Keeping consumer data private
THE BUSINESSWISE column titled “Bank Customer Feels Naked and Exposed” published on February 3, 2019, triggered a flood of responses from members or the public who fear being stripped of their right to privacy by the catch-all nature of the Bank of Jamaica’s anti-money laundering and anti-terrorism regulatory guidelines.
Here are just eight of the responses, most of which were shared publicly via social media:
I asked a bank the other day to sign an NDA [non-disclosure agreement] before I shared the requested private financial data on my company. They told me they aren’t required to do so. Fine and all, but what guarantees do I have that this will not end up in the wrong hands?
I continue to receive alerts every single time some other person with a similar name as mine uses their ATM card for a withdrawal or transaction despite my requests to stop it.
A representative from the bank called to ‘verify’ some professional information on my LinkedIn profile. This wasn’t even my personal banking officer. I am not a new customer. I was not seeking a loan. I was shocked and disgusted that they could be so intrusive.
I submitted my Jamaican passport & driver’s licence as proof of identification and the bank asked for my naturalisation certificate as well. How come?
Keep in mind, data is the new oil … that data the banks are collecting is worth a lot.
Banks send me other people’s card use by text & have sent my hard copy confidential mail to random addresses despite numerous applications for a change of address. Why am I so powerless?
I’ve been trying to change the home address my confidential statements are sent to from XYZ bank since 2012. I have gone into the bank. I have sent secure messages. I have called by phone. I have GIVEN UP. #Powerless.
Heard a story about someone sharing a business plan with a local bank for funding & have it rejected only to see it pop up elsewhere. Is it really a safe space?
ARROGANT AND DISMISSIVE
There are several other very damning responses, which I received but was asked to keep confidential. Interestingly, I only recently experienced a bank sending my confidential financial information electronically to an unauthorised email address without my permission.
What was most distressing is that the bank’s response to this breach of fiduciary responsibility has been consistent with reports from other customers – nonchalant, arrogant, and even dismissive.
There is no doubt that the concerns which have emerged with respect to this issue strike at the very heart of democratic principles and values. In a democracy, citizens are entitled to several basic rights and freedoms.
Some of these entrenched rights are also internationally recognised as human rights.
The question as to whether some banking customers’ fundamental right to privacy under the Jamaican Constitution is being encroached on by the catch-all nature of the BOJ’s regulations in question, and critically, the unrestricted exploitation of same by several financial institutions, is a matter of paramount importance that demands public scrutiny and legislative attention.
In older democracies where the mere semblance of the aforementioned issues has arisen, the State has affirmed its respect for the fundamental rights of citizens by enacting various data-privacy pieces of legislations, especially in relation to financial and medical data.
SAFEGUARDS AGAINST ABUSE
In fact, to ensure far-reaching protection, data-privacy laws tend to be applicable to not just regulated entities, but, generally, to any organisation that collects a customer’s first and last name and/or middle initials in combination with other data such as: Social security or taxpayer registration; Driver’s licence, passport, or any government-issued ID;
Financial account or credit or debit card number in combination with any password or access code;
Medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or
An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
Privacy statutes have both proactive and reactive measures meant to prevent wanton access to citizens’ private data and appropriate security controls to limit access and remedy breaches.
Data acquisition, maintenance, storage, use, and even destruction are commonly covered under data privacy and protection statutes. In many countries, breaches are criminal, and notifications of suspected breaches must be sent to the regulator and directly to the attorney general or director of public prosecutions.
Typically, these notices must be accompanied by a synopsis of the events surrounding the breach, the number of parties affected, a copy of the notice sent to affected individuals or an explanation as to why such notice was not provided, a police report, a computer forensics report, policies in place regarding breaches, and steps that have been taken to rectify the breach.
According to the JIS website, “the Data Protection Act, which is currently being reviewed by a Joint Select Committee of Parliament, will safeguard the privacy of individuals in relation to personal data as well as govern the collection, regulation, processing, keeping, use, and disclosure of certain information in physical or electronic form.”
Such protection cannot come soon enough for the Jamaican public.
One love! Yaneek Page is an entrepreneur and trainer and creator/ executive producer of The Innovators TV series. Email: info@yaneekpage. com. Twitter: @yaneekpage. Website: www. yaneekpage.com