Protecting your personal information – The Royal Gazette | Bermuda News, Business, Sports, Events, & Community

Log In

Reset Password
BERMUDA | RSS PODCAST

Protecting your personal information

What concerns would you have if somehow your medical information was obtained by your employer or your financial information was retrieved from a dumpster? I suspect most people would be really upset.

In this advanced digital age, when data can be moved around easily, the need to protect our own personal data has never been more important. However, several times a week we each have to complete a form or enter information into a web site to register for something where we are sharing some of this data, moving it away from our own control.

So what assurances do we have that the company with whom you have shared some of your most sensitive data will protect it as much as you would like? Well, it all comes down to basic trust, which is just not good enough. Bermuda lags behind many other countries in terms of personal data protection laws that require a company to protect your data. Other jurisdictions have had legislation in place for several years.

For instance, in the United States there are a number of laws which address the protection of personal data including:

State legislation for “Personally Identifiable Information” or PII which mandates that data about a person that are held by a company be given the appropriate level of protection. Among such data are full name, a national identifying number, address and finger prints.

Health Insurance Portability and Accountability Act (HIPAA) imposes very strict requirements on how personal health information is to be handled and secured.

Gramm Leach Bliley Act (GLBA), also known as the Financial Services Modernization Act (FSMA) while broad in nature, also includes very strict privacy requirements for non-public personal financial data.

The credit card industry is somewhat different, in that several years ago, in a successful strategy to fend off federal legislation, the card associations (Mastercard, Visa, Amex, Discover etc) joined forces to develop security standards for the handling of credit card data. The standards are called the Payment Card Industry Data Security Standards (PCI-DSS) and are enforced worldwide. Failure to adhere to the requirements can result in a company being unable to accept credit cards for payment.

The EU has had the Data Protection Directive in place for over 20 years and it is comprehensive in nature in terms of the regime it imposes for the protection of personal data. Comprised of eight principles, the Directive requires that:

an individual be notified of data being collected

the data are used only for the purpose stated

only the required data are collected

the data are accurate

the data are retained for the minimum period of time

the data are processed in accordance with the rights of the data owner

the appropriate security controls are applied to protect the data

The eighth principle is that the data cannot be transferred outside of EU unless the jurisdiction to which the data are being moved also has EU-sanctioned data protection laws. It is this principle that causes problems for multinational companies where there is a need to consolidate personal data across their multiple locations.

Apart from a simple desire for privacy, the threat of identity theft is real, as it is may not be that difficult for a perpetrator to gather the necessary personal information to “become you”. While some companies do not need legislation to incentivise them to implement the necessary security controls, other companies, when facing a tough economy and pressure to reduce expenses, may not implement controls unless legally required to do so.

I expect that at some point in the next 24 months, Bermuda’s own form of personal data protection legislation will be proposed. It is likely that it will look similar to that of the EU as the ability to exchange data with entities in the EU will require it to be so. Whenever it is proposed, it is important that individuals and companies participate in the consultation process to ensure that the correct balance is struck between the rights of an individual to protection of personal information and the ability of a company to protect it, practically and economically.

Ronnie Viera, CISSP, CISM, CISA

Disclaimer: Views and comments expressed are personal and do not necessarily represent those of Mr Viera’s employer.

You must be Registered or to post comment or to vote.

Published February 15, 2012 at 1:00 am (Updated February 15, 2012 at 6:54 am)

Protecting your personal information

What you
Need to
Know
1. For a smooth experience with our commenting system we recommend that you use Internet Explorer 10 or higher, Firefox or Chrome Browsers. Additionally please clear both your browser's cache and cookies - How do I clear my cache and cookies?
2. Please respect the use of this community forum and its users.
3. Any poster that insults, threatens or verbally abuses another member, uses defamatory language, or deliberately disrupts discussions will be banned.
4. Users who violate the Terms of Service or any commenting rules will be banned.
5. Please stay on topic. "Trolling" to incite emotional responses and disrupt conversations will be deleted.
6. To understand further what is and isn't allowed and the actions we may take, please read our Terms of Service
7. To report breaches of the Terms of Service use the flag icon