Safety of your personal data
View(s):
How safe is your personal data at a time when the authorities are seeking to access your personal information for various national reasons? What happens if it gets into the wrong hands? In such a situation, is your life at risk?Some years back, supporters of a politician seeking election to a local body visited the home of a journalist colleague to distribute propaganda material. Instead of simply handing over the material, they sought various information from the chief householder as to how many people are abroad and what they were doing. The journalist colleague wisely ‘chased’ them away realising that they had no right to this information and that they may have wanted this information to resort to vote impersonation.
As I pondered over these issues, the phone at home rang. Calling on this Thursday morning was Arty, the intrepid entrepreneur.
“Good morning, officers from the Census and Statistics Department came home and gathered data, more than on previous occasions, for the purpose of the national census,” he said.
“That’s right, this time their information collection has ventured into even asking about members of the household who were abroad and what they do, in addition to other information, not merely sticking to the routine names in the household, addresses, etc.,” I said.
“Is our information secure? What happens if it gets into the wrong hands,” he asked.
One of the biggest breaches of valuable and sensitive information happened in late 2021 when the National Medicines Regulatory Authority’s data was ‘stolen’. The authorities are still investigating this data breach.
I realised that these were questions that needed to be posed to a cyber security specialist. I then reached out to Sujit Christy, President Circulo de CISO Cybersecurity and Cyber Safety Professional, who I hadn’t spoken to for a while.
Surprised at my call and happy to reconnect and responding to the question of whether data collected by the Census Department is safe, he said the question lies in between the data collected by the officer by writing it down on a paper and then transferring it to a computer. Can someone copy this data before it is entered into a computer? In fact, to allay fears over personal data collection, the Census Department has assured the public not to worry over this issue.
He said sensitive data is privileged information. For example, if data of a person’s blood group is collected, if it gets into the wrong hands it can be the target of someone wanting that blood group for an operation. Such information can be sold to data brokers for marketing purposes.
Then in collecting data digitally, where is this data stored, who has access to it? Sometime back, when the Police had an app for public use, there were many issues about the safety and security of this information.
He said once there was a breach of data in the US pertaining to solar panels and a rival country secured this data and sold cheaper solar panels.
“We need a governance framework as to how data is collected, how it is stored and if there is a breach, what steps will be taken,” he said, adding that there should be data protection officers at multiple institutions like Immigration and Customs.
Around 2021-22, an ‘Information and Cyber Security Policy for Government Organisations’ was formulated by Sri Lanka CERT (Sri Lanka Computer Emergency Readiness Team).
It said that many government organisations in Sri Lanka now depend on the reliable functioning of digital systems and infrastructure. Malicious actors, however, can exploit these digital systems to cause harm such as theft of sensitive information, disruption of day-to-day operations, damage to the reputation of organisations which, in turn, can lead to the loss of public trust and confidence in government systems and place the nation’s security, economy, safety and well-being at risk.
This Information and Cyber Security Policy was developed for use by state agencies in order to protect their digital systems and resources from various cyber security threats. It said all government organisations that are defined as public authorities in the Right to Information Act No 12 of 2016, are required to comply with the policy statements outlined in this document. “Heads of organisations are required to understand the content of the policy, provide leadership to the implementation of the policy and assume ultimate accountability and responsibility for the organisation’s information security activities and staff,” it said.
The objectives of the policy are to establish a governance framework at organisational level to direct and control the activities in relation to information and cyber security and strengthen government organisations’ resilience to information and cyber security events by mandating security standards, rules and processes related to the design, implementation, use and operations of information, systems and digital infrastructure.
The organisation shall establish an information security organisational structure to execute, direct and manage information security activities of the organisation and to protect the organisation against information and cyber security breaches, intrusions and interruptions, the policy said.
These departments were required to appoint a Chief Innovation Officer (CIO) who shall be trained and assigned responsibilities to take appropriate steps to protect information and other IT assets and to ensure the continuity of the business operations of the organisation, the policy enunciated.
Whew!! From the data breach scenario I walked into the kitchen to fetch my second mug of tea and as per the routine, looked out of the window where the trio had gathered under the margosa tree for their weekly ‘gossip’.
“Mae davas wala godak puvath thiyenawa pita ratin gena car-gena (There is a lot of news about the import of cars),” said Serapina. “Sancharaka anshayey weda karana magey massina kar-ekak ganna balanawa mokada eya guide kenek ney (My brother-in-law working in the tourism industry also wants to buy a car as he is a guide),” added Mabel Rasthiyadu. “Kar wala mila hari adikai. Dara ganna bae (The cars seem to be very expensive and not affordable),” said Kussi Amma Sera.
Winding up my column, I am still not convinced that the personal data collection in Sri Lanka is safe and secure. For that matter, I am not even sure whether state officers understand (unlike the private sector) what a data breach is. For example, is there an auditable trail on who has accessed this data and which party was authorised to access this data? On the other hand, personal data is freely shared on social media, so much so that Google and other platforms are able to create individual profiles of our interest in food, entertainment, etc. The danger is if someone gets their hands on an individual’s bank details or blood group. That would be a disaster!
Hitad.lk has you covered with quality used or brand new cars for sale that are budget friendly yet reliable! Now is the time to sell your old ride for something more attractive to today's modern automotive market demands. Browse through our selection of affordable options now on Hitad.lk before deciding on what will work best for you!