{"id":38938,"date":"2023-03-10T08:57:19","date_gmt":"2023-03-10T13:57:19","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=38938"},"modified":"2023-10-20T05:09:10","modified_gmt":"2023-10-20T09:09:10","slug":"data-collection-privacy","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/data-collection-privacy\/38938\/","title":{"rendered":"The one data privacy principle no one talks about"},"content":{"rendered":"<p>Let\u2019s say there\u2019s a short form on your organization\u2019s website visitors use to sign up to receive company news. They\u2019re asked to give their name and email address. One day, you hear colleagues in marketing are going to add something to the regular company news email those sign-ups receive: Promotions of partner companies\u2019 products.<\/p>\n<p>Are your data protection alarm bells ringing? They should be, but if they\u2019re not, you\u2019re not alone. Purpose limitation is a data security principle many are unfamiliar with. Understanding it will help you reduce data security and data privacy risks and show your customers you respect their data.<\/p>\n<h2>What is purpose limitation?<\/h2>\n<p>Purpose limitation has two parts. First, when you gather anyone\u2019s personal information, your organization must be clear about how it will use the information from the start. Second, you must not use the data for another purpose. Much data protection regulation around the world includes some kind of purpose limitation requirements, notably the EU\u2019s <a href=\"https:\/\/www.kaspersky.com\/gdpr\" target=\"_blank\" rel=\"noopener nofollow\">General Data Protection Regulation<\/a> (GDPR.) 
Under GDPR, organizations must document the data\u2019s purposes and specify the purposes in the privacy information they supply.<\/p>\n<p>But why does purpose limitation matter? Surely if someone chooses to give their data, your organization can use it without limit as long as you keep it private? Not so fast. This is one tin of spaghetti that fast turns into a can of worms.<\/p>\n<h3>The young woman, the chaplain and the hospital<\/h3>\n<p>Some privacy trainers tell a story about a young woman who was asked to fill in a form when she was admitted to hospital. One question on the form asks for her religion. Perhaps this information is important in medical care and she\u2019s been asked this question on forms before, so she dutifully fills in her religion as she always has.<\/p>\n<p>Why the question? This hospital uses the information to tell the hospital chaplain there\u2019s a patient who may appreciate a visit, but they don\u2019t tell the patient this.<\/p>\n<p>Small world \u2013 the hospital chaplain is a friend of the young woman\u2019s family. She is unmarried and is in hospital for a pregnancy-related issue. 
Her family doesn\u2019t know she\u2019s pregnant and she has no intention of telling them. Now, the young woman and the chaplain are in an awkward position.<\/p>\n<p>Apart from infringement of data use regulation, some might say the woman had free choice over whether to give the information, so the results are her responsibility. On the other hand, the trust patients place in hospitals is crucial to the hospital being able to achieve its purpose: To help patients get well.<\/p>\n<blockquote><p>Any organization that gathers personal information, whether they\u2019re out to make money, help people or save the world, needs trust to be effective. <\/p>\n<\/blockquote>\n<p>Can organizations live up to the trust customers need to place in them?<\/p>\n<h2><strong>Data recycling happens all too often<\/strong><\/h2>\n<p>Several incidents in which customers were surprised by how companies used or sold their data, given why they provided it, have hit headlines recently. Take, for example, the <a href=\"https:\/\/www.kaspersky.com\/blog\/36c3-period-apps\/32122\/\" target=\"_blank\" rel=\"noopener nofollow\">period-tracker app that fed customer data to Facebook<\/a>, where it was used to market products for expectant moms. One user found herself suddenly marketed to as though she were pregnant, when she\u2019d only forgotten to use the app to log her period. It\u2019s easy to imagine how this kind of sensitive information re-use could emotionally harm some customers.<\/p>\n<p>Uber settled a complaint to the Federal Trade Commission out of court when it was found <a href=\"https:\/\/nypost.com\/2017\/08\/15\/uber-settles-federal-probe-over-god-view-spy-software\/\" target=\"_blank\" rel=\"noopener nofollow\">employees had used the software\u2019s \u2018God View\u2019 function to track the movements of politicians, celebrities and even ex-partners<\/a>. 
Although Uber hadn\u2019t sanctioned these misuses, it had no effective processes to prevent them.<\/p>\n<blockquote><p>When caught recycling personal data, companies often say, \u201cwe didn\u2019t mean to.\u201d They may be truthful, but it keeps happening. <\/p>\n<\/blockquote>\n<p>Do companies, and their employees, understand their responsibilities in limiting how they use customer data?<\/p>\n<h2>Can you recycle personal data? What the law says<\/h2>\n<p><a href=\"https:\/\/gdpr-info.eu\/art-5-gdpr\/\" target=\"_blank\" rel=\"noopener nofollow\">GDPR is up front on purpose limitation being a core principle of data protection<\/a>. Article 5 section 1b outlines how personal data must only be collected when its use is specified and explicit. The data cannot be further used in ways that don\u2019t match the original purpose. There are exceptions for historic, scientific and statistical uses, and \u201c<a href=\"https:\/\/iapp.org\/news\/a\/on-the-death-of-purpose-limitation\/\" target=\"_blank\" rel=\"noopener nofollow\">if the legitimate interests of that controller or a third party override the interests of the data subject<\/a>.\u201d<\/p>\n<p>The European Commission gives guidance to <a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/reform\/rules-business-and-organisations\/principles-gdpr\/purpose-data-processing\/can-we-use-data-another-purpose_en\" target=\"_blank\" rel=\"noopener nofollow\">help organizations know if what they\u2019re planning to do with data is consistent or inconsistent with its purpose<\/a>. 
They suggest considering, for example, whether the <a href=\"https:\/\/www.criteo.com\/blog\/gdpr-sensitive-non-sensitive-data-distinction-difference\/\" target=\"_blank\" rel=\"noopener nofollow\">data is <\/a><a href=\"https:\/\/www.criteo.com\/blog\/gdpr-sensitive-non-sensitive-data-distinction-difference\/\" target=\"_blank\" rel=\"noopener nofollow\">sensitive <\/a><a href=\"https:\/\/www.criteo.com\/blog\/gdpr-sensitive-non-sensitive-data-distinction-difference\/\" target=\"_blank\" rel=\"noopener nofollow\">(including health information, political beliefs and more)<\/a> and how further use could affect the person who gave the data.<\/p>\n<p>While penalties for breaching the purpose limitation principle so far haven\u2019t been huge, there\u2019s been a steady stream of reputation-damaging prosecutions. Norway\u2019s data protection authority <a href=\"https:\/\/www.datatilsynet.no\/aktuelt\/aktuelle-nyheter-2020\/vedtak-om-overtredelsesgebyr-til-statens-vegvesen\/\" target=\"_blank\" rel=\"noopener nofollow\">fined the Norwegian Public Roads Administration the equivalent of 50,000 US dollars for using \u2018security\u2019 cameras to monitor contractors\u2019 work<\/a>. Breaching the principle with just one customer\u2019s data doesn\u2019t mean lesser fines \u2013 Spanish authorities <a href=\"https:\/\/gdprhub.eu\/index.php?title=AEPD_-_PS\/00076\/2020\" target=\"_blank\" rel=\"noopener nofollow\">fined bank Bankia the equivalent of 50,000 US dollars for retaining and reusing one customer\u2019s data 16 years after they\u2019d stopped being a customer<\/a>.<\/p>\n<p>When considering fines, regulators punish not for violation of principle, but for the consequences. For example, if companies don\u2019t comply with data processing purpose limitation, they may also violate other GDPR requirements, such as having a legitimate reason to process the data.<\/p>\n<p>It\u2019s not just Europe that has enshrined purpose limitation in data use law. 
California added a <a href=\"https:\/\/iapp.org\/news\/a\/what-does-the-ccpas-purpose-limitation-mean-for-businesses\" target=\"_blank\" rel=\"noopener nofollow\">purpose limitation clause to their California Consumer Privacy Act (CCPA)<\/a> in 2018. The clause says businesses must, before collecting personal information, inform consumers how it will be used and need consumer agreement to use the data for another purpose.<\/p>\n<h2>What do businesses do to meet purpose limitation obligations?<\/h2>\n<p>\u201cEvery organization processes different kinds of personal data, in different ways, for different purposes,\u201d says Kaspersky\u2019s Head of Data Protection and Privacy for Europe, Alexey Testsov. \u201cGDPR requires data controllers and processors keep records of what data the organization gathers, why they\u2019re gathering it and how long it\u2019s kept for. Alongside information auditing and data mapping, these records are vital in complying with purpose limitation responsibilities.<\/p>\n<p>\u201cEmployees must know how to collect, store and use personal data within the law. Given the high risks of data processing, it\u2019s more reliable to discuss changes in processes with a security officer or legal department. Employees should know how to consult internal experts and not be afraid to do so.\u201d<\/p>\n<p>Here are two examples of identified problems that can lead to failures to control data use purposes.<\/p>\n<h3>Systems to keep data separate<\/h3>\n<p>Effective safeguards to prevent any set of data being used for other purposes might have avoided some recent cases of data recycling. In the UK, the Information Commissioners\u2019 Office (ICO) fined a political campaigning organization and an insurance company 120,000 UK pounds (around 165,000 US dollars.) 
<a href=\"https:\/\/ico.org.uk\/media\/action-weve-taken\/2260271\/investigation-into-the-use-of-data-analytics-in-political-campaigns-final-20181105.pdf\" target=\"_blank\" rel=\"noopener nofollow\">The ICO found personal information given for political campaigning had been used to market insurance. It highlighted ineffective data protection systems<\/a> within the two organizations. \u201cSystems for segregating the personal data of insurance customers\u2019 from that of political subscribers\u2019 were ineffective.\u201d<\/p>\n<h3>Look for changes in how upgraded software uses data<\/h3>\n<blockquote><p>Data controllers and processors should keep in mind that incremental developments to software might lead to changes in how data is used, or \u2018function creep.\u2019 <\/p>\n<\/blockquote>\n<p>Hunter Nelson, President of Tortoise and Hare Software, says <a href=\"https:\/\/tortoiseandharesoftware.com\/blog\/gdpr-principles-purpose-limitation\/\" target=\"_blank\" rel=\"noopener nofollow\">software developers should realize the potential privacy impacts of \u2018function creep.\u2019<\/a> He advises, \u201cControllers and processors must use care when developing systems not to breach privacy law as new features are released. A process checkpoint should be included in the release to review new features with a privacy lens.\u201d<\/p>\n<p>Regardless of the privacy legislation your organization operates under, knowing the importance of purpose limitation will help you uphold high data privacy standards. Ensure that when you ask customers for personal information, they understand how you will use it. Put in place systems to ensure their data cannot be used for other purposes. 
These actions will show your respect for customers\u2019 privacy and help build the trust that every organization needs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You know you must keep your customers\u2019 data secure and limit who can see it, but many businesses are not up to speed on \u2018purpose limitation.\u2019<\/p>\n","protected":false},"author":2552,"featured_media":38939,"template":"","coauthors":[3673],"class_list":{"0":"post-38938","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-data-and-privacy","7":"emagazine-tag-gdpr","8":"emagazine-tag-regulation"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/data-collection-privacy\/38938\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/data-collection-privacy\/24319\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/data-collection-privacy\/22387\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/secure-futures-magazine\/data-collection-privacy\/21759\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/secure-futures-magazine\/data-collection-privacy\/17370\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/38938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2552"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/38939"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=38938"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/b
log\/wp-json\/wp\/v2\/coauthors?post=38938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}