Personal Data Security

An average person will have his or her data scattered over hundreds to thousands of company and government files. Everybody should be assured that their personal data are properly secured. Poor security can lead to a data leak and subsequently to misuse of the data, for example for identity fraud.

Data Leaks
A data leak occurs when personal data are accessed, destroyed, altered, or released without an intention of the organization to do so. In other words, a data leak not only includes a release (leaking) of data, but also the unlawful processing of data.

Security Measures
In order to prevent data leaks, companies and government agencies using personal data have an obligation under the Personal Data Protection Act BES (PDPA BES) to secure those data. The PDPA BES provides that they must take adequate technical and organizational measures to achieve this.
This means that organizations must use modern technologies to secure personal data, and that they should not only consider the technology, but also the way in which they, as an organization, deal with personal data, e.g. who has access to which data?
Organizations planning to collect personal data should think in advance about the security of such data. In addition, personal data security should receive an organization’s permanent attention.

What should an organization do to secure my personal data?

Any organization, e.g. a web store where you bought something, that has your personal data has an obligation to take adequate measures to protect those data.

Not using more data than necessary
The organization should make sure that it does not collect and further use more personal data than are truly necessary. As an example, the organization should remove your name and other identifying features from your data whenever possible. Also, an organization very often does not need all your personal data for a specific purpose, such as sending a bill.

Restricting access to data
Likewise, the organization should restrict access to your personal data. The more people have access to the data, the greater the chance of misuse. Healthcare institutions such as hospitals, for example, should make sure that only authorized staff have access to digital patient files.

Using modern security technology
The organization should secure your personal data in accordance with the state of technological development. This means that the organization should not use outdated technology to secure your data. This will give hackers, for example, little or no opportunity to gain access to your personal data.

What should I pay attention to when providing my data to organizations online?

Sometimes, a website will require you to log in or enter personal information. This may happen when you use internet banking, an auction site, or a web store, for example. If you want to send sensitive data, such as your credit card information, it is important to use a secure internet connection. If your internet connection is secure, you will see “https://” in your browser address bar instead of the normal “http://”.

Want to know more? Check out the 10 tips for safe internet use on the website of the National Anti-Terrorism and Security Coordinator.

Is an organization allowed to use my data to test an information system?

No, this is not allowed. An organization that has your personal data cannot use those data for any other purpose. Testing information systems is only allowed with fictitious (made-up) data or with low-risk personal data, such as public data from public websites.

What can I do if I have a question or complaint about the security of my personal data as provided by an organization?

You should always address your questions or complaints to the organization itself first. If you have a complaint which the organization fails to handle to your satisfaction, there are follow-up actions you can take.