After a short break I’m delighted to be back writing my Thursday Thoughts and on a Thursday too! Many reasons for the break in transmission Book Launches, Graduations and Family issues amongst them but mainly it was because there has been a lot of work to do. There have been Subject Access Requests, Data Protection Audits, Policy reviews and writing as well as many conversations had about what you can and cannot do with someone’s personal data (and when you should tell them what you are doing).
So this week I’ve taken a look at things from an individual’s point of view. That’s because there is loads of advice and guidance out there, lots of dire warnings about the risks to your data and advice on what your individual rights are … what there is a decided lack of (IMHO) is sensible advice on how to do things and signposts of where to go for help. So I’ve been through my notes and looked at the topics I’ve been dealing with over the last couple of months and here are the things that come up most often. Feel free to share with your nearest and dearest!
Of course there’s also interesting or essential news from the data protection world in case you’ve missed it. My video of the week is one from Action Fraud which shows the risks we take with our personal data without really thinking about it and the blog of the week from Gabriel Freelander discusses how we can find out what google knows about us all.
What Are My Rights When a Business Has My Data?
You have a right to know how the company is going to use your data when it is shared, with whom it is shared as well as how and when it will be disposed of or deleted. This should be articulated somewhere in a Privacy Notice or policy and this should be written in clear plain English. You also have the right to make a subject access request, you should be informed of a data breach if it will affect your rights and freedoms and depending on how they got the data you can ask the organisation to update, stop processing or erase your data.
What Is a Subject Access Request?
This is a way for you to ask to see ALL the data the company has on you. This will mean they will have to check hard copy files as well as all emails and internal documents that have your data in it and then they need to share this information with you. There is a timescale for this to be completed in (generally one month but for complex requests or in small organisations the period can be extended to 3 months). There are some myths out there so here are some points you may not know:
The company does not have to provide exact copies of emails just your data.
They should explain why they have not provided some information in their response and give you the opportunity to ask them to reconsider or complain to the ICO.
The company is not permitted to release anyone else’s data with yours so you won’t see anyone else’s name, phone number or email address in the response.
Opinions and other comments are likely to be redacted.
References are not usually provided as part of a subject access request.
If you say you want to see everything and there is a lot of data to go through the company are likely to take the full 3 months or longer to comply.
The Right to Be Informed About a Data Breach
You have a right to be informed of any data breach that will affect your rights and freedoms. This should be within 72 hours of the breach happening.
The Right to Be Forgotten
Individuals have the right to ask that data about them is erased or made more accurate. I see this most often used when someone leaves an organisation. It can take some time to locate and remove the data. How this will be achieved differs by organisation and you should remember this is not an absolute right as some information (HR and Tax especially) has to be retained because the law says it must. Other information that has been printed and published may need to be replaced at the next available opportunity.
I Know I Should Protect My Data but I Don’t Know How
Sometimes this is also translated as I just don’t have time to deal with this just now!
The most important thing is to protect your devices and then your accounts. Most devices require a password, thumb print or facial recognition. What you use is up to you but if it’s easy to guess then there is a potential risk. What I am not saying is that if the only number granny can remember is the year of her birth and this is what she uses to unlock the phone you should make her stop. It’s all about the likely risk. If there’s very little on the device, all the accounts are protected by 2FA and granny doesn’t go out much then the risk is much less than if it were your account with internet banking and your whole life on it and you are using 0000 with no other protection.
If you don’t know how to set up 2FA the NCSC has how to guides for all the major platforms and the company you purchase your device from should be able to help you set up protection on the device. https://www.ncsc.gov.uk/blog-post/two-factor-authentication--2fa---new-guidance-from-the-ncsc
Hers are a few thoughts on how to limit how you are tracked across the internet.
Don’t blindly allow tracking cookies 0 ask yourself do the 1400+ companies really need to know what you are looking at. Yes it’s bit of a faff but there are settings on your browser to restrict cookies and websites should have a reject all cookies option.
Check the privacy settings on your tech and accounts. Sometimes they go back to the default “tracking” mode when you update software or equipment.
Report suspicious emails and texts to the NCSC report@phishing.gov.uk or by text to 7726. They can investigate and take it down. You can then block the sender and delete the messages. If it is genuine the company can contact you another way.
Don’t use the same password for everything. Use “ThreeRandomWords”.
Check out haveibeenpwned.com to see if your data is at risk or is on a list of compromised information. Change the passwords on any accounts
Check out as a guest on websites you plan to use once or infrequently. They really do not need all your data.
Treat all links with suspicion whether they are in emails, SMS, WhatsApp, Facebook Messenger or direct messages on other apps. They are all potentially a source of malware. I had something this week with no subject and a sentence saying please click on this link to update your GDPR preferences – NOOO!
If you are asked to pay something for a service you’d expect to be free or told of a delivery you aren’t expecting then check if it’s a known scam.
Check out suspicious phone numbers and email addresses on google.
Remember that some websites track information before you submit it (while the visitor is still typing). If you don’t need to fill in the information leave it blank or make something up.
I Have Nothing to Hide So What Does It Matter What I Post
I hear this most often. But for those who have a social media account and use it often there are things to be careful of. Stuff others could use against us, comments that we make on line stay there forever so it’s helpful to also consider what our future selves would think of our posts. There are also cases where future (or current) employers look at social media posts to check out what they can learn about individuals. You can debate the legality or otherwise of this but it is something that happens time and time again. Here are my top take aways:
By not protecting our accounts with 2 Factor Authentication someone may use information you just posted to hack your account – it is often VERY hard to get an account back if it has been hacked, not only is it frustrating they can also impersonate you and post what they like!
Posting while you are on holiday is great but if you’ve already shared where you live on SM and it’s obvious that your home will be empty while you are away your insurance will be invalid should you be burgled (yes that was a shock to me too).
The organisation you work for (now or in the future) may have strict rules about sharing information and opinions on social media. Make sure you are aware of this before you post something for example about a new client.
Posting means you are happy for it to be public - a post about a great day out when you are on sick leave is likely to get you in trouble with your employer!
WhatsApp is designed for person to person informal communication (it is against their terms to use the standard version for business communications).
What is on a work phone, slack, teams or email account could be released if the company receives a Subject Access Request.
Platforms like YouTube have strict “cyberbullying and harassment involving minors” rules which includes recording and posting about someone “without their consent”. They can take down your account if you infringe this rule.
Data Protection News
Children’s Biometrics
The UK Government has just published guidance on the use of children’s biometric information in schools. From facial recognition to fingerprints if your school is thinking about using biometrics this will be a helpful read. You will find it here: https://www.gov.uk/government/publications/protection-of-biometric-information-of-children-in-schools
UK Data Protection and Digital Information Bill
The new bill was introduced to Parliament. It aims to simplify data protection following BREXIT and could have implications for the UK’s adequacy status. You can follow the progress of the bill or read all 192 pages here: https://bills.parliament.uk/bills/3322
Fake Accounts on Linked In
Fake accounts still appear on Linked In even though it has a system to block a fake account when it is first registered. Last year 11.9 million fake accounts were blocked in the way. Some still fall through the net so be cautions who you accept as a connection.
Apple Lockdown Mode
This will be particularly helpful for journalists and activists but also for those in government who are at risk of being targeted by spyware. Apple’s new lockdown mode will be released in the autumn and will block most messaging attachments, incoming facetime calls and blocking access to the iPhone when it is connected to an accessory or computer when locked.
Broadband Firms Commit to Do More to Help Customers Cope with Global Price Rises
Broadband and mobile operators have commitments to help customers with the rising cost of living. The measures, put forward by the government in consultation with vast majority of the UK telecoms industry, will ensure people struggling with bills due to the economic aftermath of the pandemic and war in Ukraine can continue to make calls, send texts and get online. You can find more details here: https://www.gov.uk/government/news/telecoms-industry-agrees-to-new-cost-of-living-plan-following-government-summit-led-by-digital-secretary-nadine-dorries
Landline Phone Switch Off
You may not know that at the end of 2025 the UK's telephone network is going digital and the current landline phones are being replaced. This means that the old copper network will be switched off and you will need new Digital Voice phones. The changes will affect businesses and domestic customers who have a landline they'd like to keep using. You can read more here: https://www.which.co.uk/reviews/broadband/article/digital-voice-and-the-landline-phone-switch-off-what-it-means-for-you-aPSOH8k1i6Vv
Video and Blog of the Week
Video of the week – Action Fraud -How Private Is Your Personal Data
This is a great video that demonstrates the risks we take with our personal data without really thinking about it. Remember - if something is free often you are the “product”. https://www.youtube.com/watch?v=yrjT8m0hcKU
Blog of the week - Gabriel Freelander - What Google Knows About Me
This is not for the fainthearted but if you want to find out what Google knows about you this blog explains what they hold and how to get a copy of it. https://www.wizer-training.com/blog/what-google-knows-about-me