News/Legal UpdatesLatest Legal Developments

5 Data Privacy Tips for #DataPrivacyDay2020

January 28, 2020
Related Attorneys
5 Data Privacy Tips for #DataPrivacyDay2020

By Sean McWeeney Jr.

Nassau, The Bahamas – In recognition of International Data Privacy Day, we would like to share with you five valuable data privacy tips to help you protect your personal information.

Tip 1: Use a Virtual Private Network

From a data protection and cybersecurity standpoint, the Internet can be a hazardous space. Surfing the web has become inherently unsafe as you instantly expose yourself to potential malware, phishing, identity theft, hacking, drive-by downloads and the storage of unwanted cookies that can track your online activity. One can minimise these threats by using a Virtual Private Network (VPN). VPNs enable you to connect securely to the Internet by virtually anonymizing your Internet Protocol (IP) address while simultaneously encrypting your data – thus, hiding your identity and location. VPNs are legal in The Bahamas and are often used by companies within industries that are under the constant threat of cyberattacks (e.g. law firms, accountancy firms, banks, etc.) and consequently require an extra layer of cybersecurity.

Tip 2: Review your smartphone settings

The smartphone has become a ubiquitous object. For many of us, our smartphones have replaced fixed telephones, cameras, flash drives, computers, calculators, alarm clocks, calendars, and notepads (just to name a few). Amidst the rapid pace of technological innovation and the dizzying amount of apps being released, the smartphone user must also be cognizant of the privacy features and settings of their respective phones as downloading third-party apps can pose a unique cybersecurity threat and put your data at risk. Most smartphones today run on either Apple’s iOS or Google’s Android platform which both feature settings that the user can either enable or disable to reduce chances of a data incident.

A few security features you will want to enable include:

  • A strong passcode (between 4 and 6 digits) known only to you to unlock your phone.
  • Two-factor authentication (which provides an extra layer of security when accessing private settings and apps, especially for cloud storage and electronic mail).
  • Do-not-track (which allows the smartphone user to opt-out of being tracked by websites visited through the smartphone’s Internet browser).
  • Device auto-lock for a period of less than 1 minute (so as to minimise the risk of someone accessing your phone without your permission once you set it down somewhere).
  • Automatic “wiping” of phone after failed unlock attempts (this feature will erase all of the data you have stored on your phone in the event that the passcode has been incorrectly entered a pre-determined number of times – a very useful feature for those persons who have sensitive work data or electronic mail stored on their phones).

Smartphone users will also want to regularly update their devices as soon as the platform offers the option to do so. These software updates usually contain phone security upgrades or patches. Any delay in updating your phone leaves your data more vulnerable to security flaws and the risk that your data could be unlawfully accessed.

Tip 3: Read the Ts & Cs

How many times have you visited a website or app and read through the privacy policy or terms and conditions? This will spell out the type of data the company will be collecting from you as you browse the page or app. Most websites now will ask the visitor whether they agree or disagree to having cookies collected while using the site or service. It is also common to display an ‘agree and continue’ or ‘exit’ option. Take the time to read, review and familiarize yourself with the policies of the websites or apps you visit with as there is usually legal information contained within them that could place you at a disadvantage in the event that you later wish to make a legal claim. Some of the items included in a typical privacy policy or terms and conditions include:

  • The governing data protection laws for the agreement to use the website.
  • Any third-party service providers that will have access to analytics derived from the website.
  • Contact details for the organisation if there is a complaint or query.
  • Who has access to the data.
  • What kind of data will be collected.
  • What is done with the data.
  • How long the collected data will be held.
  • Rights of the visitor.

Tip 4: Beware of sharing sensitive personal data

It cannot be emphasised enough how valuable our personal data is to marketers and the like. In the 21st century, the astronomical rise of electronic commerce has driven many businesses, advertisers and marketers to monitor and analyse the online activities of users to track their shopping habits and preferences with a view to targeting specific demographics for various products based on the data collected. Many privacy advocates around the world have raised concerns with regard to the collection, processing, dissemination, and in some cases, the sale of data for marketing purposes. These concerns have placed increasing pressure on governments worldwide to further regulate the extent to which data can be collected on the individual. This, in turn, has resulted in sweeping data protection reforms over the past five years – particularly in Europe, China and the United States.

The Bahamas offers robust data protection laws and has defined personal data as outlined below.

  • Personal data under the Data Protection (Privacy of Personal Information) Act (Ch. 324A) includes:
    • Any data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of a data controller (typically a business or agency).
  • Sensitive personal data under the Data Protection Act relates to:
    • Racial origin.
    • Political opinions or religious or other beliefs.
    • Physical or mental health.
    • Trade union involvement or activities.
    • Sexual life.,
    • Criminal convictions, the commission or alleged commission of any offence, or any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings.
  • Globally, biometric data is often classified as sensitive personal data, including:
    • Facial recognition.
    • Voice recognition.
    • Fingerprint recognition.
    • Iris / retina recognition.

If you find yourself on a website or app that is asking you to fill out a form, survey or response involving the submission of information that is sensitive in nature, question the legitimacy of the source and be cognizant of the fact that this data can be used to build a data profile on your habits. If you are unsure of or cannot confirm the legitimacy of the source or why the information is needed, ask! Similarly, be careful when sharing such information on your social media profiles. Also, be circumspect and cautious in granting permission through your computer or mobile device to access your webcam, fingerprint reader, or microphone.

Tip 5: Know your rights and obligations

Though often overlooked by both business owners and consumers alike, familiarizing oneself with the rights, privileges and obligations that one is entitled to is the most important step in protecting your data, reputation and business.

For business owners and corporations:

  • Do not ignore customer data leaks. Develop an internal crisis management plan with a knowledgeable attorney to ensure that you have a strategy for remediation. Call an attorney immediately after noticing suspicious activity or if you suspect a cyberattack or leak has occurred.
  • Craft an internal and external data protection policy with an attorney so your employees have a better understanding of data protection best practices and for your customers or clients to know how their data is being used and processed.
  • Use adequate safeguards to protect any data that you hold on any customer (be it electronic or in paper form). Indeed, you have a statutory obligation to do so!
  • Follow global privacy incidents in the news and note emerging trends to keep new cyberthreats on your radar.
  • Speak with an Information Technology expert with regard to how you can improve your existing cybersecurity framework to reduce the risk of a cyberattack.
  • If you have a website where you offer a product or service, ensure that you regularly update your privacy policy in order to comply with the privacy laws of The Bahamas in addition to global data protection laws such as the European Union’s General Data Protection Regulation (which extends to EU citizens and is applicable to them extraterritorially).
  • Consider assigning a Data Protection Officer (DPO) for your business whose job it would be to implement various data protection strategies and to serve as the point of contact for data inquiries.
  • Understand that the business, as a data controller, has a statutory duty of care to its customer’s or client’s data. The statutory duties for data controllers under the Data Protection Act include:
    • Lawful and fair collection of data.
    • Keeping data accurate and up-to-date.
    • Only keeping data for one or more specified or lawful purposes.
    • Not using or disclosing data in a matter that is incompatible with the purpose for collecting the data.
    • Making sure that the data is adequate, relevant and not excessive in relation to the purpose of collecting the data.
    • Not keeping data for a longer period of time than is necessary (subject to exceptions).
    • Using adequate security measures to prevent unauthorised access, alteration, disclosure or destruction of data, or accidental loss or destruction of data.

For consumers/clients:

  • Familiarise yourself with local data protection regulation. Data protection and cybersecurity are covered under:
    • The Data Protection (Privacy of Personal Information) Act (Ch. 324A).
    • Computer Misuse Act (Ch. 107A).
    • Electronic Communications and Transactions Act (Ch. 337A).
    • Banks and Trust Companies Regulations Act (Ch. 316), in relation to banking and trust matters.
    • The common law duty of confidentiality.
  • Your attorney will be able to provide guidance where you have any specific concerns about the way in which your data has been handled and will advise you on your options.
  • Some of your rights include:
    • Right of access to your data (with exceptions) via a written request.
    • Right of rectification or erasure of your data (with exceptions).
    • Right to prohibit processing of your data for the purpose of direct marketing.

Sean McWeeney Jr. is an Associate in the firm’s Financial Services, Private Client, Trusts and Estates Practice Group.