LWC 24/7      Press      Articles      News      Careers    
 




Archives:
  • November 2007
  • December 2007
  • January 2008
  • February 2008
  • March 2008
  • April 2008
  • May 2008
  • June 2008
  • July 2008
  • August 2008
  • October 2008
  • November 2008


    • Labels:
    •

     RSS feed

    If you would like to comment, please review our privacy policy and send an email to comments@leewhiteconsultants.com.

    Comments will be moderated and can be edited for length and clarity.


    LWC 24/7 Blog

    18 November 2008

    Permission is the key

    Whilst unwanted electronic messages to natural persons are already taboo in the Netherlands, as of July 2009, spam will be completely prohibited - extending the illegality of spam to cover companies and other organisations. Indeed, this is the result of a modification to the existing Telecoms law.

    Companies or organisations continuing to spam after the 1st of July 2009 can be punished with a maximum fine of 450,000€. If spam is still sent, then a complaint is possible on the spamklacht.nl site. The OPTA (Independent Post and Telecoms Authority, the Netherlands) will be supervising compliance to the law. Only upon explicit permission to receive such electronic messages (including SMS and faxes), can these be sent to the receiving party.

    And what is the situation in Belgium?

    In Belgium, permission is the general rule, with a limited number of exceptions.

    With the Belgian E-commerce law, the opt in rule for publicity electronic messages is in effect. One can only send electronic messages for publicity purposes where there is a preceding authorisation. Also, the commercial communication, including its presentation, must be immediately recognisable to the receiving party as being such upon receipt of that communication. If this is followed, then it is technically not spam.

    However, the opt-in rule is subject to a few exceptions, making it a soft opt-in approach:

    First Exception: Own customers/clients
    The rule is exempted where the commercial communication is aimed at the organisation's own customers/clients (natural or legal persons). This exception only applies in the following conditions:

    a) The organisation has directly obtained the contact data of the person concerned in the course of a sale of a good/service. [NB: The privacy law concerning the collection of such data must be respected].

    b) The electronic contact data are exclusively used for similar products and/or services which the organisation itself provides.

    c) The organisation gives the customers (when the electronic data are collected) the possibility of objecting to the use of such data in an easy manner and free of charge.

    Second Exception: Legal persons
    The opt-in rule is exempted if the following 2 conditions are met:

    a) If the contact data is impersonal, and

    b) If the product promoted is intended for that legal person.

    Hence, by laying down these ground rules, one can surely see that there is no room for spamming.

    So get the intended recipient's permission first if you can't resist sending that commercial communication of yours!

    Labels: , , , , ,

    posted by Legal Observer on Tuesday, November 18, 2008  0 Comments

    27 October 2008

    Data Handling Procedures

    So, here we are again with another case in the series of data handling blunders. The recent careless use of personal data of the Luxembourg branch of Kaupthing bank confirms that proper data handling procedures are crucial. Email addresses of customers were leaked due to the misuse of email.

    Inadequately defined procedures for data handling can, and will lead to improper and careless handling of personal data. We've seen this occur countless of times. For example, not too long ago, 25 million records were lost by the HM Revenue and Customs and according to the investigation, the problem was not with individual workers, but due to the lack of processes for data handling.

    All organisations should have reasonable security measures to protect personal data from misuse, loss, unauthorised access, and abuse. These measures can be stated in a Data Handling Manual, and must be implemented in a way where all concerned parties are well informed of the handling procedures. It is simply a guideline for handling personal data that should and must be adhered to by all in an organisation.

    Unfortunately, in most companies, not only are such manuals non-existent, but where there is such a manual, it is usually collecting dust in some shelf and most employees and contractors are not even aware of or do not adhere to the manual. The other problem is the fact that lack of adherence is usually not noted or if it is, it is not reprimanded regularly - well, at least until a big foul-up happens and becomes the headlines of major newspapers.

    It is perhaps more than timely for organisations to draw up these guidelines and train their personnel, ensuring regular audits to maintain adherence - in addition to appointing data protection officers and registering processes of personal data.

    If you would like some help in customising a data handling manual, please review our privacy policy and then contact Lee & White Consultants.

    Labels: , , ,

    posted by A_Voice on Monday, October 27, 2008  0 Comments

    29 August 2008

    Protecting People's Data

    Confidential Data TheftOne of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

    Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

    Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

    Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

    They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

    According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

    Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

    Labels: , , ,

    posted by IT Observer on Friday, August 29, 2008  0 Comments

    27 August 2008

    When Friends Sell You Out for a Date

    A Belgian dating website known as nicepeople.be has been sued by its competitor, toietmoi.be for requiring anyone who registers with them to give e-mail addresses of 5 friends. These people are then spammed with invitations to join nicepeople.be. It is nice to know that your friends can sell out your e-mail addresses in exchange for a bit of fun on a dating site - NOT.

    Nevertheless, applause goes to the Belgian court for convicting nicepeople.be of sending unsolicited e-mails and spamming these third parties' inboxes. Punishing them with a 10,000 EUR fine is a good start and indeed, it is high time precedence is set for these privacy law-breaking websites and the people behind them.

    The only question is, is there any way of stopping your friends from throwing in your e-mail addresses and any other personal information to the wolves? We know that the data protection law does not cover handling of personal data in the course of household activities, but what can we truly consider as being a strictly household activity and where do we draw the line? If it were up to me, the law should apply to these friends as well.

    Labels: , , , ,

    posted by A_Voice on Wednesday, August 27, 2008  0 Comments

    When selling a computer is more than selling a machine

    The frequency of one's personal data being so loosely taken care of is growing alarmingly fast these days. Then again, is it only now that such data is being mishandled, or has it been the case all along? Perhaps horror stories of mishandling of personal data have only recently emerged in the news owing to a growing awareness on the importance of privacy? If that was true, imagine the number of years gone by without our knowledge of the immensity of the abuse and mishandling of our personal data!

    So what is the current horror report on personal data floating around?
    "Bank customer data sold on eBay" - how does that sound? Frightful, I should think.

    Yes, this is one of the latest reports by the BBC News concerning the commencement of an investigation into how a computer containing bank customers' personal data was sold on eBay.

    According to the report, the computer was purchased by an IT manager for GBP77 and contained sensitive details of customers of three companies - including Royal Bank of Scotland (RBS) and its subsidiary Natwest, on its hard drive. Some of the details included customers' signatures, mothers' maiden names and mobile phone numbers.
    Now, was this due to carelessness and negligence on the part of these banks? How did the computer get on the eBay market for sale? All will be revealed after the investigation, I suppose.

    However, it surely does not look good for these banks to have made such a blunder - since security and protection of personal data is of utmost importance and this is a duty that should never have been shirked in the first place.

    Labels: , , ,

    posted by Legal Observer on Wednesday, August 27, 2008  0 Comments

    This page is powered by Blogger. Isn't yours?
     

      Contact

    Legal Notice - Privacy Policy  

    © 2003-2008 Lee & White Consultants®. All rights reserved.