One busy Wednesday afternoon, Nishreen Thaha, a 35-year-old housewife and entrepreneur, received a phone call from an insurance agent asking if she was interested in a tailor-made insurance programme.
At first, she politely declined. “[But] he kept insisting I should buy it,” she told Roar Media. Irritated, she asked him where he got her number from. In response, he hung up.
Incidents like these are far from uncommon. And it makes us wonder: how secure is our personal data?
Wherefrom, The Data?
Data takes various forms. Your educational history, in the hands of the country’s education department, or with your school, is a form of data. Your medical history, with your doctor, at hospitals or at a clinic, is also a form of data. But the most common of these is personal data—names, mobile phone numbers, email addresses and National Identity Card (NIC) numbers.
It is not easy to protect your personal data. The most basic transaction today requires you to part with some form of personal information, and promotions and loyalty programmes at stores and restaurants are notorious for data gathering.
Once data is collected, people become easy targets of unsolicited spam calls, messages and emails.
Even those who are careful about not giving out personal data are bombarded by unsolicited spam calls, emails and text messages.
“I am extra cautious when it comes to giving out my details, especially my phone number,” said Alaric de Silva, a real estate agent. “Despite this, there are over six to seven text messages and calls I receive every day.”
“It is selective selling of data,” Rohan Samarajiva, Chairman of the Information and Communication Technology Agency (ICTA) told Roar Media, explaining that personal data can be a valuable commodity for vendors, especially as a ‘secondary market’ in e-commerce and the telecommunications sector.
Explaining that vendors did not give out detailed, but part information, he said, “If, for instance, a university is trying to market their IT course, they get in touch with data processing vendors and ask for [relevant] data. This includes the mobile numbers of people of a particular age group and shared interest (based on internet feeds and search history). Once they have narrowed down a group of people who meet all the requirements, they send the relevant message to those numbers only.”
But many people are still unaware of how personal data is used—and often abused—by third parties. A watershed moment in the publics’ understanding of personal data was the Facebook and Cambridge Analytica data breach, which harvested the personal data of millions of Facebook profiles without consent and used for purposes of political advertising—sparking a debate on the ethical boundaries of data collection and protection.
Protecting Your Personal Data
Samarajiva explained that the need for data comes primarily from two sectors. “This is the government and the private sector. When the government asks for data, we have to comply,” he said, explaining, however, that the government usually has special safeguards in place—in the form of protection laws—in the public interest.
But the option of not giving out personal information to the private sector is available to the public. “All we need to do is ask what they need it for and if it is absolutely necessary for them to have it,” Samarajiva said.
Ayomi Aluwihare, a lawyer and partner in a leading law firm in Colombo, said it was becoming increasingly important to protect personal data. “It is all over the place,” she said, explaining how commonplace it was for merchants to ask consumers for their mobile phone number, email address and even NIC number. “Your ID, in particular, has a lot of data linked to various information, like your bank details,” she said. “That is a lot of information floating around that can be misused.”
Laws relating to the protection of personal data are non-existent, Aluwihare further explained. “[While] the Constitution guarantees the protection of the Fundamental Rights of people, there is no explicit law that speaks of data protection.” She explained, however, that Sri Lanka’s Right to Information Act empowers public officials to disclose information requested by a citizen, while provisions of the Electronic Transactions Act give electronic documents legal recognition in the form of data messages, electronic records, documents and other communications.
Nevertheless, Ayomi feels it is necessary for Sri Lanka to enact laws on data protection soon. “There are talks of a draft [for personal data protection laws], but no one has seen it yet,” she said.
Changing The System
While—in the absence of specific data protection laws—people are struggling to protect their personal data from being abused, there are some institutions trying to make a difference. The Ampara General Hospital has implemented a system that protects a patient’s personal information from being stolen. Every patient is given a number that translates into a barcode, against which their medical history is recorded. Thereafter, all the doctors need to access the patient’s medical history is that barcode.
The patient is also no longer required to take his prescription along with him when he visits the Ampara General Hospital pharmacy as the information would have already been updated on the system. Earlier this year, e-health cards were also introduced to Sri Lanka, capable of storing patient records accessible to any doctor in any part of the country, to enable a faster and more streamlined medical process.
But even as strides are being made in this sector, the core question of the ethics of data mining remains unanswered. Brittany Kaiser, a former director of business development at Cambridge Analytica argue that if indeed, privacy is dead, digital consumers, should have the right to profit from it, at the very least.
“Privacy doesn’t exist in a post-Facebook crisis era,” Kaiser said, at the Bloomberg Sooner Than You Think summit in Singapore last year. “The digital assets that you produce every day are your own human value. You should be able to own them and you should be able to share in the monetization of that.” She hopes that in the future there will be systems created that will enable people to trade, store and trace and personal data, and is herself is working on similar solutions. In the absence of concrete laws to protect personal data, perhaps this is truly the solution to even our local conundrum.