A study with the participation of the researcher Ana Margarida Ferreira, from CINTESIS – Center for Health Technology and Services Research, received the Best Paper Award during the 5th International Conference on Information Systems Security and Privacy (ICISSP 2019), in Prague.
The study arose in the context of the General Data Protection Regulation (GDPR), which came into force on May 25, 2018, and examined the relationship between the GDPR articles and personal data transparency. The paper concluded that most of the tools used to improve data transparency are not in line with the GDPR.
These tools, known as “Transparency Enhancing Tools” (TeTs), were collected during a previous work with the aim of understanding their utility, functioning and problems. In the present study, besides identifying the articles of the Regulation that focus on providing transparency of personal data, the team also wanted to map the functionalities of the TeTs against those same articles in order to understand whether the tools are in line with the principle of transparency. Transparency here means informing users about the purposes for which their personal data are being used, whether or not the data are protected, and how.
According to the CINTESIS researcher, when a user interacts with a website or an application he/she can, at some point, provide personal data (name, email, address, mobile phone number…) or simply disclose information through the mere interaction with the system (IP address, geolocation, access credentials, etc.). In most cases, that information can be collected and used for unauthorized purposes and without the user’s knowledge, for example when data is sold or made available to third parties.
“The regulation tries to provide users with the control of their personal data, something that did not exist and which allowed the companies to abuse that data, for their own benefit,” informs the researcher. “Big companies that are not applying the Regulation may have to pay high fines. An example of this is Google, which on January 21, 2019 was penalized with a fine of € 50 million by the French Data Protection Authority (CNIL – Commission Nationale de l’Informatique et des Libertés) for non-compliance with the principle of transparency, which is mandatory by the RGPD”, she adds.
For Ana Margarida Ferreira, “the ideal scenario would involve the aggregation of all the tools available to verify what are the functionalities that really work and comply with the GDPR, so that the current tools can be improved, or so that new tools are created, whatever makes most sense”.
The researcher warns about the legal right citizens have to know, clearly and openly, where their data is “circulating, how are their data being protected and processed, and always have the possibility of deleting that data, if they wish”.
She also warns about problems that may arise in the health field related to the access to and processing of patients’ personal data. If such information is not secured, and if there is no clear indication of how the data is being protected and for which purposes it is being processed, unauthorized use or alteration can occur and result in serious risks for patients, such as an incorrect diagnosis or the prescription of inadequate medication.