Law and Technology

Securing Personal Data: The Data Subject’s Responsibilities and Rights – Adeyemi O. Owoade

When we walk on sand, lands and in the air, we leave footprints that don’t last long before they are wiped away. The walk on the internet leaves footprints that are hard to clear. These footprints are not just ordinary things but expensive information.These footprints are called Personal Data. According to the extant Data protection regulations in the different jurisdictions of the world, Personal data includes all information that identifies and is peculiar to a person.
Personal data include but not limited to the following :

  1. Names, Date of birth, gender, relationship status, nationality, ID number and location data
  2. Online Identifiers such as email,social media posts, IP address, Mac addresses, SIM etc
  3. Bank Information such as pin, cvv, card number etc.
  4. Personal Pictures and videos
  5. All information specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. These may consists of walking style, religious beliefs, voice, style of doing things, patterns, habits etc.

In addition to the above are data that relates to the personal data i.e. information that indirectly relate to a person. All these are expected to be protected by the Data Controllers (Any Organization that collects these data from Persons). This is the aim of the different Data Protection regulations.

However, we data subjects have roles to play. We can decide in whose hands our data goes. I mean guarding and watching our steps online. (whether we like it or not our personal data will still be processed online for one important reason or the other).

Should we now share data anyhow because we know there’s General Data Protection Regulations of EU, Nigeria Data Protection Regulation and others? Of course no.

Data Subjects Responsibilities/ Cybersecurity Tips

1. Never share personal data on an unsecured sites. Sites without the padlock sign or site with HTTP without S behind it
2. Don’t insert important data on sites you personally don’t trust. Trust your instincts.
3. Don’t be too open on social media platforms. I mean practice a little bit of privacy. You don’t need to talk about everything in your life.
4. Secure your passwords, don’t just write it on paper and don’t use weak passwords. Check out my pinned tweet for more on that.
5. Browse on incognito mode while using external Wi-Fi or use a trusted VPN to stay secure.
6. Stay away from Apps from untrusted sources.
7. Don’t just click on every link you see. Read my thread on demystifying fraudulent URL
8. Update your Apps and use genuine antivirus
9. I know this is hard don’t allow strange flash drive into your PC.
10. Don’t leave your mobile devices in an untrusted hands locked or unlocked.
11. If you discover your device is operating itself. Talk to the IT guys as fast as possible.
12. Just like 2 above, never put your data on a site that your browser has warned you of its insecurity. You should not even go there as such may expose you to attack.
13. Control your cookies settings in your browser. Don’t just agree to any user policy of apps or sites. Read Victoria Adaramola’s article on this Before You Agree

I always like to say that you should use your common sense online. Before you post your personal life issues, ask yourself is this necessary. All those personal stories carries your data which can be used against you later.

Note that this post is not to be taken as a professional advice. Also it is not in anyway reducing the responsibilities of Data processors and controllers in securing personal data.

Personal Data Rights
Since we are well aware of our personal data, it is necessary we know what rights the data protection regulations provide us. I will look at the major rights provided by the European Union’s General Data Protection Regulation (GDPR), Nigeria Data Protection Regulation (NDPR) and California Consumer Privacy Act (CCPA).
If you are giving out your data to a company, agencies or even Non Governmental Organizations(NGOs), the data protection regulations recognize the fact that your data is just you and as you have certain inalienable rights so also your personal data. In essence your data is you going where you can’t go.

Let’s look at these rights in seriatim

  1. Right to be informed
    Most data protection regulations (I know of GDPR, CCPA & NDPR) provides that the data subject has a right to be informed of what data is collected, what it is used for and how such will be processed. The data controllers cannot collect or process data contrary to the information given to the data subject.
    Also, if a third party will have access to the personal data, the data subject must be informed. In essence you must know how your data is being processed.
  2. Right to Erasure
    This is also called the right to be forgotten. It means you can request that your data in the hands of the data controllers, processors and third parties be pulled away from the internet and deleted.
    There are exemptions to this right
    Exemptions to right to erasure includes:
    I. Where such erasure infringes Freedom of expression
    II. Research purposes e.g. health research
    III. In compliance with legal obligation
    IV. Establishment and defense of legal claims
  3. Right to object / opt-out
    Data subjects can oppose the use of their data partially or totally. This can come in withdrawal of consent or objecting to use of data for direct marketing .
    In fact the CCPA provides that business must provide a link caption “Do not sell my personal information “. In essence consumers have right to opt-out from the selling of their personal information.
    GDPR only provides that data subjects can oppose the processing of data unless data controllers can demonstrate that such is legitimate. It is silent on restriction of selling of data.
  4. Right to Access
    Data subjects can request to have access to all personal data the data controllers hold about them. Whether such was freely given, obtained or generated in the course of transactions or modified version of the one freely given.
    In answering, data controllers must state the categories of data, the purposes of the processing, recipients of such data(third parties) and sources from which those data were generated.
  5. Right to Rectification
    Data Subjects can request that errors in their personal data be rectified by the data controllers. Request can be made orally or in writing.
    Available in both GDPR & NDPR.
    Not provided by CCPA
  6. Right to Data portability
    Both GDPR and NDPR provide explicitly that data subjects can request that their data be given to them in a written or electronic format. It allows them to copy or move such data to be used in other services.
    CCPA group this under Right to access.
  7. Right to Restrict Data Processing
    Data subjects can decide to restrict the way their data is being processed or used. It is not absolute but applicable in certain situations. Data controllers can still keep the data.
    GDPR & NDPR provides for such. Not applicable in CCPA
  8. Rights related to automated related decision making and profiling
    Both GDPR & NDPR impliedly provides for data subjects to know and restrict automated decision being made through their data.
    CCPA is silent on this.

Note that all the personal data rights are applicable to data collected on hard copy forms as well as online. So data collected during medical consultation, financial analysis etc are covered. It is easy to assume that data rights only covered data submitted online, this is a wrong assumption. Data protection also covers orally delivered data also.

Now, that you know your personal data rights, you can take action for any breach of your data. Remember, only give out data when important. Data protection cannot enforce your right where you give it to a Con Artist.7

Keep staying safe online!
(This article was collated from two different threads by the author on Twitter on June 12 and 26, 2020. The author does a bi-weekly thread on cyber security and data protection issues on twitter.)

About the Author
Adeyemi O. Owoade
Adeyemi is a Lagos based lawyer interested in Technology law with keen interest in Cybersecurity and Data Protection Regulations.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: