In recent years, you might have been forgiven for thinking that our personal data problems have been largely sorted.
Terms like “GDPR” and “Data Protection Commissioner” are now in our national daily discourse. No-one can misuse sensitive personal information about us anymore, right?
If only it was so straightforward.
Organisations, from big-tech companies to public bodies to small firms, still hold vast swathes of information about who you are, what you do, who you love and how you go about your business. And they don’t always treat our data the way we imagine they might.
In recent days, Irish Independent journalists have been documenting some of their own stories. Some seem minor enough, such as public affairs correspondent Amy Molloy’s discovery that her ancient parking fines are being kept in storage by her local council. Or my own publicly documented struggles to persuade a betting company, LiveScore, to delete my personal details from its system.
But others remind us more of why personal data provenance can be pivotal in key moments of our lives. Head of News Kevin Doyle discovered that there had been a row between his solicitor and his mortgage bank over the deeds of his house.
While the issue was resolved, such matters can easily get out of hand. In 2020, the State’s biggest financial credit rating body mixed up the sensitive credit scores of over 15,000 people which threatened the credit ratings of all involved. It only came to light in exchanges with the Data Protection Commissioner. An incorrect credit rating can mean people being wrongly turned down for a mortgage, loan or overdraft facility.
The year before that, the Financial Services and Pensions Ombudsman awarded compensation of €15,000 to an individual when a lender failed to update that person’s Irish Credit Bureau rating to show that a debt had been cleared.
We all have some experience of this kind of thing happening. When I applied for a mortgage in 2016, the bank mistakenly sent me a completed application form from someone else, with his name, address, salary details and other data filled out.
While I deleted the document and informed the bank of its error, I did wonder whether the other person was informed of the gross mishandling of such personal information. (I got the mortgage, though.)
In many cases, we accept some of this as the toll of living in a messy, imperfect world. Who hasn’t called out their credit card details over the phone to a small business vendor who doesn’t have the ecommerce facility to do it securely? Who hasn’t texted, WhatsApped or Gmailed about a sensitive work-related matter that probably should be kept within more secure, controlled apps? In such cases, we often have an inkling of the risks involved, but choose to do it anyway to speed up the tasks of daily life.
But it’s also true that today’s laws and regulations, as framed, have sometimes let us down. Despite GDPR and the rest, privacy rules can be terrible at tackling what they’re supposed to.
The introduction of “cookie consent” banners on websites was hailed as a victory for privacy. But how many times, daily, do you automatically just click “accept all” on the tracking cookies request just to get to the website’s actual content? Rejecting the tracking cookies almost always takes more clicks than consenting to them.
This is quite a facepalm for lawmakers and regulators, giving us the worst of all worlds – irritation at having to click endless consent banners and little difference to the infection of trackers that trade big chunks of our personal data.
So what can you do if you want to check what sort of information companies, state bodies and everyday services have on you? The easiest and quickest way is through a GDPR process known as a “subject access request”.
Basically, you’re allowed to ask any organisation what kind of personal data they hold about you. It’s less tricky, and arguably a little more comprehensive, than a “freedom of information” request.
Such a request looks something like this: “I wish to make an access request under Article 15 of the General Data Protection Regulation for a copy of any information you keep about me.”
The company or organisation you’re asking this of may come back to you to ask for any specifics you’re looking for. But they’re not allowed to make you jump through hoops to justify yourself. A subject access request is a recognised GDPR right that is part of Irish law.
You can ask this of almost any entity, from your local car garage to your bank to a political party to Netflix.
It’s your right to know what they are documenting about you.