rights they deserve.
Some companies may see Barbados as a haven for unethical activity in the absence of regulations, as some countries have seen with the absence of any regulations around cryptocurrency-related investment products.
Technology is changing so quickly that regulators are finding it difficult to keep pace with changes. In the current Fourth Industrial Revolution, characterised by hyperconnected devices, regulations are needed now more than ever.
Privacy regulations can help businesses better manage and use the information about customers and marketing audience for all interactions and ensure that all data is received with appropriate consent, processed in an agreed manner, adequately secured, retained for only as long as needed and disposed of promptly. Privacy may also be used as an advertising point for businesses. Persons generally feel reassured knowing their privacy is being respected, and organisations operate under the standards of local and international regulations.
Barbados’ prospects are great with a focus on serving citizens and residents, fostering growth even in an uncertain economic climate, and embracing technology as a critical success factor for the economy. However, regulations also play a part in enabling the growth process. Adequate data privacy practices and regulations must continue to be at the top of the agenda if our digital economy is to flourish.
By the Barbados Chapter of the Information Systems Security Association (ISSA).