I was having lunch with an old colleague today who was convinced that the new EU Regulation due to come effective in 2015 or 2016 was going to change everything! What’s more nothing is decided, so everything is floating in the air….
Don’t panic. First the EU Regulation will be based on a foundation of what exists today, i.e. the Directive. The problem with the Directive is that it is not enforced effectively in member states, and the local laws are not a direct interpretation of the Directive. For example each country has interpreted the laws as they understand the directive…now just think about the language challenges, cultural challenges. Each country has their own interpretation of the Directive. What is more is that each member state may have legislation that has been around for a long time that has priority over any data protection law that is enacted, this creates all sorts of issues. For example in Sweden the personal ids of citizens are considered as public records, so they are not protected by the data protection law.
When it comes to enforcement and fines for misalignment with the Directive, some member states have been more active than others. Now this will change with the new Regulation.
Clearly there are aspects that we don’t know. Basically the member states cannot come to an agreement. However what you should focus on is what we know, and that is the incumbent Directive. Use that is your baseline, leave the unknown aspects until later. Believe me you have enough work already!
I was about to write an email to someone I respect deeply about how my thinking on information security had changed since we last met in the summer of 2013. Then I wondered if I’d actually written a blog post on this? I searched and found nothing, so surprised that it is not here. It is pretty straight-forward, on the verge of “obvious my dear Watson” 😉
Clearly security is broken, however hard we work, our security programs interlaced with security technologies are not effective. Our security programs are not watertight.
So here we go:
1. Security is only as strong as the weakest link – an obvious deduction even for the non-security geeks amongst us 😉
2. The weakest link in the chain is the Human Factor of Information Security, something David Lacey wrote a whole book on in 2009.
3. If the identity thing, you know the technology aspect of ‘the human aspect of information security’ had been architected correctly from the start, we wouldn’t be in the shit that we are today when it comes to a water-tight security programmes!
Great read from Panopticon blog… they provide essential legal insights into issues pertaining to personal privacy. Read about what they have to say here.
For those of you that missed this program on SVT2 Avsnitt 9: Big data – så kartläggs hela ditt liv here is the link. It was played this evening in Sweden at 20:00. The program is mainly in English with Swedish subtitles.
I want to know how much you earn because you are applying for a job with my company and I want to check what your present employer thinks you are worth.
This is easy to do in Sweden, and you as the data subject have no idea that this has happened. It is possible for any person to go online and request anonymously your earnings for 2 completed tax years in Sweden at http://www.extrakoll.se/, and the requester to get the information by SMS.
How do you do this is:
- Visit www.extrakoll.se and search for the name of the individual you are investigating;
- Then you will be requested to send an SMS to number 72323 with word INKOMST+code or/and STORKOLL+code;
- You are given choices of payment methods, 20kr or 40kr, depending on which option you choose;
- The earnings for the targeted person for 2 of the previously reported tax years will be sent to your mobile telephone!
There is no way you can prevent others from requesting this information on yourself.
Nevertheless, it is against the EU Directive on Data Protection because you, the data subject are not informed that this information has been requested, and your Personal Identifying Information (PII) is public domain. I am sure identity thieves find extrakoll.se a useful tool to research their victims. I just hope it’s not you!
There has been quite some debate over the replacement of the patient journal system in Region Skåne in Sweden. I’ve been thinking about patient journal systems in general and the challenges with patient confidentiality.
How important is it that patient data is secured and its confidentiality enforced? I guess it depends how sick you are, and who you are, or what you have been treated for. Nevertheless, I feel that not enough debate is ongoing in Sweden concerning the lack of privacy controls on patient data.
It is really more than confidentiality which is an issue here. There is also integrity of patient data… life and death depend on this.
What’s more is that there is a growing trend in America for something called ‘medical identity theft’. This is where your medical insurance is used by fraudsters to get treatment at the expense of the victim. There is more than this, their treatment could cause incorrect diagnosis and/or decisions on treatment by the doctor on the victim, because medical decisions made on the fraudster are included in the victim’s patient journal. This can lead to life and death situation for the victim!
Coming back to Sweden and risks. Medical identity theft I don’t see as a significant risk. Medical care in general is almost free in Sweden, we pay through our taxes, and all regardless to level of income have a right to medical care, thank goodness! So Swedes you can relax for now, and focus can be on enforcing privacy and integrity of your sensitive information 😉
Lots to talk about here, but not now, I’ll pick this up again later!
There is a great conference coming up in Stockholm on 5th November. Apart from the fact I am speaking there, I will be in the company of a great speaker lineup. Last year was very good!
If you want to go, you can register here (http://www.nordicitsecurity.com).
Look forward to seeing you there. I will probably be posting more on this later!