How safe is your personal information?

Very few people bother to read the lengthy legal documents when signing a new cellular contract, opening a bank account or signing up for a new email address.

The so-called fine print usually runs nto several pages, and the terms and conditions pertaining to the collection and use of our private information are becoming increasingly important as artificial intelligence (AI) and digital algorithms develop.

Everybody accepts, without question, that AI fixes our spelling mistakes while we type or suggests which movie we should watch on the weekend. We might also allow our wristbands to tell us how far to walk or applications on our smartphones to check what we eat, or when a guest house in Stellenbosch is offering special rates because we visited the area a few months ago.

Give a room full of computers the right to collect and share enough personal information, and very soon the refrigerator will be telling your medical aid that you drink more than the six beers per week you noted in your application. Your laptop might also refuse to order any more cheesecake without permission from the bathroom scale.

All of this hinges on the premise that we allow a wide range of companies to collect, store, analyse and use the data they gather on us.

What we’re clicking – or signing – away

A quick look at the personal data policies of companies that deal in information, which is just about all companies, shows what clicking on ‘Agree’ or signing a piece of paper entitles them to do.

So what may they collect? In a word, everything.

What can they use it for? Anything.

Standard Bank’s policy with regards to its clients’ personal information illustrates this.

Once accepted by a client, Standard Bank’s terms and conditions allow it to collect “information including but not limited to information about race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical and mental health, well-being, disability …”

It goes on: “religion, conscience, belief, culture, language, birth, education, medical, financial, criminal, employment history, any identifying number, location, any online identifier, any other particular assignment to the person, biometric information, account related information, personal opinions, views or preferences of the person, views or opinions of another individual about the person …”

‘Implicitly or explicitly’ private or confidential

And it doesn’t stop there: “correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, further information that would reveal the contents of the original correspondence and the name of the person if it appears with other personal information or if the disclosure of the name itself would reveal information about the person.”

Nedbank opts for more polite, but vague, language. Its privacy policy lists the obvious things it seeks to collect, such as name, identity number, address and contact details, but adds the disclaimer “but not limited to” which effectively opens the door to almost everything.

In addition, disclosures about what companies are allowed to do with the data are defined in quite broad terms. For instance, MTN says in its service agreement that it uses personal information “to perform statistical analysis of user behaviour and characteristics in order to measure interest in and use of various services”.

‘We give your details to others, and we’re not responsible for what they do with it … ‘

MTN also discloses that it may sometimes permit third parties to offer subscription-based services through an MTN platform. It then says that: “MTN is not responsible for any actions or policies of such third parties and users should check the applicable privacy policy of such parties.”

Wendy Tembedza, senior associate at Webber Wentzel, is an expert on the legal issues regarding the collection and use of personal information. She says that companies tend to have an extensive list of personal information that they can collect, store and analyse in terms of the agreements they have with their clients and customers.

“The agreements will also usually include a long list of different ways in which the company can use the personal information collected.

Companies are becoming more mindful

“But there is a definite trend towards ensuring privacy of information, as we see an increasing number of companies being more mindful and intentional about the type of personal information that they collect from their clients and customers,” says Tembedza.

Privacy and protection of personal information is dealt with in various pieces of legislation but will be comprehensively regulated by the Protection of Personal Information Act of 2013.

This act, which regulates the collection and use of personal information, is very much in line with similar legislation in the rest of the world, says Tembedza. “Unfortunately, the provisions in the act that create compliance obligations for companies that collect and use personal information are not yet in force.”

It is likely that the act will eventually make provision for sector-specific data processing requirements and possible exemptions – for example, the manner in which a retailer and a bank will be allowed to store and collect personal data will be different.

Limitations

“The act will allow companies to only collect data that is needed – in other words, not excessive – for the specific contract or service or a particular transaction,” explains Tembedza.

“Firms will also only be allowed to keep the data for as long as deemed necessary in order to achieve the purpose for which it was collected.”

In terms of this legislation, companies will have to justify what data they collect and that its collection is really necessary. The act will prescribe criteria to justify specifically what data firms collect and how they use it.

The act also makes provision for the appointment of an information regulator that will be responsible for monitoring and enforcing compliance with the act.

Tembedza points out that people have a right to privacy in terms of the Constitution with the effect that the more private the information, the stricter a person’s right to privacy is.

The information we give willingly

This leads to questions with regard to the private information people willingly make public on social media, such as their date of birth, address, contact details, relationship status, hobbies, favourite music and where they travel, as well as a list of their friends and photographs of them.

Facebook’s data policy, for example, informs users that it collects all content, communications and other information when they sign up for an account, or create or share any content and communicate with others.

“We collect information about people, pages, hashtags and groups that you are connected to and how you interact with them,” reads the policy.

Facebook’s policy regarding data from third parties is scary to say the least.

“Advertisers, app developers and publishers can send us information through Facebook business tools that they use, including our social plug-ins such as the like button.

“These partners provide information about your activities off Facebook – including information about your device, websites you visit, purchases you make, the ads you see and how you use their services – whether or not you have a Facebook account or are logged into Facebook,” according to the policy published under Terms and Conditions on the Facebook website.

Big brother is watching (and acting)

The disclosure about how Facebook uses this information is very much focused on the fact that it will personalise your experience when using Facebook – in other words, showing you news, advertisements and other content that Facebook thinks you want to see.

A paragraph in Google’s 27-page privacy policy reveals what the data giant collects from its users: “We also collect the content you create, upload or receive from others when using our services. This includes things like email you write and receive, photos and videos you save, documents and spreadsheets you create and comments you make on YouTube videos.”

The policy also states that it reserves the right to collect information from people who might send email to a Gmail account and information in the email, even if the sender is not a Google user.

In short, our lives are open books. Big data companies are able to use ever more sophisticated algorithms to show you what they think you want to see or, maybe, what they want you to see.

How far before AI can really influence the outcome of a presidential election?

Brought to you by Moneyweb